Splunk Enterprise Security Certified Admin — Question 57
Following the installation of ES, an admin granted users with the ess_user role the ability to close notable events.
How would the admin restrict these users from changing the status of Resolved notable events to Closed?
Answer options
- A. In Enterprise Security, give the ess_user role the Own Notable Events permission.
- B. From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status.
- C. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.
- D. From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.
Correct answer: C
Explanation
The correct answer is C. In the Status Configuration window, transitions are defined on the source status, so the admin selects the Resolved status and removes ess_user from the roles allowed to transition it to Closed; this directly addresses the requirement. Answer A is incorrect because granting Own Notable Events does not limit status changes. Answer B is backwards: it edits the Closed status and so restricts transitions out of Closed rather than into it. Answer D removes a capability that governs editing notable events in general and does not relate to a specific status transition.