Multiple Choice
Following the installation of ES, an admin configured users with the ess_user role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?
A) In Enterprise Security, give the ess_user role the Own Notable Events permission.
B) From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status.
C) From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.
D) From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.
Correct Answer:

Verified