Splunk Exam SPLK-3001 Topic 1 Question 73 Discussion

Actual exam question for Splunk's SPLK-3001 exam

Question #: 73
Topic #: 1

Following the installation of ES, an admin configured users with the ess_user role the ability to close notable events.

How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?

AIn Enterprise Security, give the ess_user role the Own Notable Events permission.

BFrom the Status Configuration window select the Closed status. Remove ess_user from the status
transitions for the Resolved status.

CFrom the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.

DFrom Splunk Access Controls, select the ess_user role and remove the edit_notable_events
capability.

Show Suggested Answer

Suggested Answer: A

by Chaya at Aug 05, 2023, 05:42 AM

Limited Time Offer

25%

Off

Contribute your Thoughts:

Submit Cancel

2 days ago

Option B seems the way to go. Removing the ess_user role from the status transitions for the Resolved status will do the trick.

upvoted 0 times

...

4 days ago

But wouldn't giving the ess_user role the Own Notable Events permission also help restrict them from closing events?

upvoted 0 times

...

6 days ago

I agree with Gerald. That way, ess_user won't be able to change the status of Resolved notable events to Closed.

upvoted 0 times

...

7 days ago

I think the admin should remove ess_user from the status transitions for the Closed status.

upvoted 0 times

...