
SPLK-3001 Exam - Question 7


What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

Correct Answer: BC

The appropriate role for a security team member taking ownership of notable events in the incident review dashboard is the ess_analyst. The ess_analyst role is specifically designed for individuals who will be responsible for owning and performing status changes on notable events, ensuring they can efficiently manage incident reviews. While an ess_admin also has the capability, assigning the ess_analyst role aligns better with specific responsibilities and follows best practices.

Discussion

11 comments
pock3ts Option: C
Jun 25, 2022

C is correct

niuksas Option: C
Sep 29, 2022

The correct answer is C

Imcool Option: C
Feb 14, 2021

ess_analyst is also true, and from a best practices perspective it is better to assign this one instead of admin, no?

BMO Option: C
May 30, 2021

C is correct. Admin ES - Slide 20

1qaz2wsx
Sep 23, 2021

Can you share Admin ES slides?

CurryMuncher Option: B
Jun 3, 2021

B is the correct answer - https://docs.splunk.com/Documentation/ES/6.5.1/Install/ConfigureUsersRoles

CurryMuncher Option: C
Jun 3, 2021

SORRY, C is the correct answer: https://docs.splunk.com/Documentation/ES/6.5.1/Install/ConfigureUsersRoles I made a mistake earlier. Answer is C.

guirax Option: C
Dec 1, 2021

C is correct. ES Analyst (ess_analyst): Owns notable events and performs notable event status changes. Administering Splunk Enterprise Security, page 20.

andy73 Option: C
Dec 1, 2021

C is correct

brockmoon56 Option: C
Dec 18, 2022

Should be C. Technically an Admin is able to do it all, but the responsibility should lie with the ess_analyst. The admin would inherit it as a higher role.

Bittu22 Option: C
Dec 21, 2022

The ability to change notable event statuses is available to the ess_analyst and ess_admin roles by default.

vasudvn Option: C
Dec 17, 2023

ess_analyst can own the notable: https://docs.splunk.com/Documentation/ES/6.1.0/Install/ConfigureUsersRoles