Text preview & study summary
ServiceNow CIS-SecOps - Security Operations Implementation - SIR Vulnerability Threat Intelligence SOAR
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
A security compliance officer needs to demonstrate to auditors that all Critical Security Incidents from the past year were investigated within the required 1-hour SLA and contained within 24 hours. What is the BEST way to export this evidence from ServiceNow?
Explanation
Audit evidence from ServiceNow SIR: (1) Report on sn_si.incident filtered by: severity = Critical AND closed within the past 12 months; (2) Fields: Incident Number, Short Description, Created, Acknowledged (time), Contained/Resolved (time), SLA Met (Yes/No), MTTD, MTTR, Assigned Analyst; (3) Scheduled Report configured to run monthly and email to compliance officer; (4) For annual audit: export to PDF (formatted for formal submission) or CSV (for auditor's own analysis); (5) SLA records (sn_task_sla) provide immutable, system-generated evidence of compliance that can't be manually manipulated; (6) Audit trail confirms data integrity. Manual compilation (option C) is not reliable — system-generated reports with timestamps are more defensible in audits.
Question 2
A security operations team needs to ensure that when a high-severity Security Incident remains unacknowledged for more than 30 minutes, it escalates to the on-call security manager automatically. What configuration achieves this?
Explanation
Security Incident SLA with escalation: (1) SLA Definition on sn_si.incident: Condition = severity IN (High, Critical), Start = Created, Pause = (when acknowledged), Target = 30 minutes; (2) SLA Breach Action: when SLA breaches, trigger a notification; (3) Notification recipients: On-Call Security Manager from On-Call Management (using the on-call schedule to identify the currently on-call person by time/day); (4) Notification includes: incident severity, title, assigned group, link, and time unacknowledged; (5) Escalation chain: 30 min → Security Manager, 1 hour → Security Director. On-call management integration ensures the right person is paged regardless of who is on duty. Separate PagerDuty (option D) adds tool complexity when the same capability exists natively in ServiceNow.
Question 3
A Security Incident is being investigated and the analyst needs to preserve digital evidence from an affected system before it's wiped and rebuilt. What SecOps Evidence Management configuration supports this?
Explanation
Forensic evidence management in SIR: (1) Evidence collection task in the playbook triggers automated collection: Endpoint Detection & Response (EDR) API captures memory and process dumps; Cloud trail logs are collected via API; SIEM log exports are retrieved for the affected timeframe; (2) Evidence stored as attachments or linked artifact records on the Security Incident with: collection timestamp, source system, analyst who collected, chain of custody notes; (3) Hash values (SHA-256) computed and stored — any tampering invalidates the hash, protecting evidence integrity; (4) Retention policy — evidence is held for the duration of the investigation and legal hold period; (5) eDiscovery integration (Purview) if litigation hold is required. Personal notes (option A) and local storage (option C) break chain of custody and are inadmissible in legal proceedings or regulatory investigations.
Question 4
A Security Operations team wants to implement automated threat hunting capabilities where specific queries run automatically against log data when a new Threat Intelligence IOC is imported, and results are surfaced as potential Security Incidents. What configuration is needed?
Explanation
Automated threat hunting with IOC correlation: (1) Trigger: New Threat Intelligence Observable created with confidence = High AND type = Malicious; (2) Flow Designer action: for each newly imported IOC, call the Splunk Spoke "Run Saved Search" or "Run Ad-hoc Query" action with a hunting query (e.g., `index=firewall dest_ip=<new_ioc_ip> earliest=-30d`); (3) If results returned: create Security Incident with "Potential IOC Match" category, attach query results as evidence, set initial severity based on IOC confidence and asset criticality; (4) Analyst reviews auto-created incidents for investigation; (5) False positive tracking improves IOC quality. Waiting for SIEM alerts (option D) only catches FUTURE events; threat hunting retroactively searches historical logs for evidence of past compromise by newly identified IOCs.
Question 5
During a Security Incident investigation, an analyst determines that a user account was compromised via credential stuffing. They need to immediately disable the account in Active Directory and force a password reset. What is the CORRECT SecOps implementation for this automated response action?
Explanation
SOAR automation for account compromise response: (1) Integration Hub Active Directory Spoke provides pre-built actions: "Disable User Account," "Reset Password," "Force Password Change"; (2) These actions can be called from: Security Incident playbook steps (automated workflow), or Security Incident Action Buttons (one-click analyst response); (3) The action's result (success/failure) is logged in the Security Incident timeline; (4) The compromised username and AD path are taken from the Security Incident's linked User record; (5) Optional: simultaneously trigger an email to the user explaining the security action. IT help desk email (option A) introduces 30-minute to several-hour delay — unacceptable for active credential compromise. Change requests (option C) add ITSM overhead and approval cycles inappropriate for active incident response.
