Text preview & study summary

ServiceNow CIS-SecOps - Security Operations Implementation - SIR Vulnerability Threat Intelligence SOAR

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

A security compliance officer needs to demonstrate to auditors that all Critical Security Incidents from the past year were investigated within the required 1-hour SLA and contained within 24 hours. What is the BEST way to export this evidence from ServiceNow?

Answer choices

  • A. Ask each security analyst to write a summary email

  • B. Generate a Scheduled Report from ServiceNow SIR showing all Critical Security Incidents with: creation time, acknowledgment time, containment time, SLA compliance status, and analyst assigned — export as PDF or CSV for auditor submission (Correct)

  • C. Manually compile incident details from emails and tickets

  • D. Screenshot each security incident record individually

Explanation

Audit evidence from ServiceNow SIR: (1) Report on sn_si.incident filtered by: severity = Critical AND closed within the past 12 months; (2) Fields: Incident Number, Short Description, Created, Acknowledged (time), Contained/Resolved (time), SLA Met (Yes/No), MTTD, MTTR, Assigned Analyst; (3) Scheduled Report configured to run monthly and email to compliance officer; (4) For annual audit: export to PDF (formatted for formal submission) or CSV (for auditor's own analysis); (5) SLA records (sn_task_sla) provide immutable, system-generated evidence of compliance that can't be manually manipulated; (6) Audit trail confirms data integrity. Manual compilation (option C) is not reliable — system-generated reports with timestamps are more defensible in audits.

Question 2

A security operations team needs to ensure that when a high-severity Security Incident remains unacknowledged for more than 30 minutes, it escalates to the on-call security manager automatically. What configuration achieves this?

Answer choices

  • A. The security manager sets a phone alarm and checks every 30 minutes

  • B. Configure a Security Incident SLA with breach condition: severity = High AND acknowledged = false AND SLA time > 30 minutes; on breach, trigger an escalation notification to the on-call security manager using on-call schedules from the On-Call Management module (Correct)

  • C. A scheduled job that runs every 5 minutes checking unacknowledged incidents

  • D. Configure PagerDuty separately to handle escalations

Explanation

Security Incident SLA with escalation: (1) SLA Definition on sn_si.incident: Condition = severity IN (High, Critical), Start = Created, Pause = (when acknowledged), Target = 30 minutes; (2) SLA Breach Action: when SLA breaches, trigger a notification; (3) Notification recipients: On-Call Security Manager from On-Call Management (using the on-call schedule to identify the currently on-call person by time/day); (4) Notification includes: incident severity, title, assigned group, link, and time unacknowledged; (5) Escalation chain: 30 min → Security Manager, 1 hour → Security Director. On-call management integration ensures the right person is paged regardless of who is on duty. Separate PagerDuty (option D) adds tool complexity when the same capability exists natively in ServiceNow.

Question 3

A Security Incident is being investigated and the analyst needs to preserve digital evidence from an affected system before it's wiped and rebuilt. What SecOps Evidence Management configuration supports this?

Answer choices

  • A. The analyst takes personal notes during investigation

  • B. Configure Evidence Collection tasks in the Security Incident playbook — automated steps collect forensic artifacts (memory dumps, disk images, log exports) via Integration Hub actions and store them as Evidence Artifacts attached to the Security Incident, with hash verification for chain of custody (Correct)

  • C. Store evidence on the analyst's local workstation

  • D. Email evidence files to the security team distribution list

Explanation

Forensic evidence management in SIR: (1) Evidence collection task in the playbook triggers automated collection: Endpoint Detection & Response (EDR) API captures memory and process dumps; Cloud trail logs are collected via API; SIEM log exports are retrieved for the affected timeframe; (2) Evidence stored as attachments or linked artifact records on the Security Incident with: collection timestamp, source system, analyst who collected, chain of custody notes; (3) Hash values (SHA-256) computed and stored — any tampering invalidates the hash, protecting evidence integrity; (4) Retention policy — evidence is held for the duration of the investigation and legal hold period; (5) eDiscovery integration (Purview) if litigation hold is required. Personal notes (option A) and local storage (option C) break chain of custody and are inadmissible in legal proceedings or regulatory investigations.

Question 4

A Security Operations team wants to implement automated threat hunting capabilities where specific queries run automatically against log data when a new Threat Intelligence IOC is imported, and results are surfaced as potential Security Incidents. What configuration is needed?

Answer choices

  • A. Analysts manually run threat hunting queries when they have time

  • B. Configure Threat Hunting automation: when a new critical IOC is imported into Threat Intelligence, a trigger activates a Flow that executes hunting queries via Integration Hub SIEM actions (Splunk, Sentinel), and any matches are automatically created as Security Incidents or Suspicious Activities for analyst review (Correct)

  • C. Export IOCs to a spreadsheet and manually compare to log data

  • D. Wait for the SIEM to alert on IOCs automatically

Explanation

Automated threat hunting with IOC correlation: (1) Trigger: New Threat Intelligence Observable created with confidence = High AND type = Malicious; (2) Flow Designer action: for each newly imported IOC, call the Splunk Spoke "Run Saved Search" or "Run Ad-hoc Query" action with a hunting query (e.g., `index=firewall dest_ip=<new_ioc_ip> earliest=-30d`); (3) If results returned: create Security Incident with "Potential IOC Match" category, attach query results as evidence, set initial severity based on IOC confidence and asset criticality; (4) Analyst reviews auto-created incidents for investigation; (5) False positive tracking improves IOC quality. Waiting for SIEM alerts (option D) only catches FUTURE events; threat hunting retroactively searches historical logs for evidence of past compromise by newly identified IOCs.

Question 5

During a Security Incident investigation, an analyst determines that a user account was compromised via credential stuffing. They need to immediately disable the account in Active Directory and force a password reset. What is the CORRECT SecOps implementation for this automated response action?

Answer choices

  • A. Email the IT help desk to disable the account manually

  • B. Use an Integration Hub action or custom playbook step that calls the Active Directory Spoke (or LDAP API) to disable the account and set "must change password at next login" flag, all from within the Security Incident record (Correct)

  • C. Create an ITSM change request to disable the account

  • D. Wait for the monthly security review to address compromised accounts

Explanation

SOAR automation for account compromise response: (1) Integration Hub Active Directory Spoke provides pre-built actions: "Disable User Account," "Reset Password," "Force Password Change"; (2) These actions can be called from: Security Incident playbook steps (automated workflow), or Security Incident Action Buttons (one-click analyst response); (3) The action's result (success/failure) is logged in the Security Incident timeline; (4) The compromised username and AD path are taken from the Security Incident's linked User record; (5) Optional: simultaneously trigger an email to the user explaining the security action. IT help desk email (option A) introduces 30-minute to several-hour delay — unacceptable for active credential compromise. Change requests (option C) add ITSM overhead and approval cycles inappropriate for active incident response.