Question 1
Which of the following process definitions are not provided
baseline?
A. NIST Open
B. SAN Stateful
C. NIST Stateful
D. SANS Open
Answer : A
Which process definition is set as default for security
incident response application?
A. NIST Open
B. SANS Open
C. SANS Stateful
D. NIST Stateful
Correct Answer: D
In which ServiceNow module can you find pre-built
integrations?
A. Integrations
B. Sightings Search Configuration
C. Integration Configurations
D. Integration Status
Correct Answer: C
Which of the following statements best describes what
Security Incident Calculators are used to do?
A. Set specific values according to matched conditions
B. Determine the Security Incident Risk Score
C. Calculate the cost of an incident
D. Calculate the time spent in the various incident states
Correct Answer: A
A flow executes when what is met?
A. A trigger condition
B. IntegrationHub activation
C. Response Task state is Active
D. NIST Ready State
Correct Answer: A
Identify three key Security Incident Response reporting
audiences:
A. Security Analysts
B. Security Managers
C. CIOs/CISOs
D. Facilities Managers
E. Human Resources Managers
Correct Answers: A, B, C
Question 2
A flow consists of ______. (Choose two.)
A. Scripts
B. Actions
C. Processes
D. Actors
E. Triggers
Answer : B, E
Question 3
The EmailUserReportedPhishing script include processes
inbound emails and creates a record in which table?
A. ar_sn_si_phishing_email
B. sn_si_incident
C. sn_si_phishing_email_header
D. sn_si_phishing_email
Answer : A
Question 4
Using the KB articles for Playbooks tasks also gives you
which of these advantages?
A. Automated activities to run scans and enrich Security Incidents with real time data
B. Automated activities to resolve security Incidents through patching
C. Improved visibility to threats and vulnerabilities
D. Enhanced ability to create and present concise, descriptive tasks
Answer : C
Question 5
Why is it important that the Platform (System) Administrator
and the Security Incident administrator role be separated? (Choose three.)
A. Access to security incident data may need to be restricted
B. Allow SIR Teams to control assignment of security roles
C. Clear separation of duty
D. Reduce the number of incidents assigned to the Platform Admin
E. Preserve the security image in the company
Answer : B, C, D
Question 6
Which improvement opportunity can be found baseline which
can contribute towards process maturity and strengthen customer's overall
security posture?
A. Post-Incident Review
B. Fast Eradication
C. Incident Containment
D. Incident Analysis
Answer : D
Question 7
What three steps enable you to include a new playbook in the
Selected Playbook choice list? (Choose three.)
A. Add the TLP: GREEN tag to the playbooks that you want to include in the Selected Playbook choice list
B. Navigate to the sys_hub_flow.list table
C. Search for the new playbook you have created using Flow Designer
D. Add the sir_playbook tag to the playbooks that you want to include in the Selected Playbook choice list
E. Navigate to the sys_playbook_flow.list table
Answer : B, C, D
Sample Questions
Which role is needed to install the Security Incident
Response application?
A. sn_si.write
B. sn_sec_cmn.admin
C. sn_si.admin
D. admin
Answer – D
Security Incident Response can be defined as:
A. The change plan taken to fulfill requests raised through the Security Incident Catalog
B. The action plan taken to mitigate security incidents and imminent security threats
C. The response plan taken to react to imminent security threats
D. The reaction plan taken to capture and record security incidents
Correct Answer: A
In which ServiceNow module can you find pre-built
integrations?
A. Integration Status
B. Integrations
C. Sightings Search Configuration
D. Integration Configurations
Answer – D
Which of the following statements best describes what
Security Incident Calculators are used to do?
A. Calculate the time spent in the various incident states
B. Set specific values according to matched conditions
C. Determine the Security Incident Risk Score
D. Calculate the cost of an incident
Answer – A
NEW QUESTION 14
What field is used to distinguish Security events from other
IT events?
A. Source
B. Description
C. Classification
D. Type
Answer: C
NEW QUESTION 16
Which one of the following reasons best describes why roles
for Security Incident Response (SIR) begin with
"sn_si"?
A. Because SIR is a scoped application, roles and script
includes will begin with the sn_si prefix
B. Because the Security Incident Response application uses a
Secure Identity token
C. Because ServiceNow checks the instance for a Secure
Identity when logging on to this scoped application
D. Because ServiceNow tracks license use against the
Security Incident Response Application
Answer: B
NEW QUESTION 17
What is the first step when creating a security Playbook?
A. Create a Runbook
B. Set the Response Task's state
C. Create a Knowledge Article
D. Create a Flow
Answer: D
NEW QUESTION 18
What parts of the Security Incident Response lifecycle is
responsible for limiting the impact of a security incident?
A. Post Incident Activity
B. Detection & Analysis
C. Preparation and Identification
D. Containment, Eradication, and Recovery
Answer: D
NEW QUESTION 19
Knowledge articles that describe steps an analyst needs to
follow to complete Security incident tasks might be associated to those tasks
through which of the following?
A. Flow
B. Workflow
C. Flow Designer
D. Runbook
E. Work Instruction Playbook
Answer: D
NEW QUESTION 20
How do you select which process definition to use?
A. By setting the Script Include record to Active
B. By setting the process definition record to Active
C. By selecting the desired process within the Process
Selection module
D. By selecting the desired process within the Process
Definition module
Answer: C
NEW QUESTION 21
A flow consists of one or more actions and a what?
A. Change formatter
B. NIST Ready State
C. Trigger
D. Catalog Designer
Answer: C
NEW QUESTION 22
The Risk Score is calculated by combining all the weights
using __________.
A. an arithmetic mean
B. the Risk Score script include
C. addition
D. a geometric mean
Answer: A
NEW QUESTION 23
Which one of the following users is automatically added to
the Request Assessments list?
A. The analyst assigned to the ticket
B. Any user that adds a worknote to the ticket
C. The Affected User on the incident
D. Any user who has Response Tasks on the incident
Answer: D
NEW QUESTION 24
What are two of the audiences identified that will need
reports and insight into Security Incident Response reports? (Choose two.)
A. Problem Managers
B. Chief Information Security Officer (CISO)
C. Analysts
D. Vulnerability Managers
Answer: C,D
NEW QUESTION 25
What does a flow require?
A. A trigger
B. CAB orders
C. Security orchestration flows
D. Runbooks
Answer: A
NEW QUESTION 26
A pre-planned response process contains which sequence of
events?
A. Organize, Detect, Prioritize, Contain
B. Organize, Analyze, Prioritize, Contain (OAPC)
C. Organize, Verify, Prioritize, Contain
D. Organize, Prepare, Prioritize, Contain
Answer: B
NEW QUESTION 28
In order to see the Actions in Flow Designer for Security
Incident, what plugin must be activated?
A. Security Spoke
B. Security Incident Spoke
C. Security Operations Spoke
D. Performance Analytics for Security Incident Response
Answer: C
NEW QUESTION 29
Flow Triggers can be based on what? (Choose three.)
A. Record views
B. Record inserts
C. Record changes
D. Subflows
E. Schedules
Answer: C,D,E
NEW QUESTION 30
Which Table would be commonly used for Security Incident
Response?
A. cmdb_rel_ci
B. sysapproval_approver
C. sn_si_incident
D. sec_ops_incident
Answer: C
NEW QUESTION 31
David is on the Network team and has been assigned a
security incident response task.
What role does he need to be able to view and work the task?
A. External
B. Security Analyst
C. Read
D. Security Basic
Answer: B
NEW QUESTION 32
What role(s) are required to add new items to the Security
Incident Catalog?
A. requires the sn_si.catalog role
B. requires both sn_si.write and catalog_admin roles
C. requires the admin role
D. requires the sn_si.admin role
Answer: C
NEW QUESTION 33
Which of the following is an action provided by the Security
Incident Response application?
A. Create Response Task set Incident state V1
B. Create Record on Security Incident state V1
C. Look Up Record on Security Incident state V1
D. Create Outage state V1
Answer: C
NEW QUESTION 34
Which of the following fields is used to identify an Event
that is to be used for Security purposes?
A. Security
B. CI
C. Classification
D. IT
Answer: C
NEW QUESTION 35
Which of the following tag classifications are provided
baseline? (Choose three.)
A. Severity
B. Traffic Light Protocol
C. IoC Type
D. Block from Sharing
E. Enrichment whitelist/blacklist
F. Escalation Level
G. Cyber Kill Chain Step
Answer: B,C,E
NEW QUESTION 36
The EmailUserReportedPhishing script include processes
inbound emails and creates a record in which table?
A. ar_sn_si_phishing_email
B. sn_si_phishing_email_header
C. sn_si_phishing_email
D. sn_si_incident
Answer: A
NEW QUESTION 37
What field is used to distinguish Security events from other
IT events?
A. Source
B. Description
C. Classification
D. Type
Answer: C
01. A flow executes when what is met?
a) A trigger condition
b) IntegrationHub activation
c) Response Task state is Active
d) NIST Ready State
Answer: a
02. For Customers who don’t use
3rd-party systems, what ways can security incidents be created?
(Choose three.)
a) Security Service Catalog
b) Security Incident Form
c) Inbound Email Parsing Rules
d) Leveraging an Integration
e) Alert Management
Answer: a, b, c
03. In which ServiceNow module can
you find pre-built integrations?
a) Integrations
b) Sightings Search Configuration
c) Integration Configurations
d) Integration Status
Answer: c
04. How do you select which process definition
to use?
a) By setting the process
definition record to Active
b) By selecting the desired
process within the Process Selection module
c) By selecting the desired
process within the Process Definition module
d) By setting the Script Include
record to Active
Answer: b
05. Security Incident Response can be
defined as:
a) The change plan taken to
fulfill requests raised through the Security Incident Catalog
b) The reaction plan taken to
capture and record security incidents
c) The response plan taken to
react to imminent security threats
d) The action plan taken to
mitigate security incidents and imminent security threats
Answer: d
06. Identify three key Security
Incident Response reporting audiences:
a) Security Analysts
b) Security Managers
c) CIOs/CISOs
d) Facilities Managers
e) Human Resources Managers
Answer: a, b, c
07. Which of the following statements
best describes what Security Incident Calculators are used to do?
a) Set specific values according
to matched conditions
b) Determine the Security Incident
Risk Score
c) Calculate the cost of an incident
d) Calculate the time spent in the
various incident states
Answer: a
08. Which role is needed to install
the Security Incident Response application?
a) sn_si.admin
b) admin
c) sn_sec_cmn.admin
d) sn_si.write
Answer: b
09. Which process definition is set
as default for security incident response application?
a) NIST Open
b) SANS Open
c) SANS Stateful
d) NIST Stateful
Answer: d
10. David is on the Network team and
has been assigned a security incident response task. What role does he need to
be able to view and work the task?
a) Security Analyst
b) Security Basic
c) External
d) Read
Answer: a
Q1. Security tag used when a piece
of information requires support to be effectively acted upon, yet carries risks
to privacy, reputation, or operations if shared outside of the organizations
involved.
A. TLP:GREEN
B. TLP:AMBER
C. TLP:RED
D. TLP:WHITE
Answer: B
Q2.
A Post Incident Review can contain
which of the following? (Choose three.)
A. Post incident Questionnaires
B. An audit trail
C. Attachments associated with the security incident
D. Key incident fields
E. Performance Analytics reports
Answer: A,B,D
Q3.
Which one of the following reasons
best describes why roles for Security Incident Response (SIR) begin with
"sn_si"?
A. Because SIR is a scoped application, roles and script includes will begin with the sn_si prefix
B. Because the Security Incident Response application uses a Secure Identity token
C. Because ServiceNow checks the instance for a Secure Identity when logging on to this scoped application
D. Because ServiceNow tracks license use against the Security Incident Response Application
Answer: B
Q4.
Which of the following is an
action provided by the Security Incident Response application?
A. Create Outage state V1
B. Create Record on Security Incident state V1
C. Create Response Task set Incident state V1
D. Look Up Record on Security Incident state V1
Answer: D
Q5.
What specific role is required in
order to use the REST API Explorer?
A. admin
B. sn_si.admin
C. rest_api_explorer
D. security_admin
Answer: A,C
Question 1/21
Which of the following fields is used
to identify an Event that is to be used for Security purposes?
A. Classification
B. IT
C. CI
D. Security
Correct Answer: A
Question 2/21
Why is it important that the
Platform (System) Administrator and the Security Incident administrator role be
separated? (Choose three.)
A. Allow SIR Teams to control
assignment of security roles
B. Clear separation of duty
C. Preserve the security image in
the company
D. Access to security incident
data may need to be restricted
E. Reduce the number of incidents
assigned to the Platform Admin
Correct Answer: A,B,E
Question 3/21
What specific role is required in
order to use the REST API Explorer?
A. sn_si.admin
B. admin
C. security_admin
D. rest_api_explorer
Correct Answer: B,D
Question 4/21
Joe is on the SIR Team and needs
to be able to configure Territories and Skills. What role does he need?
A. Security Admin
B. Manager
C. Security Basic
D. Security Analyst
Correct Answer: A
Which one of the following users
is automatically added to the Request Assessments list?
A. The analyst assigned to the
ticket
B. Any user who has Response Tasks
on the incident
C. Any user that adds a worknote
to the ticket
D. The Affected User on the
incident
Correct Answer: B
Question 6/21
A pre-planned response process
contains which sequence of events?
A. Organize, Verify, Prioritize,
Contain
B. Organize, Prepare, Prioritize,
Contain
C. Organize, Detect, Prioritize,
Contain
D. Organize, Analyze, Prioritize,
Contain
Correct Answer: D
Question 7/21
Which of the following process
definitions are not provided baseline?
A. NIST Stateful
B. SANS Open
C. SAN Stateful
D. NIST Open
Correct Answer: D
What field is used to distinguish
Security events from other IT events?
A. Type
B. Classification
C. Description
D. Source
Correct Answer: B
What is the fastest way for
security incident administrators to remove unwanted widgets from the Security
Incident Catalog?
A. Can't be removed
B. Talking to the system
administrator
C. Through the Catalog Definition
record
D. Clicking the X on the top right
corner
Correct Answer: C
What is calculated as an
arithmetic mean taking into consideration different values in the CI, Security
Incident, and User records?
A. Priority
B. Business Impact
C. Risk Score
D. Severity
Correct Answer: B
To configure Security Incident
Escalations, you need the following role(s):
A. sn_si.admin or sn_si.manager
B. sn_si.admin or sn_si.ciso
C. sn_si.manager or sn_si.analyst
D. sn_si.admin
Correct Answer: D
Question 12/21
Which of the following State Flows
are provided for Security Incidents? (Choose three.)
A. SANS Open
B. SANS Stateful
C. NIST Stateful
D. NIST Open
Correct Answer: B,C,D
Chief factors when configuring
auto-assignment of Security Incidents are.
A. Agent group membership, Agent location and time zone
B. Security incident priority, CI Location and agent time zone
C. Agent skills, System Schedules and agent location
D. Agent location, Agent skills and agent time zone
Answer – D
Question 13/21
What is the first step when
creating a security Playbook?
A. Create a Runbook
B. Set the Response Task's state
C. Create a Flow
D. Create a Knowledge Article
Correct Answer: C
Question 14/21
What factor, if any, limits the
ability to close SIR records?
A. Nothing, SIR records could be
closed at any time
B. All post-incident review questionnaires
have to be completed first
C. Best practice dictates that SIR
records should be set to 'Resolved' never to 'Closed'
D. Opened related INC records
Correct Answer: D
Question 15/21
Chief factors when configuring
auto-assignment of Security Incidents are.
A. Security incident priority, CI
Location and agent time zone
B. Agent location, Agent skills
and agent time zone
C. Agent group membership, Agent
location and time zone
D. Agent skills, System Schedules
and agent location
Correct Answer: B
Question 16/21
If the customer's email server
currently has an account setup to report suspicious emails, then what happens
next?
A. the customer's systems are
already handling suspicious emails
B. the customer should set up a
rule to forward these mails onto the ServiceNow platform
C. an integration added to
Exchange keeps the ServiceNow platform in sync
D. the ServiceNow platform ensures
that parsing and analysis takes place on their mail server
Correct Answer: B
Question 17/21
The Risk Score is calculated by
combining all the weights using.
A. addition
B. an arithmetic mean
C. a geometric mean
D. the Risk Score script include
Correct Answer: B
Question 18/21
If a desired pre-built integration
cannot be found in the platform, what should be your next step to find a
certified integration?
A. Ask for assistance in the
community page
B. Look for one in the ServiceNow
Store
C. Build your own through the REST
API Explorer
D. Download one from ServiceNow
Share
Correct Answer: B
Question 19/21
What is the name of the Inbound
Action that validates whether an inbound email should be processed as a phishing
email for URP v2?
A. User Reporting Phishing (for
New emails)
B. User Reporting Phishing (for
Forwarded emails)
C. Create Phishing Email
D. Scan email for threats
Correct Answer: B
Which one of the following reasons
best describes why roles for Security Incident Response (SIR) begin with
"sn_si"?
A. Because SIR is a scoped
application, roles and script includes will begin with the sn_si prefix
B. Because ServiceNow checks the
instance for a Secure Identity when logging on to this scoped application
C. Because ServiceNow tracks
license use against the Security Incident Response Application
D. Because the Security Incident
Response application uses a Secure Identity token
Correct Answer: D
Question 21/21
Which ServiceNow automation
capability extends Flow Designer to integrate business processes with other
systems?
A. Integration Hub
B. Subflows
C. Workflow
D. Orchestration
Correct Answer: A
Using the KB articles for
Playbooks tasks also gives you which of these advantages?
A . Automated activities to run
scans and enrich Security Incidents with real time data
B . Automated activities to
resolve security Incidents through patching
C . Improved visibility to threats
and vulnerabilities
D . Enhanced ability to create and
present concise, descriptive tasks
Answer: C
Which Table would be commonly used
for Security Incident Response?
A . sysapproval_approver
B . sec_ops_incident
C . cmdb_rel_ci
D . sn_si_incident
Answer: D
When the Security Phishing Email
record is created what types of observables are stored in the record? (Choose
three.)
A . URLs, domains, or IP addresses
appearing in the body
B . Who reported the phishing
attempt
C . State of the phishing email
D . IP addresses from the header
E . Hashes and/or file names found
in the EML attachment
F . Type of Ingestion Rule used to
identify this email as a phishing attempt
Answer: A,D,E
June 23, 2021
The EmailUserReportedPhishing
script include processes inbound emails and creates a record in which table?
A . ar_sn_si_phishing_email
B . sn_si_incident
C . sn_si_phishing_email_header
D . sn_si_phishing_email
Answer: A
A flow consists of one or more
actions and a what?
A . Change formatter
B . Catalog Designer
C . NIST Ready State
D . Trigger
Answer: D
What does a flow require?
A . Security orchestration flows
B . Runbooks
C . CAB orders
D . A trigger
Answer: D
What specific role is required in
order to use the REST API Explorer?
A . admin
B . sn_si.admin
C . rest_api_explorer
D . security_admin
Answer: A,C
The benefits of improved Security
Incident Response are expressed.
A . as desirable outcomes with
clear, measurable Key Performance Indicators
B . differently depending upon 3
stages: Process Improvement, Process Design, and Post Go-Live
C . as a series of states with
consistent, clear metrics
D . as a value on a scale of 1-10
based on specific outcomes
Answer: C
Why should discussions focus with
the end in mind?
A . To understand desired outcomes
B . To understand current posture
C . To understand customer’s
process
D . To understand required tools
Answer: A
A pre-planned response process
contains which sequence of events?
A . Organize, Analyze, Prioritize,
Contain
B . Organize, Detect, Prioritize,
Contain
C . Organize, Prepare, Prioritize,
Contain
D . Organize, Verify, Prioritize,
Contain
Answer: A
Chief factors when configuring
auto-assignment of Security Incidents are.
A . Agent group membership, Agent
location and time zone
B . Security incident priority, CI
Location and agent time zone
C . Agent skills, System Schedules
and agent location
D . Agent location, Agent skills
and agent time zone
Answer: D
Security tag used when a piece of
information requires support to be effectively acted upon, yet carries risks to
privacy, reputation, or operations if shared outside of the organizations
involved.
A . TLP: GREEN
B . TLP: AMBER
C . TLP: RED
D . TLP: WHITE
Answer: B
Which of the following fields is
used to identify an Event that is to be used for Security purposes?
A . IT
B . Classification
C . Security
D . CI
Answer: B
There are several methods in which
security incidents can be raised, which broadly fit into one of these
categories: (Choose two.)
A . Integrations
B . Manually created
C . Automatically created
D . Email parsing
Answer: B,C
Select the one capability that
restricts connections from one CI to other devices.
A . Isolate Host
B . Sightings Search
C . Block Action
D . Get Running Processes
E . Get Network Statistics
F . Publish Watchlist
Answer: A
What plugin must be activated to
see the New Security Analyst UI?
A . Security Analyst UI Plugin
B . Security Incident Response UI
plugin
C . Security Operations UI plugin
D . Security Agent UI Plugin
Answer: D
Which of the following are
potential benefits for utilizing Security Incident assignment automation?
(Choose two.)
A . Decreased Time to Containment
B . Increased Mean Time to
Remediation
C . Decreased Time to Ingestion
D . Increased resolution process
consistency
Answer: B,D
Knowledge articles that describe
steps an analyst needs to follow to complete Security incident tasks might be
associated to those tasks through which of the following?
A . Work Instruction Playbook
B . Flow
C . Workflow
D . Runbook
E . Flow Designer
Answer: D
What field is used to distinguish
Security events from other IT events?
A . Type
B . Source
C . Classification
D . Description
Answer: C
What is the key to a successful implementation?
A . Sell customer the most
expensive package
B . Implementing everything that
we offer
C . Understanding the customer’s
goals and objectives
D . Building custom integrations
Answer: C
https://www.certshero.com/servicenow/cis-sir/practice-test
https://www.fast2test.com/CIS-SIR-practice-test.html
https://quizizz.com/admin/quiz/63524f2b9cf199001dd1b069/startV4?fromBrowserLoad=true