Security Incident Response Exam
QUESTIONS AND CORRECT ANSWERS
Product Tiers - CORRECT ANSWER Standard includes: SIR, Security event ingestion, Trusted Circles, Basic Reporting
Professional: above, plus Threat Intelligence (TI) enrichment, Case management, Event Management, Performance Analytics
Enterprise: above, plus Advanced use cases - baseline orchestration and automation, Python-based integrations; Trusted Security Circles (advanced)
Goal of SIR - CORRECT ANSWER Containment as soon as possible
O.A.P.C.
* Organize
* Analyze
* Prioritize
* Contain (Respond)
Incident Response Lifecycle (based on NIST) - CORRECT ANSWER Preparation
* training, tools, response plans and runbooks
Detection & Analysis
* Sources include Firewalls, Intrusion Detection Systems, logs of email or web gateways
* Analysis is mainly manual
Containment, Eradication and Recovery
* Containment (e.g. disconnect from network)
* Eradication (patching, disinfecting, reimaging) - guided by runbooks
* Recovery - reinstating systems
Post Incident Activity
* Documenting observations, CSI, knowledge articles
SIR Information sources - CORRECT ANSWER Manual Incidents
* potentially through Security Service Catalog
Automatic
* SIEM, parsing inbound email
Examples:
Palo Alto
Tanium
Symantec
VirusTotal
Check Point
SIEMs:
Splunk
QRadar
ArcSight
McAfee
Security Incident definition - CORRECT ANSWER No official ITIL definition
ServiceNow - an incident created to address an event that can be related to either a security
threat or security vulnerability, often attributable to a human root cause