Bestseller
CIS-Discovery / RISCO - ServiceNow Practice Test 2026
Discovery questions get missed when people memorize definitions instead of workflows. This 173-question bank stays on MID Servers, credentials, patterns, classification, and RISCO behavior. Each answer links back to official ServiceNow docs so you can check the logic yourself.
What's included
- 173 questions on Discovery, RISCO, MID Servers, patterns, and credentials
- Every answer links to the ServiceNow doc page behind it
- Per-option reasoning shows why each distractor falls apart
- Built around Zurich-era behavior and the 2026 exam specs
- Yours for the long haul. Updates are included.
- Published by someone who passed all 18 ServiceNow exams on the first attempt
- Udemy backs it with a 30-day refund window
15 Free Preview Questions
Answer 5 questions free. Enter your email to continue through question 15. The full course has 173 questions on Udemy.
- Aadd each set of duplicate CIs to a de-duplication task
- Bsend a notification to the CI owner
- Cautomatically create an associated identification rule
- Dstop the next discovery for the CI that is duplicated
Show full explanation
Correct Answer
A. Add each set of duplicate CIs to a de-duplication task
Source
ServiceNow Zurich - CMDB Identification and Reconciliation
If the link fails, search Google for: ServiceNow Zurich CMDB Identification Reconciliation de-duplication task
Expert Explanation
The Identification and Reconciliation Engine (IRE) is the gatekeeper of CMDB data quality. When it detects that two or more CIs share the same identifier values (based on configured CI Identifier rules), it flags them as potential duplicates. Rather than automatically merging or deleting records - which could destroy valid data - the engine creates a de-duplication task.
These tasks are visible in the CMDB Health Dashboard under the duplicates section. An administrator then reviews each set of duplicates and decides whether to:
- Merge the CIs into a single authoritative record
- Reject the duplicate flag if the CIs are legitimately separate items
- Re-classify a CI if it was incorrectly typed
This human-in-the-loop approach prevents automated data loss while still surfacing quality issues promptly.
Why the Others Are Wrong
- B - Send notification to CI owner: There is no default notification mechanism for duplicate detection. De-duplication tasks are the standard workflow, not email alerts.
- C - Automatically create an identification rule: Identification rules are administrative configurations created before discovery runs. The IRE uses existing rules to detect duplicates - it cannot author new rules on its own.
- D - Stop the next discovery: Stopping discovery for a single CI would leave it stale and unmonitored. ServiceNow never pauses discovery as a response to duplicates - it isolates the problem into a reviewable task instead.
Memory Tip
Think of it like airport security finding two identical passports: they do not destroy one or stop all flights. They create a task (incident report) and let an officer (admin) sort it out. Duplicates = De-dup Task.
Real-World Example
A network engineer at Contoso Corp runs a discovery scan that finds two CIs for the same Linux server - one created by an earlier IP-based scan and another from a DNS-based scan. The IRE detects the overlap using the serial number identifier rule and creates a de-duplication task. The CMDB manager reviews the task, confirms both records represent server PRODWEB-04, and merges them into a single CI - preserving all 47 relationships from both records.
- ANMAP
- BPort Scanner plugin
- CWindows PowerShell module
- DOpenSSH server
Show full explanation
Correct Answer
A. NMAP
Source
ServiceNow Zurich - Credential-less Discovery with NMAP
If the link fails, search Google for: ServiceNow Zurich NMAP credential-less discovery MID Server
Expert Explanation
Credential-less discovery allows ServiceNow to identify and classify devices on the network without needing usernames, passwords, or SSH keys. This is accomplished by installing NMAP on the MID Server host operating system.
When NMAP is available, the MID Server can perform:
- Port scanning to detect which services are running on a target IP
- OS fingerprinting to determine the operating system based on TCP/IP stack behavior
- Service version detection to identify specific software versions
This is particularly useful for initial network sweeps where you want to build a baseline inventory before configuring credentials. The CIs created through credential-less discovery contain limited attributes (IP, OS type, open ports) compared to full credential-based discovery, but they give teams visibility into what exists on the network.
Why the Others Are Wrong
- B - Port Scanner plugin: This is a ServiceNow instance-level plugin, not a MID Server installation. Plugins activate functionality in the platform, not on the MID Server OS.
- C - Windows PowerShell module: PowerShell is used for authenticated Windows discovery via WinRM. It requires credentials and cannot perform credential-less scanning.
- D - OpenSSH server: SSH is an authenticated protocol. Installing OpenSSH would support credential-based Linux discovery, not credential-less scanning.
Memory Tip
NMAP = No credentials Mapping All Ports. When you need to discover without passwords, NMAP is the answer. Think: "No credentials- NMAP!"
Real-World Example
A ServiceNow administrator at GlobalBank is tasked with inventorying 2,000 devices across a newly acquired subsidiary network. She has no credentials yet for those devices. She installs NMAP on the MID Server in that subnet, configures a credential-less discovery schedule targeting the 10.50.0.0/16 range, and within 4 hours has classified 1,847 devices by OS type - identifying 612 Linux servers, 890 Windows machines, and 345 network devices - all without a single password.
- AThe Kubernetes nodes are ignored by default and do not create any CIs.
- BA cmdb_ci_linux_server CI is created for each Kubernetes node by default.
- CThe Informer creates a cmdb_ci_windows_server CI for each Kubernetes node by default.
- DNo CIs are created unless manually configured each time.
Show full explanation
Correct Answer
B. A cmdb_ci_linux_server CI is created for each Kubernetes node by default.
Source
ServiceNow Zurich - Kubernetes Discovery
If the link fails, search Google for: ServiceNow Zurich Kubernetes discovery Informer cmdb_ci_linux_server node
Expert Explanation
ServiceNow uses Informers to discover Kubernetes environments. An Informer is an agent-based component that runs inside a Kubernetes cluster and reports back to the ServiceNow instance through the MID Server.
When the Informer discovers Kubernetes nodes, it creates CIs using the following default mapping:
- Each Kubernetes node becomes a cmdb_ci_linux_server CI in the CMDB
- Each Kubernetes cluster becomes a cmdb_ci_kubernetes_cluster CI
- Pods, services, and deployments get their own respective CI classes
The reason nodes default to cmdb_ci_linux_server is straightforward: Kubernetes was built on Linux, and the overwhelming majority of production Kubernetes nodes run Linux distributions like Ubuntu, CentOS, or RHEL. This default mapping ensures that the infrastructure layer beneath Kubernetes is properly represented in the CMDB for capacity planning and incident management.
Why the Others Are Wrong
- A - Nodes are ignored by default: This contradicts the Informer's purpose. The Informer is specifically designed to discover all cluster components including nodes. Ignoring them would defeat the goal of full-stack visibility.
- C - Creates cmdb_ci_windows_server: Kubernetes is a Linux-native technology. While Windows nodes are supported in modern Kubernetes, the default CI class for nodes is linux_server, reflecting the platform's Linux roots.
- D - No CIs unless manually configured: The Informer creates CIs automatically out of the box. Manual configuration is optional for customization, not required for basic node discovery.
Memory Tip
Kubernetes Nodes = Linux Servers. Just remember: "Kube Nodes Live on Linux Servers" - KN=LS. The Informer maps nodes to cmdb_ci_linux_server by default because Kubernetes was born on Linux.
Real-World Example
A DevOps team at RetailMax deploys the ServiceNow Kubernetes Informer into their production cluster running 24 nodes on Ubuntu 22.04. After the first discovery cycle, 24 cmdb_ci_linux_server CIs appear in the CMDB, each linked to the parent cmdb_ci_kubernetes_cluster CI. The infrastructure team now has visibility into node-level health metrics alongside their existing server monitoring - without any custom configuration.
- AQuick Discovery
- BECC queue load
- CDiscovery tuning advice
- DDiscovery Admin Workspace Home page
Show full explanation
Correct Answer
D. Discovery Admin Workspace Home page
Source
ServiceNow Zurich - Discovery Admin Workspace
If the link fails, search Google for: ServiceNow Zurich Discovery Admin Workspace Home page critical tasks
Expert Explanation
The Discovery Admin Workspace is a modern, purpose-built workspace for managing discovery operations in ServiceNow. Its Home page is a command center that aggregates critical information including:
- Critical discovery tasks requiring immediate attention
- Discovery status summaries showing recent scan results
- Error breakdowns categorized by type (credential failures, connection timeouts, classification errors)
- MID Server health indicators
- Actionable widgets that link directly to resolution workflows
The Home page is designed so that a discovery administrator can log in, immediately see what needs attention, and navigate directly to the relevant records to resolve issues. This is different from the legacy Discovery Status list, which required manual filtering and did not prioritize critical items.
Why the Others Are Wrong
- A - Quick Discovery: This is a single-target discovery tool accessed from the navigator. It runs discovery against one IP and returns results. It has no dashboard or task prioritization capability.
- B - ECC queue load: The ECC (External Communication Channel) queue load is a performance metric showing message throughput. While useful for diagnosing bottlenecks, it does not identify or help resolve discovery tasks.
- C - Discovery tuning advice: Tuning advice offers optimization suggestions (thread counts, batch sizes, timeouts) for improving discovery performance. It is advisory, not task-oriented.
Memory Tip
Think of the Discovery Admin Workspace Home page as the "mission control" screen in a space center. Just like NASA controllers see all critical alerts on their main screen, discovery admins see all critical tasks on the Home page. Home = where you see what's broken.
Real-World Example
A discovery administrator at MegaCorp logs into the Discovery Admin Workspace on Monday morning. The Home page immediately shows 3 critical tasks: 14 Windows servers failing SSH-based discovery (wrong protocol), 6 network switches with expired SNMP credentials, and 1 MID Server that went offline over the weekend. She resolves the credential issue in 10 minutes by updating the SNMP community string, reassigns the Windows servers to use WinRM, and escalates the MID Server outage to the infrastructure team - all from links on the Home page.
- Aa proxy server
- Ba discoverable CI
- Cthe admin role
- DService Mapping installed
Show full explanation
Correct Answer
B. A discoverable CI
Source
ServiceNow Zurich - Debug in Pattern Designer
If the link fails, search Google for: ServiceNow Zurich Pattern Designer Debug discoverable CI
Expert Explanation
The Pattern Designer is the tool used to create and modify horizontal discovery patterns in ServiceNow. The Debug feature allows you to test a pattern by running it step-by-step against a real device.
To use Debug, you need:
- A discoverable CI - an actual device or application that the pattern can connect to and query
- Valid credentials configured for that target
- A MID Server that can reach the target
The debugger runs each pattern step sequentially against the live target, showing you the raw output from each operation (SSH commands, WMI queries, SNMP walks, etc.) and how the parsing rules extract data into variables. This real-time execution against an actual device is what makes Debug so powerful for pattern development and troubleshooting.
Without a discoverable CI, the Debug feature has nothing to execute against and cannot be used.
Why the Others Are Wrong
- A - Proxy server: Proxies are network infrastructure components unrelated to pattern debugging. The MID Server connects to targets directly or through configured network paths, not through a debugging-specific proxy.
- C - Admin role: The admin role is not specifically required. The discovery_admin role grants sufficient permissions for Pattern Designer and Debug functionality. More importantly, having any role without a discoverable target makes Debug unusable.
- D - Service Mapping: Service Mapping is a separate product that uses patterns for application-layer discovery. Pattern Designer Debug works independently of Service Mapping and only requires a discoverable target.
Memory Tip
You cannot debug in a vacuum. Just like you cannot test-drive a car without an actual car, you cannot debug a pattern without an actual discoverable CI. Debug = real device required. Debug needs a Device.
Real-World Example
A ServiceNow developer at AcmeTech is building a custom pattern to discover Oracle Database instances on Linux servers. She opens Pattern Designer, writes an SSH operation to run "oracle_home/bin/sqlplus -v", and clicks Debug. The system prompts her to select a discoverable CI. She picks ORADB-PROD-01 (10.20.30.41), and the debugger connects via SSH, executes the command, and shows the raw output - letting her refine her parsing regex until the version number extracts correctly as "19.3.0.0".
- AThe MID Server is unavailable.
- BThe MID Server responds slower than usual.
- CThe ServiceNow instance is on Orlando patch 1, while the MID Server is on New York patch 2.
- DThe ServiceNow instance is on Orlando patch 3, but the MID Server is on Orlando patch 1.
Show full explanation
Correct Answer
D. The ServiceNow instance is on Orlando patch 3, but the MID Server is on Orlando patch 1.
Source
ServiceNow Zurich - MID Server Version Status
If the link fails, search Google for: ServiceNow Zurich MID Server version status yellow icon patch mismatch
Expert Explanation
ServiceNow uses a color-coded icon system to indicate MID Server version alignment with the instance:
- Green: The MID Server version exactly matches the instance version (same release, same patch)
- Yellow: The MID Server is on the same release family but a different patch level (e.g., both Orlando, but different patches)
- Red: The MID Server is on a completely different release family (e.g., instance on Orlando, MID Server on New York)
The yellow icon is a warning, not a critical alert. It means the MID Server is functional but may lack bug fixes or features introduced in the newer patch. ServiceNow recommends upgrading the MID Server to match the instance patch level to ensure full compatibility and access to the latest fixes.
MID Server auto-upgrade can resolve this automatically if enabled, but organizations that control MID Server updates manually may see yellow icons after instance patching.
Why the Others Are Wrong
- A - MID Server unavailable: Unavailability is shown through the MID Server status field (Down/Up), not the version icon color. A down MID Server would display differently from a version mismatch warning.
- B - Slower than usual: Performance degradation is not tracked by the version icon. Response time issues would appear in MID Server performance metrics or ECC queue monitoring.
- C - Orlando vs New York: A cross-release mismatch (Orlando vs New York) is a major version difference, which would result in a red icon, not yellow. Yellow is reserved for same-release, different-patch scenarios.
Memory Tip
Traffic light logic: Green = perfect match, go. Yellow = caution, same family but different patch (like siblings with different birthdays - same family, slightly different). Red = stop, completely different release. Yellow = "same release, different patch."
Real-World Example
After a weekend maintenance window, the platform team at FinServ Inc upgrades their ServiceNow instance from Orlando Patch 1 to Orlando Patch 3. On Monday, the discovery admin notices 8 MID Servers showing yellow version icons. All 8 are still on Orlando Patch 1. She enables auto-upgrade for the MID Server cluster, and within 2 hours all icons turn green as the MID Servers pull down Patch 3 binaries and restart.
- ANew software installation packages for IT infrastructure enhancement.
- BUpdates to the physical servers in the user's infrastructure.
- CUpdated tutorials and user manuals for ServiceNow ITOM Content Service.
- DNew Configuration Items (CIs) identified from products currently in use.
Show full explanation
Correct Answer
D. New Configuration Items (CIs) identified from products currently in use.
Source
ServiceNow Zurich - ITOM Content Service
If the link fails, search Google for: ServiceNow Zurich ITOM Content Service weekly updates patterns classifiers
Expert Explanation
The ITOM Content Service is a cloud-based delivery mechanism that provides weekly updates to ServiceNow customers. These updates include:
- New CI classifications for recently released software, hardware, and cloud services
- Updated discovery patterns that can identify new product versions
- New classifiers for identifying device types based on open ports and services
- Pattern improvements based on field feedback from the ServiceNow customer base
The key value is that customers do not need to wait for a major platform release to discover new products. When a vendor releases a new software version or a new cloud service appears, ServiceNow's content team can push recognition capability to all customers within the weekly update cycle.
These updates are delivered automatically and do not require instance upgrades or MID Server restarts. They are applied through the content subscription mechanism.
Why the Others Are Wrong
- A - Software installation packages: ITOM Content Service delivers discovery content (patterns, classifiers), not software packages for installation on customer infrastructure.
- B - Physical server updates: The service operates entirely in the ServiceNow domain - it updates what discovery can recognize, not the physical infrastructure itself.
- C - Tutorials and manuals: Documentation is maintained on docs.servicenow.com and Now Learning. The Content Service is an operational tool, not an educational resource.
Memory Tip
ITOM Content Service = Weekly CI Menu Updates. Just like a restaurant updates its menu weekly with new dishes, ITOM Content Service updates the "menu" of CIs that discovery can recognize. New products in the market- Content Service adds them to the menu so discovery can find them.
Real-World Example
A cloud architect at TechStart Inc notices that ServiceNow discovery suddenly recognizes their newly deployed Redis 7.2 instances, even though they had not updated their discovery patterns manually. This happened because the ITOM Content Service pushed a new classifier and pattern for Redis 7.2 in the weekly update cycle. Within one week of Redis 7.2 being generally available, ServiceNow could discover and classify it across all customer environments.
- Awindows_cmdb_ci
- BCI Type on the Discovery Pattern form
- Cinfrastructure_system
- Dcomputer_system
Show full explanation
Correct Answer
B. CI Type on the Discovery Pattern form and D. computer_system
Source
ServiceNow Zurich - Horizontal Discovery Pattern Variables
If the link fails, search Google for: ServiceNow Zurich horizontal discovery pattern default variables computer_system CI Type
Expert Explanation
Horizontal discovery patterns discover applications and services running on top of already-discovered infrastructure. They come with default variables that are pre-populated by the discovery framework before pattern steps execute.
The two default variables available are:
- CI Type (from the Discovery Pattern form): This variable is set based on the CI Type field on the pattern record itself. It tells the pattern what class of CI to create or update when matches are found. It is available as a variable that subsequent pattern steps can reference.
- computer_system: This variable represents the host device (server, VM, or compute instance) on which the pattern is executing. It is pre-populated with the CI record of the underlying machine, giving pattern steps access to attributes like hostname, IP address, and OS version without needing to re-discover them.
These default variables eliminate the need for patterns to redundantly discover host-level information and provide consistent CI classification across all pattern executions.
Why the Others Are Wrong
- A - windows_cmdb_ci: This is not a recognized default variable name in the discovery pattern framework. While platform-specific variables exist, they follow different naming conventions.
- C - infrastructure_system: This variable name does not exist as a default in horizontal patterns. The correct infrastructure-level variable is computer_system, not "infrastructure_system."
Memory Tip
Think of the two defaults as answering two fundamental questions: "What am I creating-" (CI Type) and "Where am I running-" (computer_system). Every pattern needs to know WHAT to build and WHERE it is running. CI Type + computer_system = What + Where.
Real-World Example
A pattern developer at LogiCorp writes a horizontal pattern to discover Apache Tomcat instances. The pattern's CI Type field is set to cmdb_ci_app_server_tomcat. When the pattern runs on server APPSVR-12, the computer_system variable is pre-populated with APPSVR-12's CI record. The pattern uses computer_system to grab the server's IP address for building relationships, and the CI Type to ensure newly found Tomcat instances are classified correctly - all without writing extra discovery steps for that base information.
- ACredentials
- BIP Range Sets
- CMID Server selection
- DDiscovery schedule frequency (run interval)
Show full explanation
Correct Answer
A. Credentials
Source
ServiceNow Zurich - Configure a Discovery Schedule
If the link fails, search Google for: ServiceNow Zurich Discovery Schedule configuration credentials separate
Expert Explanation
A Discovery Schedule controls the operational aspects of a discovery run - when it runs, where it scans, and which MID Server executes it. However, credentials are managed in a completely separate part of the platform.
What you CAN configure in a Discovery Schedule:
- IP Range Sets - which network segments to scan
- MID Server selection - which MID Server runs the discovery
- Run interval/frequency - when and how often it runs
- Discovery type - IP-based, CI-based, cloud, etc.
- Behaviors - what to do on completion
What you CANNOT configure in a Discovery Schedule:
- Credentials - these are managed in the Credentials table and linked through credential rules, credential order, or credential affinity
This separation exists by design. Credentials are sensitive security objects that may be shared across multiple schedules and are subject to access controls. Embedding them in schedules would create duplication and security management complexity.
Why the Others Are Wrong
- B - IP Range Sets: These are a core component of schedule configuration. Every IP-based discovery schedule needs at least one IP range set defining its scan targets.
- C - MID Server selection: The schedule includes a MID Server field where you specify which MID Server should handle the scan, making this fully configurable within the schedule.
- D - Run interval: The schedule frequency is the most fundamental schedule setting - it determines when and how often the discovery executes.
Memory Tip
A Discovery Schedule answers W-W-W: When (frequency), Where (IP ranges), Which MID (server selection). Credentials are the HOW you authenticate - and that lives in a different place. Schedule = When/Where/Which. Credentials = separate.
Real-World Example
An administrator at HealthNet creates a nightly discovery schedule for the 10.100.0.0/16 subnet using MID Server MID-EAST-01, running daily at 2:00 AM. When she tries to add SSH credentials directly to the schedule, she realizes there is no credential field. She navigates to Discovery > Credentials, creates an SSH credential record with the service account, and then creates a credential rule that matches the 10.100.0.0/16 range. The schedule and credentials work together but are configured in separate locations.
- AMID Server
- BDiscovery Schedule
- CTarget IP
- DPID (Process ID)
Show full explanation
Correct Answer
A. MID Server and C. Target IP
Source
ServiceNow Zurich - Run Quick Discovery
If the link fails, search Google for: ServiceNow Zurich Quick Discovery MID Server target IP inputs
Expert Explanation
Quick Discovery is a lightweight, on-demand discovery tool that lets administrators discover a single device without setting up a full discovery schedule. It requires exactly two inputs:
- MID Server: You must select which MID Server will execute the discovery. The MID Server must be able to reach the target device on the network.
- Target IP (or hostname): You must specify the IP address or FQDN of the device you want to discover.
Quick Discovery is commonly used for:
- Testing whether a specific device is discoverable before adding it to a full schedule
- Troubleshooting discovery issues with a particular CI
- Verifying credentials work correctly for a target
- One-off discovery of a newly provisioned device
Because Quick Discovery is designed for simplicity, it strips away all the configuration overhead of schedules, IP ranges, and behaviors. Just pick a MID Server, enter an IP, and go.
Why the Others Are Wrong
- B - Discovery Schedule: Quick Discovery exists specifically to avoid creating a schedule. It is the "skip the schedule" option for single-device, ad-hoc discovery runs.
- D - PID (Process ID): Process IDs are data that discovery collects from target devices. They are never used as inputs. Quick Discovery only needs network-level information (MID Server and IP) to begin.
Memory Tip
Quick Discovery = Quick Inputs. Just two things: MID Server and Target IP. Think "Meet the Target" - MID meets Target. That is all you need for a quick scan. No schedule, no process ID, no complexity.
Real-World Example
A ServiceNow admin at DataStream Corp just provisioned a new database server at 192.168.5.100. Before adding it to the nightly discovery schedule, she wants to verify it is discoverable. She opens Quick Discovery, selects MID-SERVER-DC2 (the MID Server in the same data center), enters 192.168.5.100 as the target IP, and clicks Discover. Within 90 seconds, the server appears in the CMDB as a cmdb_ci_linux_server with PostgreSQL detected - confirming credentials and network connectivity work before committing to the production schedule.
- AIt is very likely that this operation is part of a step on a pattern set to Application Pattern Type.
- BFor this operation to run, it is required that variable process.executablePath contains some data.
- CAttributes from First Table and Second Table populates a table with the same name as a ServiceNow CMDB table.
- DIf a value is unmatched, it will be merged into the Target Table anyway.
Show full explanation
Correct Answer
A, B, and C are all correct statements.
Source
ServiceNow Zurich - Discovery Pattern Operations
If the link fails, search Google for: ServiceNow Zurich discovery pattern Merge Table operation application pattern variables
Expert Explanation
This question tests understanding of the Merge Table operation in discovery patterns. Let us analyze each statement against the operation details:
The operation:
- Type: Merge Table
- First Table: $user_details
- Second Table: $process_information
- Target Table: $cmdb_ci_web_server
- Merge criteria: $process.executablePath contains "mongoose"
- Unmatched values: removed
Why A is correct: The pattern merges process and user data to create web server CIs, filtering by application signature ("mongoose" in the executable path). This is classic application-layer discovery behavior - identifying specific software from running processes. Only Application Pattern Types work at this layer.
Why B is correct: The merge criteria checks if $process.executablePath contains "mongoose." If executablePath has no data, the contains check cannot match, and no rows would pass the filter. The operation requires populated process data to function.
Why C is correct: The target variable $cmdb_ci_web_server maps directly to the CMDB table cmdb_ci_web_server. This naming convention is how patterns indicate which CMDB class the discovered data should populate.
Why the Others Are Wrong
- D - Unmatched values merged anyway: The operation specification explicitly states "unmatched values are removed." This is the filtering mechanism that ensures only processes matching the Mongoose web server signature end up in the cmdb_ci_web_server target table. Merging unmatched data would create false CIs.
Memory Tip
Remember A-B-C for Merge Table: Application pattern (because it matches process signatures), Before merge, data must exist (executablePath needs values), CMDB table naming (target variable = CMDB class). D for Discard unmatched - they are removed, not kept.
Real-World Example
A pattern developer at WebScale Inc builds a pattern to discover Mongoose-based Node.js web servers. The pattern first collects running processes ($process_information) and logged-in users ($user_details) via SSH. The Merge Table step then filters for processes where the executable path contains "mongoose," combines them with user details, and outputs to $cmdb_ci_web_server. On a server running 84 processes, only 2 match the mongoose filter. The other 82 are removed (unmatched). The 2 matching entries create web server CIs in the CMDB with correct ownership from the user details table.
- Ait_service_manager
- Bnetwork_operator
- Cdiscovery_user
- Ddiscovery_admin
Show full explanation
Correct Answer
D. discovery_admin
Source
ServiceNow Zurich - Discovery Admin Workspace
If the link fails, search Google for: ServiceNow Zurich Discovery Admin Workspace role discovery_admin access
Expert Explanation
The Discovery Admin Workspace is a dedicated workspace for managing all aspects of ServiceNow Discovery. Access requires the discovery_admin role, which is the administrative role for the discovery module.
The ServiceNow discovery role hierarchy works as follows:
- discovery_admin: Full access to all discovery functions including the Discovery Admin Workspace, schedules, patterns, credentials, MID Servers, and discovery configuration
- discovery_user: Read-only access to discovery statuses, results, and CI data. Cannot modify discovery configuration or access the admin workspace
The discovery_admin role provides permissions for:
- Creating and modifying discovery schedules
- Managing MID Server configuration
- Editing discovery patterns
- Configuring credentials and credential rules
- Accessing the Discovery Admin Workspace and all its features
- Viewing and resolving discovery errors
Why the Others Are Wrong
- A - it_service_manager: This ITSM role manages service delivery processes. It operates in a different domain (ITSM vs ITOM) and has no discovery administrative permissions.
- B - network_operator: This role is focused on network operations and monitoring. While network operators may benefit from discovery data, they need the discovery_admin role specifically to access the workspace.
- C - discovery_user: This role provides read-only discovery access. The Admin Workspace requires administrative privileges that only discovery_admin provides. Think of discovery_user as "viewer" and discovery_admin as "manager."
Memory Tip
The workspace is called Discovery ADMIN Workspace - the role is discovery_admin. The name tells you the answer. Admin workspace = admin role. If you see "admin" in the workspace name, the role has "admin" in it too.
Real-World Example
A new hire at CloudFirst Corp is assigned the discovery_user role during onboarding. She can view discovery statuses and see which CIs were found, but when she tries to open the Discovery Admin Workspace from the navigator, she gets an "insufficient privileges" error. Her manager submits a request to add the discovery_admin role to her account. After approval, she can access the full workspace with dashboards, schedule management, and error resolution tools.
- ADAS (Direct-attached storage)
- BMAS (Multiple area network)
- CNAS (Network-attached storage)
- DSAN (Storage area network)
Show full explanation
Correct Answer
A. DAS, C. NAS, and D. SAN
Source
ServiceNow Zurich - Storage Discovery
If the link fails, search Google for: ServiceNow Zurich storage discovery DAS NAS SAN dependencies
Expert Explanation
ServiceNow Discovery can discover and map dependencies for the three standard storage architectures in enterprise IT:
- DAS (Direct-attached storage): Storage physically connected to a single server. Discovery identifies DAS through host-level probes that detect local disks, RAID controllers, and directly connected storage devices. Dependencies are mapped between the server CI and its attached storage.
- NAS (Network-attached storage): File-level storage accessible over the standard network. Discovery finds NAS devices (like NetApp filers or EMC VNX) and maps which servers mount file shares from them. Protocols discovered include NFS and SMB/CIFS.
- SAN (Storage area network): Block-level storage delivered over a dedicated high-speed network. Discovery maps the complete SAN topology including Fibre Channel switches, storage arrays, LUNs (Logical Unit Numbers), zones, and HBA (Host Bus Adapter) connections.
Storage discovery is critical for impact analysis. When a SAN array goes down, the CMDB relationships show exactly which servers and applications are affected.
Why the Others Are Wrong
- B - MAS (Multiple area network): This is not a real storage technology. The acronym MAS does not correspond to any recognized storage architecture. The three industry-standard storage types are DAS, NAS, and SAN. This option is a distractor using a plausible-sounding but fictional term.
Memory Tip
Remember the storage trio with the word "DANS" minus the extra letter: DAS, NAS, SAN. Or think: Direct, Network, Storage Area Network. The fake one is MAS - Made-up Acronym for Storage.
Real-World Example
A storage administrator at MediaCorp runs discovery across their data center. The results populate the CMDB with: 200 DAS entries (local SSDs in application servers), 4 NAS filers (NetApp FAS8200 units serving 2 PB of media files), and a SAN fabric with 2 Brocade switches, 3 Pure Storage arrays, and 480 LUN mappings. When Pure Storage Array #2 reports a degraded controller, the CMDB instantly shows 160 affected servers and 12 critical applications - enabling the team to notify the right application owners within minutes.
- A$table[1].example
- B$table[].example
- C$table[*].example
- D$table[X].example
Show full explanation
Correct Answer
A. $table[1].example, B. $table[].example, and C. $table[*].example
Source
ServiceNow Zurich - Pattern Variable Reference Syntax
If the link fails, search Google for: ServiceNow Zurich discovery pattern tabular variable syntax brackets reference
Expert Explanation
In ServiceNow discovery patterns, tabular variables store multi-row data (like command output parsed into a table). Referencing columns within these tables requires bracket notation to specify which rows you want to access.
The three valid syntaxes are:
- $table[1].column - Specific row access: The numeric index selects a single row by position (1-based indexing). Use this when you know exactly which row contains the data you need, such as grabbing the version from the first row of parsed output.
- $table[].column - Row iteration: Empty brackets tell the pattern engine to iterate through each row one at a time. Each iteration processes one row, making the column value available for that specific row. This is the standard way to loop through table data.
- $table[*].column - Wildcard selection: The asterisk selects all rows at once, returning all values from the specified column as a collection. This is useful for bulk operations like populating a list or checking if any row matches a condition.
Why the Others Are Wrong
- D - $table[X].example: The letter "X" has no meaning in the pattern variable syntax. Valid bracket contents are limited to: numeric indices (positive integers), empty brackets (for iteration), or the asterisk wildcard. Using "X" would cause a pattern execution error.
Memory Tip
Think of the three valid syntaxes as "1, empty, star": [1] = pick ONE row, [] = loop through EACH row (empty = iterate), [*] = grab ALL rows (star = everything). The fake one uses [X] - and X marks the wrong answer. X = eXcluded.
Real-World Example
A pattern developer at NetOps Inc writes a pattern to discover database instances. After parsing the output of "ps aux | grep oracle" into $oracle_procs, she uses three different syntaxes: $oracle_procs[1].pid to get the first Oracle process ID for a health check, $oracle_procs[].instance_name to iterate through each row and create separate CI records for each Oracle instance, and $oracle_procs[*].memory_mb to collect all memory values at once for a total memory calculation. All three syntaxes are valid and serve different purposes.
- AFrom a Classifier
- BFrom a Discovery Pattern
- CFrom the MID Server
- DFrom a Probe
Show full explanation
Correct Answer
B. From a Discovery Pattern
Source
ServiceNow Zurich - Tracked Files in Discovery Patterns
If the link fails, search Google for: ServiceNow Zurich discovery pattern tracked files tab configuration
Expert Explanation
The Tracked Files feature in ServiceNow Discovery allows administrators to monitor specific files on discovered devices for changes. This functionality is configured and modified directly from the Discovery Pattern form.
The image in the question shows the Tracked Files tab on a Discovery Pattern record. From this tab, you can:
- Add files to track by specifying file paths and file names
- Set tracking parameters like checksum monitoring, size tracking, and modification time detection
- Define file patterns using wildcards to match multiple files
- Configure what attributes to collect for each tracked file (permissions, ownership, content hash)
When discovery runs and executes the pattern, it checks the specified files on the target device and records their current state in the CMDB. Subsequent discovery runs detect changes by comparing the new state against the previously recorded values.
This is part of ServiceNow's modern pattern-based discovery architecture, where patterns are the central configuration point for all discovery behavior.
Why the Others Are Wrong
- A - From a Classifier: Classifiers determine CI types during the classification phase of discovery. They answer "what is this device-" but do not define file tracking behavior. Tracked Files is a data collection feature, not a classification feature.
- C - From the MID Server: The MID Server is the execution engine that runs discovery operations. It does not store configuration for what files to track. Configuration lives in the pattern on the ServiceNow instance; the MID Server simply executes the pattern instructions.
- D - From a Probe: Probes are legacy discovery components. The Tracked Files feature was built as part of the modern pattern framework. The image clearly shows a pattern form, not a probe configuration.
Memory Tip
The image shows a tab on a Pattern - and the answer is Pattern. When you see a tab that is part of a form, the answer is always the form it belongs to. Tracked Files TAB lives on the PATTERN form. Tab on Pattern = modify from Pattern.
Real-World Example
A security-conscious administrator at SecureBank wants to monitor critical configuration files on 500 Linux servers. She opens the Linux Server discovery pattern, navigates to the Tracked Files tab, and adds entries for /etc/passwd, /etc/shadow, /etc/ssh/sshd_config, and /etc/sudoers. After the next discovery cycle, the CMDB records checksums for all these files across 500 servers. When an unauthorized change is detected on /etc/sudoers on server SEC-APP-14 three days later, the change appears in the CMDB diff report - triggering a security incident investigation that reveals a compromised service account.
Free exam updates. No spam. Unsubscribe anytime.
You scored 0/15 on the 15-question preview.
The full course keeps the same answer breakdown style across all 173 questions.
Your first exam attempt is free. Your second costs $350.
Many students also study:
Compare all 18 practice tests, or use the cert quiz to plan what to study next.
Looking for a different certification-
Browse all 18 practice tests →