CIS Event Management Practice Test 2026 | ServiceNow EM Exam Prep

Name: CIS Event Management Practice Test 2026
Price: 9.99 USD
Availability: InStock
Rating: 3.8 (1 reviews)

1.You have an event with a Source of 'Trap from Enterprise 111' but the alert created for this event shows a Source of 'Oracle EM'. If you want to change what this is set to where in the event rule would you do this-

ATransform and Compose Alert Output tab
BEvent rule info tab
CCI Binding tab
DEvent Filter tab

Show full explanation

Correct Answer

A) Transform and Compose Alert Output tab

Source

ServiceNow Zurich Docs: Configure Event Rules
(If the link fails, search Google for: ServiceNow Zurich Event Rule Transform Compose Alert Output)

Expert Explanation

The Transform and Compose Alert Output tab in an event rule controls how event fields are mapped to alert fields. When an event with Source "Trap from Enterprise 111" creates an alert showing Source "Oracle EM," the mapping on this tab is overriding the original source value. To change what appears in the alert Source field, you modify the field mapping on this tab.

Why the Others Are Wrong

Event rule info tab contains metadata about the rule itself, not field transformations
CI Binding tab handles CMDB association, not alert field values
Event Filter tab determines which events match, not how alert output is composed

Memory Tip

Transform and Compose = transforming event data into alert output. If the alert shows wrong values, check the Transform tab.

Real-World Example

A monitoring team notices alerts showing "Oracle EM" as the source even though events come from SNMP traps. They open the matching event rule, go to the Transform and Compose Alert Output tab, and find a hardcoded "Oracle EM" value. They change it to use the original event source field.

2.In default configuration using baseline connectors how often is event data collected from event sources-

AOnce every minute
BEvery 2 minutes
CTwice every minute
DEvery 5 minutes

Show full explanation

Correct Answer

B) Every 2 minutes

Source

ServiceNow Zurich Docs: Event Management Connectors
(If the link fails, search Google for: ServiceNow Zurich Event Management connector polling interval default)

Expert Explanation

Baseline event connectors in ServiceNow are configured to poll event sources every 2 minutes by default. This interval balances the need for timely event detection with system performance. The polling interval can be adjusted per connector based on the criticality of the monitored source.

Why the Others Are Wrong

Every minute is more frequent than the default setting
Twice every minute (30 seconds) would cause excessive load on both the MID Server and event source
Every 5 minutes is longer than the default, which could delay critical event detection

Memory Tip

Default = 2 minutes. Think of it as the "standard heartbeat" for event collection.

Real-World Example

A network monitoring team deploys a new SNMP trap connector. Without changing any settings, it starts collecting events every 2 minutes. For their critical production firewall, they reduce the interval to 1 minute for faster detection.

3.Entry Points: When using Service Mapping to build a "Mapped Application Service" what is the primary function of an Entry Point-

AIt defines the login credentials for the service.
BIt defines the first tier of the application connection (e.g. a URL or IP/Port) to begin discovery.
CIt defines the person responsible for the service.
DIt defines the API endpoint for the Event Connector.

Show full explanation

Correct Answer

B) It defines the first tier of the application connection to begin discovery

Source

ServiceNow Zurich Docs: Service Mapping Entry Points
(If the link fails, search Google for: ServiceNow Zurich Service Mapping Entry Points)

Expert Explanation

In Service Mapping, an Entry Point defines the starting connection point for discovering a Mapped Application Service. It specifies how to reach the first tier of the application, typically through a URL for web applications or an IP/port combination for other services. From this starting point, Service Mapping discovers downstream dependencies automatically.

Why the Others Are Wrong

Login credentials are managed in the Credentials table, not Entry Points
Person responsible is defined on the service record in the CMDB
API endpoint for Event Connector is a completely different concept unrelated to Service Mapping

Memory Tip

Entry Point = the front door of your application. Service Mapping walks in through this door and discovers everything inside.

Real-World Example

To map an e-commerce application, the admin creates an Entry Point with URL https://shop.example.com:443. Service Mapping starts at this web server and discovers the load balancer, application servers, databases, and storage systems behind it.

4.Event Class Variable When writing custom JavaScript in an Event Rule which internal variable allows access to the classification object of the event-

Acurrent
Bevent_class
Cevt
Dbinding

Show full explanation

Correct Answer

B) event_class

Source

ServiceNow Zurich Docs: Scripting in Event Rules
(If the link fails, search Google for: ServiceNow Zurich Event Rule scripting variables event_class)

Expert Explanation

When writing custom JavaScript in an Event Rule, the event_class variable gives you access to the classification object of the event being processed. This allows you to read classification properties, modify how the event is categorized, and make decisions based on the event classification within your rule logic.

Why the Others Are Wrong

current refers to the event GlideRecord, not the classification object specifically
evt is not the standard variable name for classification access in Event Rules
binding relates to CI binding, a separate concern from event classification

Memory Tip

event_class = the class/category of the event. The variable name literally tells you what it contains.

Real-World Example

An Event Rule needs to set a custom severity based on the event class. The script uses event_class to check the classification and conditionally set the alert severity to Critical for production infrastructure classes.

5.What is an alert called that moves from an open to a closed state multiple times within a designated time-frame-

AFluctuating
BSwinging
CFlipping
DFlapping

Show full explanation

Correct Answer

D) Flapping

Source

ServiceNow Zurich Docs: Alert Flapping
(If the link fails, search Google for: ServiceNow Zurich Event Management alert flapping)

Expert Explanation

Flapping occurs when an alert repeatedly transitions between open and closed states within a configured time window. This typically indicates an intermittent issue, such as a network link going up and down. ServiceNow detects flapping and can keep the alert open to prevent alert fatigue from constant open/close notifications.

Why the Others Are Wrong

Fluctuating is a common English word but not the ServiceNow term
Swinging is not used in ServiceNow Event Management terminology
Flipping sounds similar but is not the correct ServiceNow term

Memory Tip

Think of a fish flapping on a dock, going up and down rapidly. A flapping alert does the same thing between open and closed states.

Real-World Example

A failing network switch causes a link to drop and reconnect every 3 minutes. Without flapping detection, agents would receive dozens of open/close alert pairs per hour. With flapping detection enabled, ServiceNow keeps the alert open and marks it as flapping, sending a single notification to investigate the unstable link.

6.Alert Automation vs. Management Rules: What is one of the primary benefits of using Alert Automation in Service Operations Workspace compared to legacy Alert Management Rules-

AIt uses back-end tables separate from those in event management rules
BIt offers a simplified experience for creating and managing event and alert-related rules
CIt enables centralized administration for all alert management
DIt allows for the use of JavaScript in all fields

Show full explanation

Correct Answer

B) It offers a simplified experience for creating and managing rules

Source

ServiceNow Zurich Docs: Alert Automation
(If the link fails, search Google for: ServiceNow Zurich Alert Automation Service Operations Workspace)

Expert Explanation

Alert Automation provides a streamlined, user-friendly interface within the Service Operations Workspace for creating and managing event and alert rules. Compared to legacy Alert Management Rules, it reduces complexity by offering guided workflows, reducing the need for scripting, and consolidating rule management into a single workspace experience.

Why the Others Are Wrong

Separate back-end tables is incorrect; Alert Automation integrates with the Event Management framework
Centralized administration is a general benefit, not the primary differentiator
JavaScript in all fields is the opposite of what Alert Automation does; it simplifies by reducing script requirements

Memory Tip

Alert Automation = making alert rules simpler. The key benefit is simplification, not more features.

Real-World Example

An IT operations manager who previously needed a developer to write JavaScript for alert management rules can now create suppression and grouping rules through a guided, no-code interface in the Service Operations Workspace.

7.Mandatory Connector Functions You are writing a custom JavaScript based Event Connector to pull events from a legacy mainframe via REST Which specific function must be defined in your script to allow the Test Connector button in the UI to validate credentials without actually pulling data

Aexecute()
Bcollect()
CtestConnection()
DvalidateAuth()

Show full explanation

Correct Answer

C) testConnection()

Source

ServiceNow Zurich Docs: Create Custom Event Connector
(If the link fails, search Google for: ServiceNow Zurich custom Event Connector testConnection JavaScript)

Expert Explanation

When building a custom JavaScript-based Event Connector, you must define the testConnection() function to enable the Test Connector button in the connector configuration UI. This function validates that the provided credentials and endpoint are correct without pulling actual event data. The collect() function handles the actual data retrieval during scheduled collection runs.

Why the Others Are Wrong

execute() is not the designated function for connection testing in the connector framework
collect() handles actual event data collection, not credential validation
validateAuth() is not a function defined in the ServiceNow connector API

Memory Tip

testConnection() = test the connection. The function name tells you exactly what it does.

Real-World Example

A developer builds a custom connector to pull events from a legacy mainframe REST API. They define testConnection() to make a simple GET /health call to verify the endpoint responds with 200 OK using the provided credentials. The admin clicks Test Connector in the UI, and the function executes without pulling actual events.

8.Synthetic Monitoring: Synthetic monitors in the ServiceNow Event Management context can be hosted from which of the following locations- (Choose three) (choose 3)

AA MID Server
BA cluster of Agent Client Collector (ACC) agents
CA ServiceNow Glide instance (for public endpoints)
DThe end-user's browser
EA third-party cloud monitoring agent

Show full explanation

Correct Answer

A) MID Server, B) ACC agents, C) ServiceNow Glide instance

Source

ServiceNow Zurich Docs: Synthetic Monitoring
(If the link fails, search Google for: ServiceNow Zurich Synthetic Monitoring hosting locations)

Expert Explanation

Synthetic monitors can be hosted from three locations: MID Servers (for internal network testing), ACC agent clusters (for distributed endpoint monitoring), and the ServiceNow Glide instance itself (for public-facing endpoints). Each location provides different visibility depending on where the monitored service is accessible from.

Why the Others Are Wrong

End-user browser is not a native synthetic monitoring host
Third-party cloud agents are not part of the ServiceNow synthetic monitoring framework

Memory Tip

Three hosts: MID (internal), ACC (distributed), Glide (public). Think inside, across, and outside the network.

Real-World Example

A company monitors their internal HR portal via MID Server, tests distributed office connectivity via ACC agents, and checks their public website availability directly from the ServiceNow instance.

9.The correct regex to capture the name of the server in "the server webserver3.domain.com is down" would be:

A.*(\w+\.\w+\.\w+).*
BThe server (.*)\s.*
C.*\s(\w+\.\w+\.\w+).*
Dthe server (.*).*

Show full explanation

Correct Answer

C) .*\s(\w+\.\w+\.\w+).*

Source

ServiceNow Zurich Docs: Regular Expressions in Event Management
(If the link fails, search Google for: ServiceNow Zurich Event Management regex parsing)

Expert Explanation

The regex .*\s(\w+\.\w+\.\w+).* works by first consuming any characters up to a whitespace character, then capturing a three-part dotted name pattern (like webserver3.domain.com). The \w+ matches word characters and the \. matches literal dots, correctly isolating the FQDN from the surrounding text.

Why the Others Are Wrong

Option A starts greedy matching from position zero, potentially capturing wrong text
Option B uses a fixed text prefix and greedy (.*) capture that grabs too much
Option D is case-sensitive to "the" and uses greedy capture that would match beyond the server name

Memory Tip

Look for the pattern that uses \s before the capture group. The space anchors the start of the server name.

Real-World Example

An event rule needs to extract the server FQDN from free-text event messages. The regex captures "webserver3.domain.com" from "the server webserver3.domain.com is down" and maps it to the alert Node field for CI binding.

10.You have a very large networking environment and have noticed that your event notifications are either not being triggered or are delayed. What are best options to try to resolve this issue- (Choose two.) (choose 2)

AEnsure all Event Management - process events jobs are set to a Ready state
BVerify that the Bucket field in the event table is set to zero (0)
CAdd additional event processor jobs
DEnsure multi-node event processing is disabled

Show full explanation

Correct Answer

A) Ensure process events jobs are Ready, C) Add additional event processor jobs

Source

ServiceNow Zurich Docs: Event Processing
(If the link fails, search Google for: ServiceNow Zurich Event Management processing performance large environment)

Expert Explanation

In large networking environments, event processing delays can be resolved by ensuring all event processing scheduled jobs are active (Ready state) and by adding more processor jobs to increase parallel throughput. Both approaches increase the rate at which events are consumed from the queue.

Why the Others Are Wrong

Setting Bucket to zero does not address processing capacity
Disabling multi-node processing would reduce capacity and worsen delays

Memory Tip

Delayed events- Two fixes: make sure existing processors are running (Ready), and add more processors (additional jobs).

Real-World Example

A large enterprise with 50,000 network devices notices event notifications arriving 30 minutes late. Investigation reveals two of four event processor jobs were paused after a maintenance window. Reactivating them and adding two more jobs brings processing latency back under 2 minutes.

11.Which two methods can be used to improve the processing of events in large network environments- (Choose two.) (choose 2)

AEnable multi-node processing
BIncrease the source polling interval
CEnsure the bucket value in the event table is greater than 0
DIncrease the number of scheduled jobs processing events

Show full explanation

Correct Answer

A) Enable multi-node processing, D) Increase scheduled jobs processing events

Source

ServiceNow Zurich Docs: Event Processing
(If the link fails, search Google for: ServiceNow Zurich Event Management multi-node processing performance)

Expert Explanation

Two primary methods improve event processing in large environments: enabling multi-node processing (distributes load across application nodes) and increasing the number of scheduled event processor jobs (adds parallel processing threads). Both approaches increase the total processing capacity of the system.

Why the Others Are Wrong

Increasing polling interval makes collection slower, not processing faster
Bucket value greater than 0 is related to processing distribution but is not a primary optimization method listed

Memory Tip

More capacity = more nodes + more jobs. Both multiply processing power.

Real-World Example

A cloud provider managing 100,000 VMs enables multi-node processing across 4 application nodes and increases event processor jobs from 2 to 8. Event processing latency drops from 15 minutes to under 1 minute.

12.In Service Operations Workspace what tool shows relationships between configuration items and alerts with real time updates and detailed impact paths-

ACMDB identification and reconciliation engine IRE
BUnified service map
CDependency view map
DCMDB class manager

Show full explanation

Correct Answer

B) Unified service map

Source

ServiceNow Zurich Docs: Unified Service Map
(If the link fails, search Google for: ServiceNow Zurich Unified Service Map Service Operations Workspace)

Expert Explanation

The Unified Service Map in Service Operations Workspace provides a dynamic, real-time visualization of CI relationships and active alerts. It shows how alerts on infrastructure components impact business services through detailed impact paths, helping operators quickly understand the blast radius of an issue.

Why the Others Are Wrong

CMDB IRE processes CI data, not alert visualization
Dependency View Map shows CI dependencies but lacks real-time alert integration in SOW
CMDB Class Manager manages table/class definitions, not operational views

Memory Tip

Unified = everything in one map. Service map + alerts + impact paths, all unified in real time.

Real-World Example

A database server triggers a critical alert. An operator opens the Unified Service Map and immediately sees the alert propagating through the application servers to three customer-facing services, with a clear impact path showing which business services are degraded.

13.MID less ACC Deployment You are deploying Agent Client Collector in a MID less configuration for a fleet of roaming laptops Workstation Discovery that are rarely on the corporate VPN Which two specific parameters are required during installation to register these agents directly Choose two (choose 2)

AA valid MID Server User credential
BThe Agent Registration Key generated on the instance
CThe public DNS name of the Cloud Services Endpoint
DThe internal IP of the primary MID Server

Show full explanation

Correct Answer

B) Agent Registration Key, C) Cloud Services Endpoint DNS name

Source

ServiceNow Zurich Docs: MID-less ACC Deployment
(If the link fails, search Google for: ServiceNow Zurich ACC MID-less deployment registration)

Expert Explanation

In a MID-less ACC deployment for roaming laptops, two parameters are required during installation: the Agent Registration Key (to authenticate the agent with the instance) and the Cloud Services Endpoint DNS name (to establish direct communication without a MID Server). This enables discovery of devices that are rarely on the corporate network.

Why the Others Are Wrong

MID Server User credential is not needed when deploying without a MID Server
Internal IP of MID Server contradicts the MID-less architecture

Memory Tip

MID-less needs two things: a key (Registration Key) and a door (Cloud Services Endpoint). No MID Server involved.

Real-World Example

IT deploys ACC agents on 500 sales laptops that rarely connect to VPN. During installation, each agent receives the Registration Key and Cloud Services Endpoint URL. Laptops are discovered and inventoried whenever they have internet access, regardless of VPN connectivity.

14.Which customer challenges questions does Event Management help resolve- choose three (choose 3)

AWhat devices are we using-
BDid we deprecate assets we do not own-
CWhat is the current state of our IT infrastructure-
DHow do we know what servers and applications provide services-
EHow can I automate and prioritize remediation tasks and notifications-
FHow can we consolidate our monitoring tools into a single management system

Show full explanation

Correct Answer

C) Current state of IT infrastructure, E) Automate remediation, F) Consolidate monitoring tools

Source

ServiceNow Zurich Docs: Event Management Overview
(If the link fails, search Google for: ServiceNow Zurich Event Management overview challenges)

Expert Explanation

Event Management addresses three key customer challenges: understanding the real-time state of IT infrastructure through event monitoring, automating and prioritizing remediation through alert workflows and correlation, and consolidating multiple monitoring tools into a single management platform to reduce tool sprawl and provide a unified operational view.

Why the Others Are Wrong

What devices are we using is an asset management concern
Deprecating assets is an asset lifecycle concern
What servers provide services is a Service Mapping/CMDB concern

Memory Tip

Event Management = See (infrastructure state), Act (automate remediation), Unify (consolidate tools).

Real-World Example

A bank runs 12 different monitoring tools across network, server, and application teams. Event Management consolidates all events into one platform, automatically correlates related alerts, and triggers incident creation with priority-based routing for remediation.

15.Log Source Mapping In Health Log Analytics HLA raw log data must be mapped to a specific structure to extract meaningful fields like timestamp host and severity Which component is responsible for defining the Grok patterns or regular expressions used to parse this incoming text

ALog Listener
BSource Type Structure
CMetric Intelligence Policy
DEvent Rule Transform

Show full explanation

Correct Answer

B) Source Type Structure

Source

ServiceNow Zurich Docs: HLA Source Types
(If the link fails, search Google for: ServiceNow Zurich Health Log Analytics Source Type Structure Grok)

Expert Explanation

In Health Log Analytics (HLA), the Source Type Structure component defines how raw log text is parsed into structured data. It uses Grok patterns (built on regular expressions) to extract meaningful fields such as timestamp, hostname, severity level, and message content from unstructured log lines. Each log source can have its own Source Type Structure tailored to its specific format.

Why the Others Are Wrong

Log Listener receives logs but does not define parsing rules
Metric Intelligence Policy handles metric thresholds, not log parsing
Event Rule Transform maps event fields to alert fields, unrelated to log parsing

Memory Tip

Source Type Structure = the structure definition for a source type. It tells HLA how to break apart raw text into meaningful pieces.

Real-World Example

A Linux syslog feed sends raw text like "Mar 12 09:15:33 webserver01 nginx: 502 Bad Gateway." The Source Type Structure defines a Grok pattern that extracts Mar 12 09:15:33 as timestamp, webserver01 as host, nginx as application, and 502 Bad Gateway as the message.

CIS Event Management - ServiceNow Practice Test 2026

What's included

15 Free Preview Questions

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip