CIS Security Incident Response Practice Test 2026 | ServiceNow SIR Exam Prep

Name: CIS Security Incident Response Practice Test 2026
Price: 9.99 USD
Availability: InStock
Rating: 5 (17 reviews)

1.When configuring a Security Tag what does the "Enrichment whitelist/blacklist" classification control-

AWhether the tag can be seen by external users.
BWhether Observables associated with the tagged incident are automatically sent for Threat Intelligence enrichment.
CWhich analysts are allowed to remove the tag.
DThe color of the tag in the UI.

Show full explanation

Correct Answer

B - Whether Observables associated with the tagged incident are automatically sent for Threat Intelligence enrichment.

Source

ServiceNow Zurich Documentation - Security Tags

Expert Explanation

Security Tags can be classified to control enrichment behavior. When a tag carries an enrichment blacklist classification, any Observables attached to that tagged security incident will be skipped during automatic Threat Intelligence enrichment. This is critical for sensitive cases where you do not want hashes or IPs sent to external threat feeds.

Why the Others Are Wrong

A confuses tag classification with user access controls. C confuses it with role-based permissions. D confuses it with UI styling, which is a separate tag property.

Memory Tip

Think "Enrichment whitelist/blacklist" literally: it whitelists or blacklists observables from being enriched. The name tells you exactly what it does.

Real-World Example

Your SOC is investigating an insider threat. You tag the incident "Insider - Sensitive" with an enrichment blacklist classification so that file hashes from the case are never sent to VirusTotal or other external services, preventing data leakage about the investigation.

2.You are configuring the Threat Intelligence Service Center TISC Which feature allows a security analyst to receive notifications about specific threat actors or campaigns they are personally tracking-

APersonal Threat Watchlist
BAnalyst Subscription Service
CThreat Feed RSS
DCampaign Monitor

Show full explanation

Correct Answer

A - Personal Threat Watchlist

Source

ServiceNow Zurich Documentation - Threat Intelligence Service Center

Expert Explanation

TISC provides a centralized hub for threat intelligence operations. The Personal Threat Watchlist feature lets analysts subscribe to specific threat actors or campaigns so they receive notifications when new intelligence or updates become available. This personalizes the threat intel experience for each analyst based on their active investigations.

Why the Others Are Wrong

B, C, and D are all invented feature names that do not exist in the TISC module. ServiceNow uses the term "Personal Threat Watchlist" specifically for this analyst-driven notification capability.

Memory Tip

Think of it like a "watchlist" on a stock trading app: you pick what you want to follow, and the system alerts you when something changes. Personal Threat Watchlist works the same way for threat actors.

Real-World Example

An analyst investigating APT29 adds this threat group to their Personal Threat Watchlist. Two weeks later, a new threat intel feed reports updated TTPs for APT29, and the analyst gets a notification to review the fresh intelligence without having to manually check every feed.

3.What is the function of the Capability Framework Abstract Actions when dealing with integrations-

AIt allows developers to write code in any language.
BIt provides a generic action e.g. Isolate Host that automatically selects the correct tool e.g. CrowdStrike Defender based on the specific CI involved.
CIt prevents integrations from running simultaneously.
DIt forces the analyst to manually select the integration script every time.

Show full explanation

Correct Answer

B - It provides a generic action (e.g., Isolate Host) that automatically selects the correct tool (e.g., CrowdStrike, Defender) based on the specific CI involved.

Source

ServiceNow Zurich Documentation - Capability Framework

Expert Explanation

The Capability Framework introduces an abstraction layer for security operations. Abstract Actions let playbook designers define what needs to happen (isolate a host, scan a file) without specifying which vendor tool performs the action. At runtime, the framework inspects the CI and routes the action to the appropriate integration. This makes playbooks portable and vendor-neutral.

Why the Others Are Wrong

A confuses the framework with a development environment feature. C inverts its purpose since the framework enables smooth integration, not restriction. D describes the manual process that Abstract Actions were specifically created to replace.

Memory Tip

Think "abstract" like an abstract class in programming: it defines the interface (Isolate Host) and lets the concrete implementation (CrowdStrike, Defender) handle the details at runtime.

Real-World Example

Your playbook has an "Isolate Host" step. A compromised laptop running CrowdStrike triggers the CrowdStrike isolation API. A compromised server running Microsoft Defender triggers the Defender isolation API. Same playbook, different tools, zero manual selection by the analyst.

4.The Executive Status Report in Major Security Incident Management is primarily designed to:

AProvide a technical log of all API calls.
BGenerate a non-technical high-level summary of the incidents impact status and financial cost for stakeholders.
CAssign tasks to junior analysts.
DReplace the Post Incident Review.

Show full explanation

Correct Answer

B - Generate a non-technical, high-level summary of the incident's impact, status, and financial cost for stakeholders.

Source

ServiceNow Zurich Documentation - Major Security Incident Management

Expert Explanation

During a major security incident, leadership needs clear, concise updates without technical jargon. The Executive Status Report is purpose-built for this communication need. It pulls together impact data, current containment status, and estimated financial exposure into a format suitable for C-suite executives and board members.

Why the Others Are Wrong

A describes system-level logging, which is a technical function unrelated to executive communication. C describes operational workflow, not reporting. D confuses two distinct processes since the PIR is a post-closure activity while the Executive Status Report is used during active incidents.

Memory Tip

"Executive" is the key word. Executives want business impact and cost, not packet captures and API logs. The report matches its audience.

Real-World Example

A ransomware attack hits your organization. The CISO needs to brief the board in 30 minutes. The Executive Status Report provides a ready-made summary showing: 200 endpoints affected, containment at 80%, estimated recovery cost of $2.5M, and current status of law enforcement engagement.

5.In the Security Incident Response Workspace which tab allows an analyst to view and execute automated playbooks and workflows associated with the incident-

AThe Activity Stream
BThe Playbook tab / Contextual Side Panel
CThe Related Lists tab
DThe Business Intelligence tab

Show full explanation

Correct Answer

B - The Playbook tab / Contextual Side Panel

Source

ServiceNow Zurich Documentation - Security Incident Response Workspace

Expert Explanation

The SIR Workspace is designed for analyst efficiency. The Playbook tab and Contextual Side Panel serve as the automation hub where analysts can view which playbooks are attached to an incident, trigger new playbook runs, monitor execution progress, and complete User Form activities that require human input. This centralizes automation control within the incident context.

Why the Others Are Wrong

A is for communication and history tracking, not automation. C shows related data records but has no playbook controls. D does not exist as a standard SIR Workspace tab.

Memory Tip

Playbooks live in the Playbook tab. The name is intentionally straightforward so analysts can find automation controls quickly during high-pressure incidents.

Real-World Example

An analyst opens a phishing incident in the SIR Workspace. They click the Playbook tab, see the "Phishing Triage" playbook is already running, check its progress, then launch a second playbook called "Email Header Analysis" directly from the same panel without leaving the incident record.

6.If a Security Incident is created from a Security Alert which feature ensures that subsequent updates to the Alert (such as additional evidence) are automatically reflected in the existing Security Incident rather than creating a duplicate-

AAlert Aggregation Rule
BAlert Update Rule
CIncident Deduplication
DAlert Management Rule (Updates on Open Alert)

Show full explanation

Correct Answer

D - Alert Management Rule (Updates on Open Alert)

Source

ServiceNow Zurich Documentation - Alert Management Rules

Expert Explanation

Alert Management Rules govern the lifecycle relationship between Security Alerts and Security Incidents. The "Updates on Open Alert" variant specifically handles the scenario where a SIEM or detection tool sends updated information for an alert that has already been promoted to an incident. Instead of creating a new incident, the rule routes the fresh evidence into the existing one, keeping all context in a single place.

Why the Others Are Wrong

A handles alert-to-alert grouping before incident creation, not post-creation updates. B is not a real ServiceNow feature name. C prevents duplicate incidents but does not manage the update flow from alerts to incidents.

Memory Tip

Focus on the phrase "Updates on Open Alert" - it literally describes what happens: when an open alert gets updates, those updates propagate to the linked incident.

Real-World Example

Your SIEM sends an alert about a suspicious login. An incident is created. Ten minutes later, the SIEM detects the same attacker accessing a second system and updates the alert. The Alert Management Rule (Updates on Open Alert) automatically adds the new evidence to the existing incident instead of spawning a duplicate.

7.Which dashboard is specifically designed to give the CISO a high-level view of the organizations security posture including Mean Time to Detect MTTD and Mean Time to Contain MTTC trends-

ASecurity Analyst Overview
BCISO Dashboard
CSecurity Operations Efficiency
DVulnerability Remediation Dashboard

Show full explanation

Correct Answer

B - CISO Dashboard

Source

ServiceNow Zurich Documentation - SIR Dashboards

Expert Explanation

ServiceNow SIR includes role-specific dashboards. The CISO Dashboard is tailored for executive security leadership, aggregating key metrics like MTTD and MTTC trends, open incident counts by severity, and compliance posture into a single high-level view. This allows the CISO to assess organizational security health at a glance without drilling into individual cases.

Why the Others Are Wrong

A targets analyst-level daily operations. C focuses on SOC team efficiency metrics. D is limited to the vulnerability management domain and does not cover incident response KPIs.

Memory Tip

CISO wants the CISO Dashboard. The naming convention in ServiceNow SIR directly matches the target audience for each dashboard.

Real-World Example

Before a quarterly board meeting, the CISO opens the CISO Dashboard to see that MTTD has dropped from 4.2 hours to 2.8 hours over the past quarter, and MTTC improved by 15%. These are the exact metrics the board expects to see in the security update presentation.

8.A Post Incident Review can contain which of the following- (Choose three.) (choose 3)

APost incident questionnaires
BAn audit trail
CKey incident fields
DAttachments associated with the security incident
EPerformance Analytics reports

Show full explanation

Correct Answer

A, B, C - Post incident questionnaires, An audit trail, Key incident fields

Source

ServiceNow Zurich Documentation - Post Incident Review

Expert Explanation

The Post Incident Review in SIR is a structured after-action process. It automatically pulls in key incident fields for context, preserves the audit trail showing all actions taken during the incident, and presents configurable questionnaires to guide the review team through a thorough assessment of the response. Together, these three components create a comprehensive lessons-learned document.

Why the Others Are Wrong

D (Attachments) belong to the security incident record, not the PIR structure. E (Performance Analytics reports) are standalone analytical tools that can consume PIR data but are not embedded within the review itself.

Memory Tip

PIR has three pillars: Questions (questionnaires), History (audit trail), and Facts (key fields). Q-H-F helps you remember what lives inside a Post Incident Review.

Real-World Example

After resolving a data breach, the security manager opens the PIR. They see the incident timeline and key fields auto-populated, review the audit trail showing each analyst action, and then work through a questionnaire asking "Was the escalation path followed-" and "Were containment SLAs met-" to produce a formal lessons-learned report.

9.In a Security Incident Playbook what is the function of a User Form activity-

ATo display a read-only message.
BTo pause the automation and require the analyst to input specific data or make a decision before the playbook proceeds.
CTo create a new user account in sys_user.
DTo send an email to the affected user.

Show full explanation

Correct Answer

B - To pause the automation and require the analyst to input specific data or make a decision before the playbook proceeds.

Source

ServiceNow Zurich Documentation - Security Incident Playbooks

Expert Explanation

Playbooks automate security response workflows, but certain steps require human judgment. The User Form activity is the mechanism that bridges automation and human decision-making. When a playbook reaches a User Form, it pauses execution and presents a configurable form to the assigned analyst. Only after the analyst submits the required input does the playbook resume its automated flow.

Why the Others Are Wrong

A describes a passive display, but User Forms require active input. C describes an identity management function unrelated to playbooks. D describes an email notification activity, which is a different playbook component.

Memory Tip

"User Form" means the user fills out a form. It is the human-in-the-loop checkpoint where automation waits for a person to act.

Real-World Example

A malware containment playbook reaches the "Approve Host Isolation" step. A User Form appears asking the analyst to confirm the hostname, verify business impact, and select "Approve Isolation" or "Escalate to Manager." The playbook waits until the analyst submits this form before executing the isolation action.

10.For Customers who don't use 3rd-party systems what ways can security incidents be created- (Choose three.) (choose 3)

ASecurity Service Catalog
BSecurity Incident Form
CInbound Email Parsing Rules
DLeveraging an Integration
EAlert Management

Show full explanation

Correct Answer

A, B, C - Security Service Catalog, Security Incident Form, Inbound Email Parsing Rules

Source

ServiceNow Zurich Documentation - Creating Security Incidents

Expert Explanation

ServiceNow SIR provides multiple native methods for creating security incidents without relying on external tools. The Service Catalog offers a self-service portal for end users. The Security Incident Form gives analysts direct record creation. Inbound Email Parsing Rules automate incident creation from email reports. All three methods operate entirely within the ServiceNow platform.

Why the Others Are Wrong

D explicitly requires third-party system connectivity, which contradicts the question premise. E depends on alerts from external detection tools (SIEMs, endpoint solutions), which also requires third-party systems.

Memory Tip

Think "no external tools" and remember the three native channels: Portal (catalog), Form (manual), and Email (parsing). P-F-E are all built into ServiceNow without needing anything else.

Real-World Example

A small company without a SIEM uses all three methods: employees report phishing via the Security Service Catalog, SOC analysts create incidents manually through the form when they spot something suspicious, and the team email security@company.com is configured with parsing rules to auto-generate incidents from employee reports.

11.Runbooks are used to create a relationship between what components- (Choose two.) (choose 2)

AEvents
BSecurity Incident Response Task
CPlaybook Task
DAlerts
EWorkflow Trigger
FKnowledge article

Show full explanation

Correct Answer

B, F - Security Incident Response Task, Knowledge article

Source

ServiceNow Zurich Documentation - Runbooks

Expert Explanation

Runbooks in ServiceNow SIR bridge documentation and execution. They create a relationship between Security Incident Response Tasks (the work being done) and Knowledge Articles (the procedures describing how to do it). When an analyst picks up a SIR task, the linked Runbook provides the documented procedure from the knowledge base, ensuring consistent and repeatable response actions.

Why the Others Are Wrong

A (Events) are raw data inputs, not task-level components. C (Playbook Tasks) belong to the automated playbook engine, not manual Runbooks. D (Alerts) feed into incident creation upstream of task execution. E (Workflow Triggers) are automation engine components unrelated to procedural documentation.

Memory Tip

A Runbook is a "run this book of instructions" for a task. It connects the Task (what to do) with the Knowledge Article (how to do it).

Real-World Example

An analyst receives a SIR task called "Contain Compromised Endpoint." They open the linked Runbook, which pulls up a Knowledge Article with step-by-step instructions: verify the hostname, check active network connections, initiate host isolation, and document findings. The Runbook ensures every analyst follows the same containment procedure.

12.Regarding the "Analyze" phase of a Security Incident which feature allows an analyst to automatically check an observable (like a file hash) against multiple Threat Intelligence feeds (like VirusTotal and Palo Alto) simultaneously-

AObservable Enforcement
BThreat Lookup
CTrusted Security Circles
DVulnerability Scanners

Show full explanation

Correct Answer

B - Threat Lookup

Source

ServiceNow Zurich Documentation - Threat Lookup

Expert Explanation

During the Analyze phase of a security incident, analysts need to quickly determine whether an observable is malicious. Threat Lookup provides a one-click mechanism to query multiple Threat Intelligence feeds simultaneously. An analyst submits a file hash, IP, or domain, and the system fans out requests to all configured TI sources, returning a consolidated report showing each source's verdict and enrichment data.

Why the Others Are Wrong

A (Observable Enforcement) takes action on observables but does not query threat feeds. C (Trusted Security Circles) is for inter-organizational threat sharing, not individual lookups. D (Vulnerability Scanners) belongs to a different security domain entirely.

Memory Tip

"Threat Lookup" does exactly what the name says: you look up a threat indicator across all your intelligence sources at once. When you hear "check an observable against feeds," think Threat Lookup.

Real-World Example

An analyst finds a suspicious file hash in a phishing email attachment. They right-click the observable and select Threat Lookup. Within seconds, VirusTotal reports 42/68 detections, Palo Alto classifies it as a known Emotet variant, and the analyst has enough evidence to escalate the incident to containment without manually checking each feed.

13.When mapping MITRE ATT&CK data to a Security Incident which two fields are primarily populated to describe the adversary's behavior- (Choose two.) (choose 2)

ATactic
BSeverity
CTechnique
DVector

Show full explanation

Correct Answer

A, C - Tactic and Technique

Source

ServiceNow Zurich Documentation - MITRE ATT&CK Integration

Expert Explanation

The MITRE ATT&CK framework uses a Tactic-Technique hierarchy to categorize adversary behavior. When mapping ATT&CK data to a Security Incident in ServiceNow, the two primary fields are Tactic (the strategic goal, like "Credential Access") and Technique (the specific method, like "Brute Force"). Together they describe both why the attacker is doing something and how they are doing it.

Why the Others Are Wrong

B (Severity) is an incident impact rating unrelated to ATT&CK behavioral classification. D (Vector) describes the attack entry point, which is a different classification concept from the ATT&CK Tactic-Technique pairing.

Memory Tip

MITRE ATT&CK is built on TT: Tactics and Techniques. Tactic = the goal (why), Technique = the method (how). Two T's for two fields.

Real-World Example

An analyst maps a credential-stealing attack: Tactic is set to "Credential Access" (the adversary wants credentials) and Technique is set to "OS Credential Dumping" (they used Mimikatz to dump LSASS). This mapping lets the SOC correlate this incident with other attacks using the same TTPs across the organization.

14.Why is it important that the Platform (System) Administrator and the Security Incident administrator role be separated- (Choose three.) (choose 3)

AAccess to security incident data may need to be restricted
BAllow SIR Teams to control assignment of security roles
CClear separation of duty
DReduce the number of incidents assigned to the Platform Admin
EPreserve the security image in the company

Show full explanation

Correct Answer

A, B, C - Access restriction, SIR team role control autonomy, Clear separation of duty

Source

ServiceNow Zurich Documentation - SIR Roles and Administration

Expert Explanation

Separating the Platform Administrator and SIR Administrator roles is a security governance best practice rooted in three principles. First, security incident data often contains extremely sensitive information that must be restricted. Second, the SIR team needs autonomous control over who holds security roles. Third, separation of duty prevents any single role from having both platform control and access to security investigation data.

Why the Others Are Wrong

D frames role separation as a workload management issue, which misses the security governance rationale entirely. E is about organizational image rather than the concrete access control and compliance requirements that drive role separation.

Memory Tip

Remember the three pillars: Restrict (access to sensitive data), Control (SIR team manages its own roles), and Separate (clear duty boundaries). R-C-S covers the three correct answers.

Real-World Example

The platform admin needs to update ServiceNow system properties and manage upgrade schedules. The SIR admin investigates a data breach involving an executive. If both roles were combined, the platform admin could view sensitive investigation details about leadership, violating least privilege and duty separation principles.

15.What is the purpose of Security Tag Categories-

ATo color-code the tags.
BTo restrict which roles can see or apply specific groups of tags e.g. separating Compliance tags from Investigation tags.
CTo determine the weight of the tag in the Risk Score.
DTo auto-close incidents.

Show full explanation

Correct Answer

B - To restrict which roles can see or apply specific groups of tags, separating them by function (e.g., Compliance tags vs. Investigation tags).

Source

ServiceNow Zurich Documentation - Security Tags

Expert Explanation

As the number of Security Tags grows, managing them as a flat list becomes impractical. Security Tag Categories solve this by grouping tags into functional categories and controlling role-based access at the category level. For example, tags in the "Compliance" category might be visible only to compliance officers, while "Investigation" tags are restricted to SOC analysts. This keeps each team focused on relevant tags.

Why the Others Are Wrong

A confuses categories with visual formatting. C attributes scoring influence to categories, which is handled by a different configuration. D suggests lifecycle management capabilities that categories do not have.

Memory Tip

Think of Tag Categories like file folders with permissions. The category groups similar tags together (the folder) and controls who can access them (the permissions). Organization plus access control in one feature.

Real-World Example

Your organization has 50 security tags. The compliance team needs tags like "PCI-DSS," "HIPAA," and "SOX" but should not see investigation tags like "APT," "Insider Threat," or "Active Exploitation." By placing each set in its own Security Tag Category with role restrictions, each team sees only the tags relevant to their work.

CIS Security Incident Response - ServiceNow Practice Test 2026

What's included

15 Free Preview Questions

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip