When we focus on topics related to ServiceNow Security Operations, including Security Incident Response, Threat Intelligence, and best practices, many interview questions come to mind. Here is a sample set of questions based on general knowledge of these topics, aligned with ServiceNow's broader Security Operations functionality. These questions give a comprehensive assessment of a candidate's knowledge of Security Incident Response as part of Security Operations best practices.
ServiceNow Security Incident Response (SIR) interview questions and answers:
What is the primary function of the Security Incident Response module in ServiceNow?
- a) Incident logging and asset tagging
- b) Managing and responding to security incidents
- c) General IT issue resolution
- d) Data retention for compliance
- Answer: b) Managing and responding to security incidents
Which component in Security Incident Response enables automated investigation actions?
- a) Response Workflows
- b) Playbooks
- c) Threat Feeds
- d) Security Connectors
- Answer: b) Playbooks
What status is typically assigned to a security incident when the initial analysis is complete?
- a) Resolved
- b) Closed
- c) Under Review
- d) Containment Complete
- Answer: d) Containment Complete
Which field helps in calculating the priority of a security incident?
- a) Impact and Urgency
- b) User Role
- c) Incident ID
- d) Threat Type
- Answer: a) Impact and Urgency
Which of the following is a recommended best practice in managing security incidents?
- a) Always close incidents after containment
- b) Prioritize incidents based on user requests
- c) Use playbooks for standardized response processes
- d) Assign all incidents to a single response team
- Answer: c) Use playbooks for standardized response processes
Threat Intelligence
What is the main purpose of Threat Intelligence in ServiceNow Security Operations?
- a) To identify security weaknesses
- b) To provide structured threat data for analysis and incident response
- c) To automate user access reviews
- d) To manage compliance requirements
- Answer: b) To provide structured threat data for analysis and incident response
Which data format is commonly used by ServiceNow Threat Intelligence to share information?
- a) XML
- b) CSV
- c) STIX/TAXII
- d) JSON
- Answer: c) STIX/TAXII
Which plugin must be enabled to use Threat Intelligence in ServiceNow?
- a) Security Operations Core
- b) Threat Core Plugin
- c) Threat Intelligence Plugin
- d) Risk Management Plugin
- Answer: c) Threat Intelligence Plugin
What is the function of Threat Intelligence enrichment in security incidents?
- a) To close incidents faster
- b) To enhance incident data with threat context
- c) To manage user permissions
- d) To escalate non-critical incidents
- Answer: b) To enhance incident data with threat context
Which ServiceNow module is integrated with Threat Intelligence to leverage automated threat analysis?
- a) Change Management
- b) Vulnerability Response
- c) Knowledge Management
- d) Asset Management
- Answer: b) Vulnerability Response
Security Operations Best Practices
What is a best practice for maintaining data quality in Security Operations?
- a) Allow unrestricted data access
- b) Regularly update threat intelligence feeds
- c) Use manual entry for all incidents
- d) Avoid using automated workflows
- Answer: b) Regularly update threat intelligence feeds
Which ServiceNow component helps prioritize incident handling based on risk?
- a) SLA Management
- b) Risk Scoring Model
- c) Incident Urgency Tracker
- d) Asset Management
- Answer: b) Risk Scoring Model
What is the recommended approach to handling false positive alerts in Security Incident Response?
- a) Automatically close all false positives
- b) Use rules to filter and suppress known false positives
- c) Ignore all low-priority incidents
- d) Escalate false positives for additional review
- Answer: b) Use rules to filter and suppress known false positives
Which feature in Security Operations can help measure the effectiveness of response activities?
- a) Incident Closure Rate
- b) Playbook Efficiency
- c) Mean Time to Resolution (MTTR)
- d) Threat Feed Reliability
- Answer: c) Mean Time to Resolution (MTTR)
What role is typically responsible for configuring security operations properties in ServiceNow?
- a) Security Analyst
- b) System Administrator
- c) Incident Manager
- d) Security Operations Administrator
- Answer: d) Security Operations Administrator
Security Incident Response Roles and Responsibilities
Which role is primarily responsible for managing and responding to security incidents in ServiceNow?
- a) Incident Coordinator
- b) Security Analyst
- c) System Administrator
- d) Response Manager
- Answer: b) Security Analyst
Who typically has the authority to close a security incident?
- a) Incident Owner
- b) Security Incident Manager
- c) System Administrator
- d) Any Security Analyst
- Answer: b) Security Incident Manager
What is the purpose of the Security Incident Response "Owner" field in ServiceNow?
- a) To specify the user responsible for remediation
- b) To define access permissions for the incident
- c) To assign users to monitor incidents
- d) To escalate incidents automatically
- Answer: a) To specify the user responsible for remediation
Security Incident Lifecycle
What is typically the first stage in the Security Incident Response process?
- a) Containment
- b) Identification
- c) Recovery
- d) Resolution
- Answer: b) Identification
What action should follow the containment of a security incident?
- a) Recovery
- b) Resolution
- c) Analysis
- d) Eradication
- Answer: d) Eradication
During which stage of Security Incident Response is the root cause analysis performed?
- a) Identification
- b) Containment
- c) Recovery
- d) Eradication
- Answer: d) Eradication
Which incident status indicates that analysis and containment actions are underway?
- a) Initial Response
- b) Under Investigation
- c) Resolved
- d) Closed
- Answer: b) Under Investigation
Security Incident Prioritization and Categorization
Which two fields are critical in determining the priority of a security incident?
- a) Urgency and Impact
- b) Source and Assignment
- c) Category and Subcategory
- d) Owner and Location
- Answer: a) Urgency and Impact
What field is used to categorize security incidents into specific types, such as malware or phishing?
- a) Impact
- b) Threat Category
- c) Incident Source
- d) Assignment Group
- Answer: b) Threat Category
Which of the following is a common best practice for prioritizing high-severity incidents?
- a) Assign them to a lower priority team
- b) Limit alerts to high-level stakeholders
- c) Use automated workflows for immediate escalation
- d) Ignore unless affecting critical assets
- Answer: c) Use automated workflows for immediate escalation
Security Incident Response Playbooks and Workflows
What is the main purpose of a Security Incident Response playbook in ServiceNow?
- a) Automate the remediation of incidents
- b) Provide step-by-step guidance for responding to specific types of incidents
- c) Monitor incident activity
- d) Assign incidents to the right personnel
- Answer: b) Provide step-by-step guidance for responding to specific types of incidents
Which feature in ServiceNow enables automated actions in response to specific triggers during incident handling?
- a) Workflows
- b) Assignment Rules
- c) Response Actions
- d) Playbook Triggers
- Answer: a) Workflows
What should be the primary action if a security incident playbook is not applicable to an incident type?
- a) Escalate the incident
- b) Close the incident
- c) Perform a manual analysis
- d) Defer the incident until applicable
- Answer: c) Perform a manual analysis
Security Incident Response Reporting and Metrics
Which metric is used to measure the average time taken to fully resolve a security incident?
- a) Mean Time to Respond (MTTR)
- b) Mean Time to Recover
- c) Time to Containment
- d) Incident Duration Score
- Answer: a) Mean Time to Respond (MTTR)
What is the purpose of the ‘Open Security Incidents by Severity’ report?
- a) To analyze root causes of incidents
- b) To categorize incidents based on urgency
- c) To display all active incidents by severity level
- d) To show closed incidents by type
- Answer: c) To display all active incidents by severity level
Which metric tracks the effectiveness of a team in containing security incidents?
- a) Incident Containment Time
- b) Incident Recovery Score
- c) Resolution Efficiency
- d) First Contact Resolution
- Answer: a) Incident Containment Time
What is a key indicator that a security incident is well-managed in ServiceNow?
- a) It’s closed within the SLA
- b) It has been escalated multiple times
- c) All team members are assigned to it
- d) It remains open for further analysis
- Answer: a) It’s closed within the SLA
System Properties and Configuration in Security Incident Response
Which property allows configuration of the default assignment group for new security incidents?
- a) sn_sec.default_assignment_group
- b) sn_sir.incident_assignment_group
- c) sn_sir.default_group
- d) sn_sir.assignment.default
- Answer: b) sn_sir.incident_assignment_group
What property should be adjusted to increase the notification frequency for high-severity incidents?
- a) sn_sir.high_severity_notify_frequency
- b) sn_sir.notification_high_severity
- c) sn_sir.severity_alert_frequency
- d) sn_sir.alert_freq_high
- Answer: a) sn_sir.high_severity_notify_frequency
To enforce automated escalation of unaddressed security incidents, which setting should be configured?
- a) sn_sir.auto_escalation_enabled
- b) sn_sec.enable_auto_escalation
- c) sn_sir.escalation_threshold
- d) sn_sec.default_escalation
- Answer: b) sn_sec.enable_auto_escalation
Advanced Security Incident Prioritization
What ServiceNow feature allows prioritization of incidents based on asset criticality?
- a) Risk Calculator
- b) Asset Management
- c) Business Impact Analysis
- d) Criticality-based SLA
- Answer: a) Risk Calculator
Which of the following fields best helps prioritize incidents based on potential organizational impact?
- a) Category
- b) Impact
- c) Assignment Group
- d) Incident Cost
- Answer: b) Impact
How does ServiceNow use urgency and impact to determine the priority of a security incident?
- a) By assigning a numerical score to each incident
- b) Through automatic escalation rules
- c) Based on incident age and status
- d) By mapping urgency and impact values on a priority matrix
- Answer: d) By mapping urgency and impact values on a priority matrix
What is the primary use of assignment groups in prioritizing security incidents?
- a) To define which teams handle specific types of incidents
- b) To escalate incidents automatically
- c) To assess incident resolution times
- d) To categorize incidents based on severity
- Answer: a) To define which teams handle specific types of incidents
Automation and Playbook Actions in Security Incident Response
Which component of a playbook defines specific steps or tasks for handling an incident type?
- a) Response Template
- b) Workflow Engine
- c) Playbook Action Steps
- d) Incident Routing
- Answer: c) Playbook Action Steps
What ServiceNow feature enables automated response actions when an incident reaches a certain severity?
- a) Security Incident Workflows
- b) Severity Triggered Automation
- c) Escalation Rules
- d) Security Alerts Dashboard
- Answer: a) Security Incident Workflows
How can a Security Incident Response playbook be used to contain a phishing incident automatically?
- a) By defining a containment action that blocks the sender
- b) By enabling the Auto-block feature
- c) By setting up a rule to delete all related emails
- d) By escalating the incident to a high-severity level
- Answer: a) By defining a containment action that blocks the sender
What action can ServiceNow take automatically if a high-severity security incident remains open past a set threshold?
- a) Decrease the incident severity
- b) Send reminder notifications
- c) Escalate the incident to a higher priority
- d) Assign the incident to a different response team
- Answer: c) Escalate the incident to a higher priority
Security Incident Response Integrations
What type of integration is typically used to import data from external security tools into Security Incident Response?
- a) Webhook-based Integration
- b) API-based Integration
- c) Email Integration
- d) FTP-based Data Sync
- Answer: b) API-based Integration
Which integration method allows ServiceNow to communicate real-time alerts to third-party SIEM (Security Information and Event Management) systems?
- a) API Integration
- b) Webhook Integration
- c) Email Connector
- d) Data Synchronization Protocol
- Answer: b) Webhook Integration
Which integration enhances Security Incident Response by correlating incidents with threat intelligence data?
- a) Threat Intelligence Plugin
- b) Configuration Compliance
- c) Asset Management Integration
- d) Security Compliance Hub
- Answer: a) Threat Intelligence Plugin
What is the function of the Security Incident Correlation feature in ServiceNow?
- a) Group related incidents based on shared attributes
- b) Calculate the priority based on incident frequency
- c) Automate the response for recurring incidents
- d) Create detailed reports on unrelated incidents
- Answer: a) Group related incidents based on shared attributes
Security Incident Reporting and Analytics
What report would you use to identify the types of security incidents occurring most frequently?
- a) Incident Frequency by Type
- b) Incident Source Summary
- c) Security Incident Trends
- d) Severity Analysis Report
- Answer: a) Incident Frequency by Type
Which metric in Security Incident Response helps monitor if incidents are being closed within SLA targets?
- a) SLA Compliance Rate
- b) Incident Response Efficiency
- c) Mean Time to Respond (MTTR)
- d) Incident Frequency Score
- Answer: a) SLA Compliance Rate
What is the purpose of the “Incident Volume by Source” report?
- a) To track incident counts by assignment group
- b) To categorize incidents based on their sources
- c) To monitor incident resolution speed
- d) To filter out redundant incidents
- Answer: b) To categorize incidents based on their sources
Which report would provide insight into how quickly security incidents are contained after detection?
- a) Incident Response Time Report
- b) Containment Time Analysis
- c) Resolution Time Summary
- d) Urgency-based Closure Report
- Answer: b) Containment Time Analysis
Incident Escalation and Response Protocols
Which ServiceNow feature is used to define escalation protocols for overdue security incidents?
- a) SLA Policies
- b) Incident Escalation Workflow
- c) Response Rule Set
- d) Escalation Protocol Manager
- Answer: a) SLA Policies
What is the purpose of incident escalation in Security Incident Response?
- a) To expedite the closure of low-priority incidents
- b) To ensure timely action on unresolved high-priority incidents
- c) To reassign incidents to different teams
- d) To decrease the incident urgency
- Answer: b) To ensure timely action on unresolved high-priority incidents
Which field in a security incident record is typically used to initiate an escalation?
- a) Escalation Status
- b) Priority
- c) Urgency
- d) SLA Compliance
- Answer: d) SLA Compliance
What is a best practice when setting up escalation thresholds for security incidents?
- a) Apply the same thresholds to all incidents
- b) Adjust thresholds based on incident priority and severity
- c) Ignore thresholds for high-priority incidents
- d) Use static thresholds for all incident types
- Answer: b) Adjust thresholds based on incident priority and severity
Security Incident Response Properties and Configurations
Which property determines if incident records should be locked after closure?
- a) sn_sir.lock_on_close
- b) sn_sir.record_lock_after_close
- c) sn_sec.close_incident_lock
- d) sn_sir.post_closure_lock
- Answer: a) sn_sir.lock_on_close
To automatically assign newly created incidents to specific groups based on criteria, which feature would you use?
- a) Incident Assignment Rules
- b) Incident Routing Profiles
- c) Assignment Rule Engine
- d) Response Assignment Manager
- Answer: a) Incident Assignment Rules
What is the function of the sn_sir.notify_on_severity_change property?
- a) Sends notifications when incident severity is updated
- b) Locks incident priority after severity is changed
- c) Assigns the incident to a new owner upon severity change
- d) Escalates incidents automatically
- Answer: a) Sends notifications when incident severity is updated
Which configuration property can be used to customize the maximum allowed time for incident containment?
- a) sn_sir.containment_threshold
- b) sn_sir.max_containment_duration
- c) sn_sir.containment_time_limit
- d) sn_sir.default_containment_time
- Answer: c) sn_sir.containment_time_limit
How can an administrator disable automated notifications for closed incidents?
- a) Set sn_sir.notifications_on_close to false
- b) Disable sn_sir.close_notification_alerts
- c) Use sn_sir.alert_on_close and set it to false
- d) Modify sn_sir.disable_close_notifications to true
- Answer: a) Set sn_sir.notifications_on_close to false
Incident Sources and Creation
Which of the following is a common source for creating security incidents in ServiceNow?
- a) Threat Intelligence Feeds
- b) User Access Logs
- c) Automated Compliance Checks
- d) All of the above
- Answer: d) All of the above
How can security incidents be automatically generated based on threat detection in ServiceNow?
- a) By configuring security incident sources
- b) Through manual entry by analysts
- c) By using threat enrichment rules
- d) By assigning incidents to a single team
- Answer: a) By configuring security incident sources
Which integration automatically generates incidents based on vulnerability scans in ServiceNow?
- a) Vulnerability Response
- b) Incident Management
- c) Threat Intelligence
- d) Event Management
- Answer: a) Vulnerability Response
What type of incident source is best for handling potential phishing incidents?
- a) Threat Intelligence
- b) SIEM (Security Information and Event Management)
- c) User Reports
- d) CMDB Data
- Answer: c) User Reports
SLA Management in Security Incident Response
What is the purpose of SLAs in Security Incident Response?
- a) To set response and resolution time targets for incidents
- b) To define incident escalation protocols
- c) To determine the severity of incidents
- d) To assign incidents to teams automatically
- Answer: a) To set response and resolution time targets for incidents
How can SLAs help improve the effectiveness of Security Incident Response?
- a) By automating low-priority incident responses
- b) By enforcing time-based response standards
- c) By limiting incidents to high-priority only
- d) By escalating all incidents equally
- Answer: b) By enforcing time-based response standards
Which metric is often tracked in SLAs to ensure timely response to incidents?
- a) Mean Time to Recovery
- b) Mean Time to Detect
- c) Response Time
- d) Incident Count
- Answer: c) Response Time
What is the function of a “breach time” in an SLA policy?
- a) It defines the time at which an SLA is breached if not met
- b) It signals that an incident should be closed
- c) It automatically lowers incident priority
- d) It locks the incident record
- Answer: a) It defines the time at which an SLA is breached if not met
What action might ServiceNow take if a high-priority security incident breaches its SLA?
- a) Escalate the incident to a higher severity
- b) Decrease the incident priority
- c) Close the incident automatically
- d) Transfer the incident to a new team
- Answer: a) Escalate the incident to a higher severity
Integrations with Other Modules
Which ServiceNow module helps identify misconfigurations that may lead to security incidents?
- a) Configuration Compliance
- b) Incident Management
- c) Threat Intelligence
- d) Change Management
- Answer: a) Configuration Compliance
How does integrating CMDB with Security Incident Response enhance incident handling?
- a) By allowing access to asset information for faster impact analysis
- b) By automating incident closure
- c) By limiting access to incident records
- d) By creating incidents directly from assets
- Answer: a) By allowing access to asset information for faster impact analysis
Which integration allows ServiceNow Security Incident Response to leverage real-time alerts from third-party tools?
- a) Event Management
- b) Asset Management
- c) Change Management
- d) Project Management
- Answer: a) Event Management
What is a benefit of integrating Vulnerability Response with Security Incident Response?
- a) Automatic generation of security incidents for detected vulnerabilities
- b) Instant closing of low-severity incidents
- c) Extended retention of incident logs
- d) User access limitation
- Answer: a) Automatic generation of security incidents for detected vulnerabilities
Incident Review and Post-Incident Analysis
What is a common purpose of post-incident analysis in Security Incident Response?
- a) To identify root causes and implement preventive measures
- b) To archive old incidents
- c) To assign all incidents to one team
- d) To ensure incidents are deleted periodically
- Answer: a) To identify root causes and implement preventive measures
What key metric is typically reviewed during a post-incident analysis?
- a) Response time vs SLA targets
- b) Average time users spent on resolution
- c) Incident title and description accuracy
- d) Number of notifications sent per incident
- Answer: a) Response time vs SLA targets
Which tool can be used to measure the effectiveness of containment actions in Security Incident Response?
- a) Containment Analysis Report
- b) SLA Dashboard
- c) Incident Containment Dashboard
- d) Mean Time to Containment (MTTC) metric
- Answer: d) Mean Time to Containment (MTTC) metric
What role does the “Lessons Learned” report play in the Security Incident Response process?
- a) Summarizes key takeaways from incidents to improve future response
- b) Archives old incidents
- c) Calculates average incident duration
- d) Removes incidents from the system
- Answer: a) Summarizes key takeaways from incidents to improve future response
What is the primary purpose of root cause analysis in security incidents?
- a) To determine the underlying cause and prevent recurrence
- b) To expedite incident resolution
- c) To escalate the incident
- d) To increase incident priority
- Answer: a) To determine the underlying cause and prevent recurrence
Incident Closure and Documentation
What is a recommended best practice for incident closure in Security Incident Response?
- a) Ensure all containment, eradication, and recovery steps are documented
- b) Only document containment actions
- c) Mark incidents as resolved without documentation
- d) Archive incident details immediately
- Answer: a) Ensure all containment, eradication, and recovery steps are documented
Why is it important to document response actions for each security incident?
- a) To create a historical record for audit purposes and future reference
- b) To assign the incident to multiple teams
- c) To expedite closure without follow-up
- d) To reduce incident priority
- Answer: a) To create a historical record for audit purposes and future reference
Which field should be updated to reflect the final resolution of an incident?
- a) Resolution Code
- b) Assignment Group
- c) Priority
- d) Escalation Status
- Answer: a) Resolution Code
How does ServiceNow handle security incidents that are incorrectly marked as closed?
- a) The incidents are re-opened if additional issues are identified
- b) They are deleted automatically
- c) They are sent to a queue for re-evaluation
- d) They remain locked and archived
- Answer: a) The incidents are re-opened if additional issues are identified
Security Incident Trends and Reporting
Which report provides a historical view of incident counts by severity over time?
- a) Incident Trends by Severity
- b) Severity Impact Analysis
- c) Incident Aging Report
- d) SLA Trends Dashboard
- Answer: a) Incident Trends by Severity
What is the purpose of the “Incident Aging” report?
- a) To identify incidents that have been open for an extended period
- b) To count incidents by their severity
- c) To list incidents by source
- d) To categorize incidents by priority
- Answer: a) To identify incidents that have been open for an extended period
Which report would be best to assess the effectiveness of escalation protocols for security incidents?
- a) Escalation Efficiency Report
- b) SLA Breach Analysis
- c) Mean Time to Escalate
- d) Resolution Efficiency Report
- Answer: c) Mean Time to Escalate
What does the “Incident Resolution Efficiency” metric measure in Security Incident Response?
- a) The effectiveness of response actions in resolving incidents
- b) The average containment duration
- c) Total incidents assigned per team
- d) The accuracy of incident categorization
- Answer: a) The effectiveness of response actions in resolving incidents
Incident Resolution Workflows and Actions
What is the main benefit of using workflows in Security Incident Response?
- a) Automatically close all incidents
- b) Ensure a structured and consistent response process for incidents
- c) Reduce the number of required security analysts
- d) Assign incidents based on random distribution
- Answer: b) Ensure a structured and consistent response process for incidents
What workflow step typically follows “Eradication” in an incident response process?
- a) Containment
- b) Recovery
- c) Initial Response
- d) Closure
- Answer: b) Recovery
Which of the following tasks is essential during the "Recovery" phase of Security Incident Response?
- a) Blocking unauthorized IPs
- b) Ensuring systems are safe to bring back into operation
- c) Performing threat assessments
- d) Creating new playbooks
- Answer: b) Ensuring systems are safe to bring back into operation
What is the primary purpose of incident resolution actions?
- a) To automate incident closure
- b) To execute specific steps to remediate the security incident
- c) To escalate incidents automatically
- d) To generate new threat reports
- Answer: b) To execute specific steps to remediate the security incident
Which feature in workflows enables automatic notifications to teams or stakeholders when an incident changes status?
- a) SLA Notifications
- b) Escalation Rules
- c) Response Actions
- d) Workflow Notifications
- Answer: d) Workflow Notifications
Data Privacy and Security
Which field should be used to track sensitive information associated with security incidents?
- a) Confidential Notes
- b) Restricted Comments
- c) Secure Info Tracker
- d) Sensitive Data Log
- Answer: b) Restricted Comments
What feature in ServiceNow helps restrict access to high-sensitivity incidents?
- a) Security Incident Access Control
- b) Role-based Access Restrictions
- c) Confidential Incident Mode
- d) Incident Privacy Protocol
- Answer: b) Role-based Access Restrictions
How can ServiceNow administrators ensure that sensitive security incidents are only accessible by specific roles?
- a) Configure assignment rules
- b) Use role-based access controls (RBAC) to restrict visibility
- c) Automatically assign all incidents to security teams
- d) Assign all users read-only access
- Answer: b) Use role-based access controls (RBAC) to restrict visibility
Which of the following actions is crucial for maintaining compliance when documenting security incidents?
- a) Log all activities without details
- b) Limit documentation to the response actions only
- c) Avoid storing sensitive information in incident records
- d) Use confidential data fields to protect sensitive information
- Answer: d) Use confidential data fields to protect sensitive information
Reporting Customization and Dashboard Creation
What is a primary benefit of creating customized dashboards in Security Incident Response?
- a) To display only closed incidents
- b) To visualize specific metrics and KPIs tailored to organizational needs
- c) To limit access to certain users
- d) To increase the SLA times for incident responses
- Answer: b) To visualize specific metrics and KPIs tailored to organizational needs
Which type of chart best helps visualize the distribution of incidents by priority level?
- a) Heat Map
- b) Pie Chart
- c) Scatter Plot
- d) Line Graph
- Answer: b) Pie Chart
What feature allows users to add filters to reports for real-time insights on specific incident types?
- a) Report Filters
- b) Dynamic Dashboard Controls
- c) Filter Settings
- d) Incident Sort Options
- Answer: a) Report Filters
Which dashboard component displays the average time taken to resolve security incidents?
- a) Incident Resolution Time Widget
- b) Mean Time to Resolution (MTTR) Widget
- c) SLA Compliance Chart
- d) Incident Aging Report
- Answer: b) Mean Time to Resolution (MTTR) Widget
How can administrators create a view that shows only high-severity, open incidents?
- a) Configure a high-severity filter on the dashboard
- b) Use the Incident Management Module
- c) Create a static report for critical incidents
- d) Enable severity view mode
- Answer: a) Configure a high-severity filter on the dashboard
Real-Time Monitoring and Incident Notifications
What ServiceNow feature helps monitor security incidents in real-time?
- a) Real-Time Alert Dashboard
- b) Incident Management Live Feed
- c) Security Incident Response Dashboard
- d) Threat Intelligence Alerts
- Answer: c) Security Incident Response Dashboard
Which feature allows administrators to set up real-time alerts for high-priority incidents?
- a) SLA Notification Alerts
- b) Real-Time Incident Alerts
- c) High-Priority Incident Monitoring
- d) Priority Notification Triggers
- Answer: b) Real-Time Incident Alerts
How can you configure ServiceNow to notify stakeholders when a critical incident is created?
- a) Set up notification rules on the SLA engine
- b) Use notification triggers on incident creation for critical incidents
- c) Create a report and manually distribute it
- d) Configure email notifications for all incidents
- Answer: b) Use notification triggers on incident creation for critical incidents
Which tool in Security Incident Response can automate alerts when an incident status is updated?
- a) Incident Status Tracker
- b) Event Management Integration
- c) Notification Trigger Rules
- d) Live Status Feeds
- Answer: c) Notification Trigger Rules
What should be configured to automatically alert teams if an incident is unresolved beyond a certain time frame?
- a) SLA Breach Notifications
- b) High-Severity Incident Alerts
- c) Resolution Warning Dashboard
- d) Escalation Rules
- Answer: a) SLA Breach Notifications
Advanced SLA and KPI Monitoring
Which KPI helps measure the efficiency of initial response in Security Incident Response?
- a) First Response Time (FRT)
- b) Mean Time to Recovery (MTTR)
- c) Incident Containment Rate
- d) Incident Resolution Frequency
- Answer: a) First Response Time (FRT)
What does the “Mean Time to Recover” (MTTR) KPI track in incident response?
- a) Time to initial detection
- b) Average time to fully recover from an incident
- c) Number of incidents per day
- d) Time between incident discovery and resolution
- Answer: b) Average time to fully recover from an incident
Which KPI could indicate that incidents are being addressed promptly within SLA targets?
- a) SLA Compliance Rate
- b) Incident Escalation Score
- c) Average Containment Time
- d) Incident Duration
- Answer: a) SLA Compliance Rate
How does ServiceNow calculate the “Average Time to Resolve” KPI?
- a) By averaging the time taken to close each incident
- b) By the time incidents remain open after escalation
- c) Based on containment and eradication times only
- d) Using the first detection timestamp
- Answer: a) By averaging the time taken to close each incident
What does a high SLA Compliance Rate indicate in Security Incident Response?
- a) Incidents are resolved without escalations
- b) Incidents are being resolved within established timeframes
- c) Incidents are resolved after multiple escalations
- d) Incidents are not prioritized properly
- Answer: b) Incidents are being resolved within established timeframes