Free CIS-SIR Sample Questions — Certified Implementation Specialist - Security Incident Response

Free CIS-SIR sample questions for the Certified Implementation Specialist - Security Incident Response exam. No account required: study at your own pace.


Question 1

What specific role is required in order to use the REST API Explorer?

  • A. admin
  • B. sn_si.admin
  • C. rest_api_explorer
  • D. security_admin
Correct Answer: C. rest_api_explorer

Question 2

Which of the following tag classifications are provided in the baseline? (Choose three.)

  • A. Traffic Light Protocol
  • B. Block from Sharing
  • C. IoC Type
  • D. Severity
  • E. Cyber Kill Chain Step
  • F. Escalation Level
  • G. Enrichment whitelist/blacklist
Correct Answer:
  • A. Traffic Light Protocol
  • B. Block from Sharing
  • G. Enrichment whitelist/blacklist

Question 3

Which of the following process definitions allows only single-step progress through the defined process, without step skipping?

  • A. SANS Stateful
  • B. NIST Stateful
  • C. SANS Open
  • D. NIST Open
Correct Answer: B. NIST Stateful

Question 4

When a Post-Incident Review report is created, it can be found...

  • A. as a published article in a knowledge base
  • B. as an unpublished article in a knowledge base
  • C. as an attachment to the original security incident
  • D. as an article pending approval in a knowledge base
Correct Answer: C. as an attachment to the original security incident

Question 5

Security Incidents can be created using a manual UI Action on which one of the following record types?

  • A. Event
  • B. Email Notification
  • C. Workflow
  • D. Alert
Correct Answer: D. Alert

Question 6

How does a user modify Risk Scores to suit their organizational needs?

  • A. alter values in the Risk Score Configuration module
  • B. amend constants in the RiskScoreUtil script include
  • C. change the business impact for affected Business Services and Configuration Items
  • D. recode logic in the Risk Score Calculator
Correct Answer: A. alter values in the Risk Score Configuration module

Question 7

Events within the platform that are utilized for the creation of Alerts and/or Security Incidents are held in which table?

  • A. sir_event
  • B. sysevent
  • C. em_event
  • D. sys_event
Correct Answer: C. em_event

Question 8

Select the key features of the Microsoft Defender for Endpoint integration. (Choose three.)

  • A. Perform host enrichment actions to gather more information about the endpoint, including host details, logged-in users, and observable-related machine details
  • B. Find indicators of compromise (IoC) and enrich security incidents with threat intelligence data
  • C. Perform Enterprise Security Search to sight potentially malicious observables across endpoints, and take remediation actions
  • D. Perform response actions such as Isolate host, Remove isolation, Restrict app execution, Run antivirus scan, Remove app restriction, and Stop and quarantine file
Correct Answer:
  • A. Perform host enrichment actions to gather more information about the endpoint, including host details, logged-in users, and observable-related machine details
  • B. Find indicators of compromise (IoC) and enrich security incidents with threat intelligence data
  • D. Perform response actions such as Isolate host, Remove isolation, Restrict app execution, Run antivirus scan, Remove app restriction, and Stop and quarantine file

Question 9

What is included in the real-time data model in the right pane of the Flow Designer UI that may be dragged and dropped into fields in the main flow workspace?

  • A. Record Objects
  • B. Table References
  • C. Data Pills
  • D. Code Snippets
Correct Answer: C. Data Pills

Question 10

Which role must a user have to customize major security incident reports based on the incremental progress since the last summary update?

  • A. sn_msi.workspace_admin
  • B. sn_msi.workspace_manager
  • C. sn_msi.workspace_user
  • D. sn_msim.workspace_manager
Correct Answer: B. sn_msi.workspace_manager

Question 11

Which statement about Security Incident Calculators is correct?

  • A. All Calculator Groups run in order but only the calculator with the highest order in that group runs
  • B. All Calculator Groups run in order but only the first matching calculator from each group will apply
  • C. All Calculator Groups run in order but only the first matching group will apply
  • D. All Calculator Groups run in order and all calculators in the first matching group apply
Correct Answer: B. All Calculator Groups run in order but only the first matching calculator from each group will apply

Question 12

A Post Incident Review can contain which of the following? (Choose three.)

  • A. Post incident questionnaires
  • B. An audit trail
  • C. Attachments associated with the security incident
  • D. Key incident fields
  • E. Performance Analytics reports
Correct Answer:
  • A. Post incident questionnaires
  • B. An audit trail
  • E. Performance Analytics reports

Question 13

LDAP, Direct Web Service, and SOAP are types of what?

  • A. Integration methods
  • B. Data mapping
  • C. ServiceNow access protocol
  • D. Reporting methods
Correct Answer: A. Integration methods

Question 14

Why is it important that the Platform (System) Administrator role and the Security Incident administrator role be separated? (Choose three.)

  • A. Access to security incident data may need to be restricted
  • B. Allow SIR Teams to control assignment of security roles
  • C. Clear separation of duty
  • D. Reduce the number of incidents assigned to the Platform Admin
  • E. Preserve the security image in the company
Correct Answer:
  • A. Access to security incident data may need to be restricted
  • B. Allow SIR Teams to control assignment of security roles
  • C. Clear separation of duty

Question 15

What is calculated as an arithmetic mean taking into consideration different values in the CI, Security Incident, and User records?

  • A. Priority
  • B. Business Impact
  • C. Severity
  • D. Risk Score
Correct Answer: D. Risk Score

Question 16

If a desired pre-built integration cannot be found in the platform, what should be your next step to find a certified integration?

  • A. Build your own through the REST API Explorer
  • B. Ask for assistance in the community page
  • C. Download one from ServiceNow Share
  • D. Look for one in the ServiceNow Store
Correct Answer: D. Look for one in the ServiceNow Store

Question 17

Runbook records link to what type of record for their content?

  • A. Knowledge article
  • B. Response Tasks
  • C. Managed Document
  • D. Instruction Details
Correct Answer: A. Knowledge article

Question 18

Select the one capability that restricts connections from one CI to other devices.

  • A. Isolate Host
  • B. Sightings Search
  • C. Block Action
  • D. Get Running Processes
  • E. Get Network Statistics
  • F. Publish Watchlist
Correct Answer: A. Isolate Host

Question 19

What is the main goal of the Security Incident Response process?

  • A. Automate set processes
  • B. Reduce time to contain
  • C. Save the company money
  • D. Minimize impact
Correct Answer: B. Reduce time to contain

Question 20

Flow Logic in the baseline includes: (Choose two.)

  • A. For Each Loops
  • B. Interrupts
  • C. If Then conditions
  • D. Function Calls
  • E. Wait until
Correct Answer:
  • A. For Each Loops
  • C. If Then conditions
