Is the CIS-SIR practice exam free?

Yes. ExamCademy offers all 119 CIS-SIR practice questions for free with a registered account. No payment needed. Optional supporter features add AI explanations and spaced repetition study tools.

How accurate are the CIS-SIR practice questions?

All CIS-SIR questions are community-created and reviewed by moderators to align with ServiceNow's published exam objectives. The community continuously reports and fixes issues to keep content accurate and up to date.

How should I study for the CIS-SIR exam?

Start by browsing practice questions to identify weak areas. Use spaced repetition (Learn Mode) to focus study time on topics you struggle with. Combine practice questions with official ServiceNow documentation and hands-on experience for best results.

CIS-SIR Practice Exam — Free 119+ Questions

119Practice Questions

3Study Modes

FreeTo Get Started

Sort:

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 22

Question 23

Question 24

Question 25

Question 26

Question 27

Page 1 of 5 • Questions 1-25 of 119

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

A Post Incident Review can contain which of the following? (Choose three.)

A Post incident questionnaires
B An audit trail
C Attachments associated with the security incident
D Key incident fields
E Performance Analytics reports

Events received from external tools should include what information? (Choose three.)

A A list of similar indicators that were discovered in the event details
B Event description, which populates the description of the security incident
C Event classification set to Security to distinguish them from other IT events
D Whitelisted and Blacklisted IP addresses
E Node set to the name, IP address, or sys_id of the CI that becomes the affected resource

Why should discussions focus with the end in mind?

A To understand desired outcomes
B To understand current posture
C To understand customer’s process
D To understand required tools

Chief factors when configuring auto-assignment of Security Incidents are __________.

A Agent group membership, Agent location and time zone
B Security incident priority, CI Location and agent time zone
C Agent skills, System Schedules and agent location
D Agent location, Agent skills and agent time zone

Which ServiceNow automation capability extends Flow Designer to integrate business processes with other systems?

A Workflow
B Orchestration
C Subflows
D Integration Hub

If a desired pre-built integration cannot be found in the platform, what should be your next step to find a certified integration?

A Build your own through the REST API Explorer
B Ask for assistance in the community page
C Download one from ServiceNow Share
D Look for one in the ServiceNow Store

The time zone of a CI is determined by:

A The time zone setting on the computer
B The time zone field on the Clock
C The time zone of the asset owner
D The time zone of the location

The following term is used to describe any observable occurrence: __________.

A Incident
B Log
C Ticket
D Alert
E Event

There are several methods in which security incidents can be raised, which broadly fit into one of these categories: __________. (Choose two.)

A Integrations
B Manually created
C Automatically created
D Email parsing

What is the key to a successful implementation?

A Sell customer the most expensive package
B Implementing everything that we offer
C Understanding the customer’s goals and objectives
D Building custom integrations

Risk Score weighting uses which of the following components? (Choose two.)

A Business impact of a CI or Security Incident
B Severity and Priority of a Security incident
C Cost and Risk of an affected service
D SLA and Schedule of an impacted service
E Impact and Urgency of a Security incident

Select all of the following which are the target personas for MITRE ATT&CK 2.0? (Choose three.)

A SOC Managers and CISO
B Security and Threat Intelligence Administrators
C Security Analysts
D Compliance Managers
E Penetration Testers

How does a user modify Risk Scores to suit their organizational needs?

A alter values in the Risk Score Configuration module
B amend constants in the RiskScoreUtil script include
C change the business impact for affected Business Services and Configuration Items
D recode logic in the Risk Score Calculator

What are some of the ways SIR teams can increase their productivity? (Choose three.)

A Red/Blue automation
B Export to spreadsheet pivot tables
C Process automation
D Training
E Form personalization

How can you create a new record using the REST API?

A Using a PATCH request
B Using a POST request
C Using a PUT request
D Using a GET request

Which role must a user have to customize major security incident reports based on the incremental progress since last summary update?

A sn_msi.workspace_user
B sn_msi.workspace_responder
C sn_msim.workspace_responder
D sn_msi.workspace_manager

Who is responsible for identifying security incidents?

A Everyone
B Managers
C IT personnel
D Security analysts

Select all of the following which are key features of the Malware Information Sharing Platform (Choose three.)

A Dedicated MISP workspace for managing major security incidents
B Auto-extract MITRE-ATT&CK™ information from MISP attributes and associate them to SIR security incidents
C Attribute enrichment including adding or updating tags, galaxies, or attributes
D Send malware to MISP for detonation
E Add security incident associated observables as attributes to a MISP event

Which security tag should be used when a piece of information cannot be effectively acted upon by additional parties, and could lead to impacts on a party’s privacy, reputation, or operations if misused?

A TLP:WHITE
B TLP:RED
C TLP:GREEN
D TLP:AMBER

What is one of the Security Incident Response Team’s activities?

A Patch vulnerabilities
B Escalate incidents to security incidents
C Monitor security alerts
D Penetration testing

Which of the following State Flows are provided for Security Incidents? (Choose three.)

A NIST Open
B SANS Open
C NIST Stateful
D SANS Stateful

What is the purpose of Calculator Groups as opposed to Calculators?

A To provide metadata about the calculators
B To allow the agent to select which calculator they want to execute
C To set the condition for all calculators to run
D To ensure one at maximum will run per group

What are two of the audiences identified that will need reports and insight into Security Incident Response reports? (Choose two.)

A Analysts
B Vulnerability Managers
C Chief Information Security Officer (CISO)
D Problem Managers

What makes a playbook appear for a Security Incident if using Flow Designer?

A Actions defined to create tasks
B Trigger set to conditions that match the security incident
C Runbook property set to true
D Service Criticality set to High

The severity field of the security incident is influenced by what?

A The cost of the response to the security breach
B The impact, urgency and priority of the incident
C The time taken to resolve the security incident
D The business value of the affected asset

CIS-SIRPreview

About the CIS-SIR Exam

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 22

Question 23

Question 24

Question 25

Question 26

Question 27

CIS-SIRPreview

About the CIS-SIR Exam

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 22

Question 23

Question 24

Question 25

Question 26

Question 27