KB0012138

ServiceNow CIS - Security Incident Response Delta Exam Study Guide


Release: Vancouver

 

Audience

All Learners

 

Overview

Use this study guide when completing your delta exam in Now Learning. The content presented in this knowledge article is the exam content you will be tested on to maintain your certification. In addition, we always encourage you to review ServiceNow's Product Documentation.

 

Delta Exam Study Guide Content

The ServiceNow® Security Incident Response (SIR) application helps your organization connect security and IT teams, respond faster and efficiently to threats, and view your organization's security posture. Security Incident Response was enhanced and updated in the Vancouver release.

 

In the Vancouver release, the new CrowdStrike Falcon Insight for Security Operations integration works with the Now Platform so that you can get additional insight into the scope of an incident. CrowdStrike Falcon Insight captures all relevant endpoint event activity, while you use the Now Platform to focus on investigation and remediation actions. This integration supports the UI Framework built capabilities in the new SIR workspace along with the existing capabilities such as Host Details, Logged On User, Network Statistics, Running Services, Running Process, and Host isolation.

 

With the CrowdStrike Falcon Insight for Security Operations integration, you can take remediation actions on endpoints in real time, use profiles to gather details about the host, and run specific queries or actions on the endpoint from the Now Platform Security Incident Response product.

The Vancouver release also features the new McAfee ePO integration, an endpoint detection and response (EDR) capability that helps Security Operations Center (SOC) analysts identify cyberthreats and repair the damage caused by malicious files. This integration supports the UI Framework built capabilities in the new SIR workspace along with the existing capabilities such as Get System Details, List Threat Events, Initiate Malware Scan, and Host isolation.

The McAfee ePO integration makes available several key capabilities. The “Get system details” capability gathers system details, including operating system details. The “Initiate malware scan” capability initiates a scan of an impacted endpoint based on scan configuration and scheduling. The “Isolate/Unisolate host” capability removes a system from network access for investigation and restores its access to the network afterwards. The “List threat events” capability gathers compliance status and the most current threat events.

In Vancouver, the SIR Workspace dashboards are also enhanced to provide you with the Security Incident Manager Overview dashboard, CISO Overview dashboard, and CISO Reporting Overview dashboard. These dashboards include important metrics for analyzing your Security Incident Response process, such as the number of new security incidents or the average age of open security incidents.

 

Along with these featured Security Incident Response updates, Vancouver also provides key updates to the Data Loss Prevention application, such as the ability for a DLP admin to configure approval rules. As a DLP admin, you can define approval rules that grant consent on requests raised by end users for the advanced type of response option. You can also define multiple levels of approval from here. After the approval levels are configured, users can approve or reject the approval requests assigned to them using the Data Loss Prevention Incident Response user workspace.

 

Lastly, please be aware that in the Vancouver release ServiceNow® Security Incident Response no longer supports the Threat Crowd integration. Therefore, if you run a threat look-up against any observables using the Threat Crowd integration, you might see an error. Please see the ServiceNow Vancouver release notes for more information and additional changes in the Vancouver release.