CIS - SIR Practice Questions (1).docx PDF

Summary

This document is a set of practice questions for the ServiceNow Certified Implementation Specialist - Security Incident Response (CIS-SIR) exam. The questions cover the Security Incident Response (SIR) application from end to end: how security incidents are created (catalog, form, inbound email parsing, events and alerts, integrations), how they are classified and prioritized (severity and risk score calculators, calculator groups, process definitions), how they are worked (Flow Designer playbooks, runbooks, response tasks, roles) and how they are closed and reviewed (post-incident review, reporting). Each question lists its answer options; no answer key is included.

Full Transcript


**1). What makes a playbook appear for a Security Incident if using Flow Designer?**
A. Actions defined to create tasks
B. Trigger set to conditions that match the security incident
C. Runbook property set to true
D. Service Criticality set to High

**2). What is the purpose of Calculator Groups as opposed to Calculators?**
A. To provide metadata about the calculators
B. To allow the agent to select which calculator they want to execute
C. To set the condition for all calculators to run
D. To ensure one at maximum will run per group

**3). The following term is used to describe any observable occurrence: __________.**
A. Incident
B. Log
C. Ticket
D. Alert
E. Event

**4). The severity field of the security incident is influenced by what?**
A. The cost of the response to the security breach
B. The impact, urgency and priority of the incident
C. The time taken to resolve the security incident
D. The business value of the affected asset

**5). The Risk Score is calculated by combining all the weights using __________.**
A. an arithmetic mean
B. addition
C. the Risk Score script include
D. a geometric mean

**6). What are two of the audiences identified that will need reports and insight into Security Incident Response reports? (Choose two.)**
A. Analysts
B. Vulnerability Managers
C. Chief Information Security Officer (CISO)
D. Problem Managers

**7). What three steps enable you to include a new playbook in the Selected Playbook choice list? (Choose three.)**
A. Add the TLP: GREEN tag to the playbooks that you want to include in the Selected Playbook choice list
B. Navigate to the sys_hub_flow.list table
C. Search for the new playbook you have created using Flow Designer
D. Add the sir_playbook tag to the playbooks that you want to include in the Selected Playbook choice list
E. Navigate to the sys_playbook_flow.list table

**8). Which improvement opportunity can be found baseline which can contribute towards process maturity and strengthen the customer's overall security posture?**
A. Post-Incident Review
B. Fast Eradication
C. Incident Containment
D. Incident Analysis

**9). What is the fastest way for security incident administrators to remove unwanted widgets from the Security Incident Catalog?**
A. Clicking the X on the top right corner
B. Talking to the system administrator
C. Can't be removed
D. Through the Catalog Definition record

**10). Select the one capability that retrieves a list of running processes on a CI from a host or endpoint.**
A. Get Network Statistics
B. Isolate Host
C. Get Running Processes
D. Publish Watchlist
E. Block Action
F. Sightings Search

**11). Which Table would be commonly used for Security Incident Response?**
A. sysapproval_approver
B. sec_ops_incident
C. cmdb_rel_ci
D. sn_si_incident

**12). There are several methods in which security incidents can be raised, which broadly fit into one of these categories: __________. (Choose two.)**
A. Integrations
B. Manually created
C. Automatically created
D. Email parsing

**13). What is the first step when creating a security Playbook?**
A. Set the Response Task's state
B. Create a Flow
C. Create a Runbook
D. Create a Knowledge Article

**14). To configure Security Incident Escalations, you need the following role(s): __________.**
A. sn_si.admin
B. sn_si.admin or sn_si.manager
C. sn_si.admin or sn_si.ciso
D. sn_si.manager or sn_si.analyst

**15). Which of the following are potential benefits for utilizing Security Incident assignment automation? (Choose two.)**
A. Decreased Time to Containment
B. Increased Mean Time to Remediation
C. Decreased Time to Ingestion
D. Increased resolution process consistency

**16). What is the key to a successful implementation?**
A. Sell the customer the most expensive package
B. Implementing everything that we offer
C. Understanding the customer's goals and objectives
D. Building custom integrations

**17). A flow consists of one or more actions and a what?**
A. Change formatter
B. Catalog Designer
C. NIST Ready State
D. Trigger

**18). Flow Triggers can be based on what? (Choose three.)**
A. Record changes
B. Schedules
C. Subflows
D. Record inserts
E. Record views

**19). Which one of the following users is automatically added to the Request Assessments list?**
A. Any user that adds a worknote to the ticket
B. The analyst assigned to the ticket
C. Any user who has Response Tasks on the incident
D. The Affected User on the incident

**20). For customers who don't use 3rd-party systems, what ways can security incidents be created? (Choose three.)**
A. Security Service Catalog
B. Security Incident Form
C. Inbound Email Parsing Rules
D. Leveraging an Integration
E. Alert Management

**21). What does a flow require?**
A. Security orchestration flows
B. Runbooks
C. CAB orders
D. A trigger

**22). Knowledge articles that describe steps an analyst needs to follow to complete Security Incident tasks might be associated to those tasks through which of the following?**
A. Work Instruction Playbook
B. Flow
C. Workflow
D. Runbook
E. Flow Designer

**23). Which of the following process definitions allow only single-step progress through the process defined, without allowing step skipping?**
A. SANS Stateful
B. NIST Stateful
C. SANS Open
D. NIST Open

**24). If the customer's email server currently has an account set up to report suspicious emails, then what happens next?**
A. An integration added to Exchange keeps the ServiceNow platform in sync
B. The ServiceNow platform ensures that parsing and analysis takes place on their mail server
C. The customer's systems are already handling suspicious emails
D. The customer should set up a rule to forward these mails onto the ServiceNow platform

**25). What part of the Security Incident Response lifecycle is responsible for limiting the impact of a security incident?**
A. Post Incident Activity
B. Detection & Analysis
C. Preparation and Identification
D. Containment, Eradication, and Recovery

**26). Select the one capability that restricts connections from one CI to other devices.**
A. Isolate Host
B. Sightings Search
C. Block Action
D. Get Running Processes
E. Get Network Statistics
F. Publish Watchlist

**27). What factor, if any, limits the ability to close SIR records?**
A. Opened related INC records
B. Best practice dictates that SIR records should be set to 'Resolved', never to 'Closed'
C. Nothing, SIR records can be closed at any time
D. All post-incident review questionnaires have to be completed first

**28). When the Security Phishing Email record is created, what types of observables are stored in the record? (Choose three.)**
A. URLs, domains, or IP addresses appearing in the body
B. Who reported the phishing attempt
C. State of the phishing email
D. IP addresses from the header
E. Hashes and/or file names found in the EML attachment
F. Type of Ingestion Rule used to identify this email as a phishing attempt

**29). What plugin must be activated to see the New Security Analyst UI?**
A. Security Analyst UI Plugin
B. Security Incident Response UI plugin
C. Security Operations UI plugin
D. Security Agent UI Plugin

**30). The benefits of improved Security Incident Response are expressed __________.**
A. as desirable outcomes with clear, measurable Key Performance Indicators
B. differently depending upon 3 stages: Process Improvement, Process Design, and Post Go-Live
C. as a series of states with consistent, clear metrics
D. as a value on a scale of 1-10 based on specific outcomes

**31). This type of integration workflow helps retrieve a list of active network connections from a host or endpoint, so it can be used to enrich incidents during investigation.**
A. Security Incident Response -- Get Running Services
B. Security Incident Response -- Get Network Statistics
C. Security Operations Integration -- Sightings Search
D. Security Operations Integration -- Block Request

**32). Joe is on the SIR Team and needs to be able to configure Territories and Skills. What role does he need?**
A. Security Basic
B. Manager
C. Security Analyst
D. Security Admin

**33). Why should discussions focus with the end in mind?**
A. To understand desired outcomes
B. To understand current posture
C. To understand the customer's process
D. To understand required tools

**34). Which of the following State Flows are provided for Security Incidents? (Choose three.)**
A. NIST Open
B. SANS Open
C. NIST Stateful
D. SANS Stateful

**35). Chief factors when configuring auto-assignment of Security Incidents are __________.**
A. Agent group membership, Agent location and time zone
B. Security incident priority, CI Location and agent time zone
C. Agent skills, System Schedules and agent location
D. Agent location, Agent skills and agent time zone

**36). Which ServiceNow automation capability extends Flow Designer to integrate business processes with other systems?**
A. Workflow
B. Orchestration
C. Subflows
D. Integration Hub

**37). In order to see the Actions in Flow Designer for Security Incident, what plugin must be activated?**
A. Performance Analytics for Security Incident Response
B. Security Spoke
C. Security Operations Spoke
D. Security Incident Spoke

**38). How do you select which process definition to use?**
A. By selecting the desired process within the Process Definition module
B. By selecting the desired process within the Process Selection module
C. By setting the process definition record to Active
D. By setting the Script Include record to Active

**39). What role(s) are required to add new items to the Security Incident Catalog?**
A. requires the sn_si.admin role
B. requires the sn_si.catalog role
C. requires both sn_si.write and catalog_admin roles
D. requires the admin role

**40). What is calculated as an arithmetic mean taking into consideration different values in the CI, Security Incident, and User records?**
A. Priority
B. Business Impact
C. Severity
D. Risk Score

**41). What is the name of the Inbound Action that validates whether an inbound email should be processed as a phishing email for URP v2?**
A. User Reporting Phishing (for Forwarded emails)
B. Scan email for threats
C. User Reporting Phishing (for New emails)
D. Create Phishing Email

**42). When a record is created in the Security Incident Phishing Email table, what is triggered to create a Security Incident?**
A. Ingestion Rule
B. Transform flow
C. Transform workflow
D. Duplication Rule

**43). If a desired pre-built integration cannot be found in the platform, what should be your next step to find a certified integration?**
A. Build your own through the REST API Explorer
B. Ask for assistance in the community page
C. Download one from ServiceNow Share
D. Look for one in the ServiceNow Store

**44). Incident severity is influenced by the business value of the affected asset. Which of the following are asset types that can be affected by an incident? (Choose two.)**
A. Business Service
B. Configuration Item
C. Calculator Group
D. Severity Calculator

**45). A pre-planned response process contains which sequence of events?**
A. Organize, Analyze, Prioritize, Contain
B. Organize, Detect, Prioritize, Contain
C. Organize, Prepare, Prioritize, Contain
D. Organize, Verify, Prioritize, Contain

**46). Why is it important that the Platform (System) Administrator and the Security Incident administrator role be separated? (Choose three.)**
A. Access to security incident data may need to be restricted
B. Allow SIR Teams to control assignment of security roles
C. Clear separation of duty
D. Reduce the number of incidents assigned to the Platform Admin
E. Preserve the security image in the company

**47). Using the KB articles for Playbook tasks also gives you which of these advantages?**
A. Automated activities to run scans and enrich Security Incidents with real-time data
B. Automated activities to resolve security Incidents through patching
C. Improved visibility to threats and vulnerabilities
D. Enhanced ability to create and present concise, descriptive tasks

**48). The EmailUserReportedPhishing script processes inbound emails and creates a record in which table?**
A. ar_sn_si_phishing_email
B. sn_si_incident
C. sn_si_phishing_email_header
D. sn_si_phishing_email

**49). A flow consists of __________. (Choose two.)**
A. Scripts
B. Actions
C. Processes
D. Actors
E. Triggers

**50). Which of the following process definitions are not provided baseline?**
A. NIST Open
B. SAN Stateful
C. NIST Stateful
D. SANS Open

**51). Which of the following tag classifications are provided baseline? (Choose three.)**
A. Traffic Light Protocol
B. Block from Sharing
C. IoC Type
D. Severity
E. Cyber Kill Chain Step
F. Escalation Level
G. Enrichment whitelist/blacklist

**52). David is on the Network team and has been assigned a security incident response task. What role does he need to be able to view and work the task?**
A. Security Analyst
B. Security Basic
C. External
D. Read

**53). When a service desk agent uses the Create Security Incident UI action from a regular incident, what occurs?**
A. The incident is marked resolved with an automatic security resolution code
B. A security incident is raised on their behalf but only a notification is displayed
C. A security incident is raised on their behalf and displayed to the service desk agent
D. The service desk agent is redirected to the Security Incident Catalog to complete the record producer

**54). Which of the following fields is used to identify an Event that is to be used for Security purposes?**
A. IT
B. Classification
C. Security
D. CI

**55). What specific role is required in order to use the REST API Explorer? (Pick two)**
A. admin
B. sn_si.admin
C. rest_api_explorer
D. security_admin

**56). Which of the following is an action provided by the Security Incident Response application?**
A. Create Outage state V1
B. Create Record on Security Incident state V1
C. Create Response Task set Incident state V1
D. Look Up Record on Security Incident state V1

**57). Which one of the following reasons best describes why roles for Security Incident Response (SIR) begin with "sn_si"?**
A. Because SIR is a scoped application, roles and script includes will begin with the sn_si prefix
B. Because the Security Incident Response application uses a Secure Identity token
C. Because ServiceNow checks the instance for a Secure Identity when logging on to this scoped application
D. Because ServiceNow tracks license use against the Security Incident Response Application

**58). A Post Incident Review can contain which of the following? (Choose three.)**
A. Post incident questionnaires
B. An audit trail
C. Attachments associated with the security incident
D. Key incident fields
E. Performance Analytics reports

**59). Which security tag is used when a piece of information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved?**
A. TLP:GREEN
B. TLP:AMBER
C. TLP:RED
D. TLP:WHITE

**60). Which Table would be commonly used for Security Incident Response?**
A. sn_si_sec_incident
B. sn_sir_incident
C. incident
D. sn_si_incident

**61). ServiceNow follows the basic guidelines of the NIST lifecycle. In which phase are problems fixed, based on the best course of action and usually guided by runbooks and established procedures?**
A. Analysis
B. Detection
C. Eradication
D. Review

**62). What is the main purpose of the Security Incident Response Team?**
A. Manage vulnerability response
B. Escalate incidents to security incidents
C. Handle security incidents
D. Patch vulnerabilities

**63). What are some of the recommended duties each SIR team should have?**
A. Coaching
B. Monitoring activities
C. Testing
D. All of the above

**64). Which role is needed to amend Security Incident Response Script Includes?**
A. script_admin
B. activity_admin
C. sn_si.admin
D. admin

**65). Users can create and update security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents, with which role?**
A. itil
B. sn_si.manager
C. sn_si.cisco
D. sn_si.basic

**66). The sn_si.external role is given to external users working on security incidents. What activities can external users complete with this role? (Choose two.)**
A. View related CI record
B. View the Security Incident record
C. View assigned Tasks
D. Work Tasks assigned to them

**67). What are the benefits of having an SIR Team? (Choose three.)**
A. Reduced cost of recovery
B. Increased headcount
C. Reduced security incidents
D. Quicker incident resolutions
E. Dedicated resources

**68). What measures activity outputs?**
A. Business metrics
B. Leading Indicators
C. Lagging indicators
D. Business trends

**69). Which Security Incident Response product tiers offer baseline orchestration and automation? (Choose two.)**
A. Standard
B. Professional
C. Enterprise
D. Basic

**70). What are some of the ways SIR teams can increase their productivity? (Choose three.)**
A. Process automation
B. Form personalization
C. Training
D. Utilizing spreadsheet pivot tables
E. Hire additional staff

**71). What roles are required to modify Security Incident Catalog items?**
A. sn_si.admin and sn_si.analyst
B. (platform) admin and sn_si.analyst
C. (platform) admin and sn_si.admin
D. sn_si.integration_user and sn_si.admin

**72). When designing the Security Incident Catalog, what should happen to all catalog items?**
A. All catalog items should be displayed. These represent incidents common to all businesses.
B. All catalog items should be designed specifically to that customer's agreed needs.
C. All catalog items should be removed. They're just examples, and must be replaced by different ones specific to that customer.
D. All catalog items should be renamed to suit the language for that customer, so users know which to pick.

**73). Which of the following are required to allow inbound emails to be parsed into Security Incidents? (Choose three.)**
A. Set Properties
B. Set Parsing Rules
C. Set Field Transforms
D. Set Assignment Rules
E. Set Business Rules

**74). Select all of the following which are the target personas for MITRE ATT&CK 2.0. (Choose three.)**
A. Security and Threat Intelligence Administrators
B. Security Analysts
C. IT Project Users
D. SOC Managers and CISO

**75). The Rollup framework capability model configures linked records for what purpose?**
A. Rollup Data Loss Prevention records to Major Security Incident
B. Rollup additional records information to Major Security Incident
C. Rollup additional records information to Data Loss Prevention Incidents
D. Rollup additional records information to imported Security Incidents

**76). Events within the platform that are utilized for the creation of Alerts and/or Security Incidents are held in which table?**
A. sir_event
B. sysevent
C. em_event
D. sys_event

**77). Security Incidents can be created using a manual UI Action on which one of the following record types?**
A. Event
B. Email Notification
C. Workflow
D. Alert

**78). Select the one capability that retrieves a list of active network connections from a host or endpoint.**
A. Sightings Search
B. Block Action
C. Get Running Processes
D. Publish Watchlist
E. Isolate Host
F. Get Network Statistics

**79). LDAP, Direct Web Service, and SOAP are types of what?**
A. Integration methods
B. Data mapping
C. ServiceNow access protocol
D. Reporting methods

**80). Events received from external tools should include what information? (Choose three.)**
A. A list of similar indicators that were discovered in the event details
B. Event description, which populates the description of the security incident
C. Event classification set to Security to distinguish them from other IT events
D. Whitelisted and Blacklisted IP addresses
E. Node set to the name, IP address, or sys_id of the CI that becomes the affected resource

**81). Select all of the following which are key features of Microsoft Defender for Endpoint. (Choose three.)**
A. Perform host enrichment actions to gather more information about the endpoint, which includes host details, logged-in users, and observable related machine details.
B. Find indicators of compromise (IoC) and enrich security incidents with threat intelligence data.
C. Perform Enterprise Security Search to sight potential malicious observables across endpoints, and take remediation actions.
D. Perform response actions such as Isolate host, Remove isolation, Restrict app execution, Run antivirus scan, Remove app restriction, and Stop and quarantine file.

**82). The time zone of a CI is determined by:**
A. The time zone setting on the computer
B. The time zone field on the Clock
C. The time zone of the asset owner
D. The time zone of the location

**83). Security tags can be applied to which of the following record types? (Choose three.)**
A. Incidents
B. Problems
C. Indicators and observables
D. Response Tasks
E. Security Incidents
F. Change Orders
G. CMDB CI records

**84). The creation of custom process definitions would require which of the following platform components? (Choose two.)**
A. Client-Side Script
B. Process Definition record
C. Business Rule
D. Script Include

**85). Which Security tag is used when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector?**
A. TLP:PURPLE
B. TLP:AMBER
C. TLP:RED
D. TLP:GREEN

**86). Which of the following management activities are associated with Major Security Incident Management?**
A. Link security incidents as child incidents to other child incidents, so that all security incidents can be worked
B. Link security incidents as parent incidents to the major security incident (MSI) so that all security incidents can be worked
C. Link security incidents as child incidents to the major security incident (MSI) so that all security incidents can be worked
D. Link security incidents as minor incidents to the major security incident (MSI) so that all security incidents can be worked

**87). Select all of the following which are key features of Major Security Incident Management. (Choose three.)**
A. Organize response tasks across multiple parent security incidents
B. Chat channel manager and activity stream components to manage communications across multiple security, IT, and functional groups via a Microsoft Teams integration
C. Organize response tasks across multiple 'child' security incidents
D. Dedicated workspace for managing major security incidents specifically designed for the major security incident manager user role

**88). Select all of the following which are key features of the Malware Information Sharing Platform (MISP) integration. (Choose three.)**
A. Dedicated workspace for managing major security incidents specifically designed for the major security incident manager user role
B. Auto-extract MITRE ATT&CK information from MISP attributes and associate the information to SIR security incidents.
C. Add security incident associated observables as attributes to a MISP event.
D. Update a MISP event from SIR, which includes adding or updating tags, galaxies, or attributes.

**89). Which role must a user have to customize major security incident reports based on the incremental progress since the last summary update?**
A. sn_msi.workspace_admin
B. sn_msi.workspace_manager
C. sn_msi.workspace_user
D. sn_msim.workspace_manager

**90). Which statement about Security Incident Calculators is correct?**
A. All Calculator Groups run in order but only the calculator with the highest order in that group runs
B. All Calculator Groups run in order but only the first matching calculator from each group will apply
C. All Calculator Groups run in order but only the first matching group will apply
D. All Calculator Groups run in order and all calculators in the first matching group apply

**91). When a Post-Incident Review report is created, it can be found...**
A. as a published article in a knowledge base
B. as an unpublished article in a knowledge base
C. as an attachment to the original security incident
D. as an article pending approval in a knowledge base

**92). What is the main goal of the Security Incident Response process?**
A. Automate set processes
B. Reduce time to contain
C. Save the company money
D. Minimize impact

**93). What should you consider before helping customers automate different processes?**
A. Customer's willingness to change
B. Understand expected benefits
C. Understand internal processes
D. Understand baseline workflow

**94). Security Incidents can be created using which platform functionality?**
A. Inbound Email Actions
B. Email matching rules
C. Email rules
D. Notifications

**95). Which platform functionality uses Conditions and Scripts to take action on a target table when receiving emails?**
A. Email Matching Rules
B. Inbound Email Actions
C. User Reported Phishing Script Include
D. Email Scheduler

**96). Actions packaged in Scoped applications are called:**
A. Action Groups
B. Categories
C. Spokes
D. Subflows

**97). When testing a flow, where can the action outcomes be found?**
A. Configuration Details
B. System Log
C. Execution Details
D. Content Record

**98). Flow Logic in the baseline includes: (Choose two.)**
A. For Each Loops
B. Interrupts
C. If Then conditions
D. Function Calls
E. Wait until

**99). What contains a set of reusable operations that are designed to be used in multiple playbooks?**
A. Flows
B. Actions
C. Trigger
D. Subflows

**100). What automates processes and supports triggers with a sequence of reusable actions?**
A. Subflows
B. Actions
C. Flows
D. Activities

**101). Once a Phishing Email record is created, which Flow creates a new Security Incident record?**
A. Security Incident - Phishing Manual
B. Security Incident - Automated Phishing Playbook
C. Child Incident Automated Flow
D. Transform Phishing Email to Security Incident

**102). When an inbound email is processed and identified as a phishing email, what table is it stored in for URP v2?**
A. Security Incident Alert
B. Security Incident Phishing Email
C. Security Incident
D. Incident

**103). In order to use User Reported Phishing v2, what must occur in Flow Designer?**
A. Transform Flow must be published
B. Transform Flow must be activated
C. Transform Action must be activated
D. Phishing Email Aggregation Subflow must be activated
E. Transform Flow must be copied and activated

**104). When setting up a Playbook, what field in the Flow Action for Creating a Response Task must contain the same value as the Runbook name?**
A. Short Description
B. Action
C. Runbook
D. Knowledge article

**105). Runbook records utilize a link to what type of record for content?**
A. Knowledge article
B. Response Tasks
C. Managed Document
D. Instruction Details

**106). In a Flow, if the Create Response Task set Incident state V1 action is selected, what field contains the yes_no value that drives a question being asked in the playbook?**
A. Question Type
B. Outcome Type
C. SI State
D. Answer Type

**107). Runbooks are used to create a relationship between what components? (Choose two.)**
A. Events
B. Security Incident Response Task
C. Playbook Task
D. Alerts
E. Workflow Trigger
F. Knowledge article

**108). What is included in the real-time data model in the right pane of the Flow Designer UI that may be dragged and dropped into fields in the main flow workspace?**
A. Record Objects
B. Table References
C. Data Pills
D. Code Snippets

**109). What kind of rules can be used to configure how email phishing incidents are processed? (Choose two.)**
A. Risk Rules
B. Inbound Property Rules
C. CI Lookup Rules
D. Ingestion Rules
E. Condition Rules
F. Duplication Rules

**110). Risk Score weighting uses which of the following components? (Choose two.)**
A. Business impact of a CI or Security Incident
B. Severity and Priority of a Security Incident
C. Cost and Risk of an affected service
D. SLA and Schedule of an impacted service
E. Impact and Urgency of a Security Incident

**111). Select all of the following which are the target personas for MITRE ATT&CK 2.0. (Choose three.)**
A. SOC Managers and CISO
B. Security and Threat Intelligence Administrators
C. Security Analysts
D. Compliance Managers
E. Penetration Testers

**112). How does a user modify Risk Scores to suit their organizational needs?**
A. Alter values in the Risk Score Configuration module
B. Amend constants in the RiskScoreUtil script include
C. Change the business impact for affected Business Services and Configuration Items
D. Recode logic in the Risk Score Calculator

**113). What are some of the ways SIR teams can increase their productivity? (Choose three.)**
A. Red/Blue automation
B. Export to spreadsheet pivot tables
C. Process automation
D. Training
E. Form personalization
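Questions 2, 4, 44 and 90 all turn on the same evaluation rule for Security Incident calculators: calculator groups run in order, and inside each group only the first calculator whose condition matches is applied, so at most one calculator per group ever writes to the record. The model below is an added illustration written for this page in plain Python, not ServiceNow's own implementation; the group names, the field names (`ci_criticality`, `category`, `severity`, `assignment_group`, `escalated_to`) and the sample incidents are invented. It also shows two consequences of the rule that the quiz does not spell out: a later group can branch on a value written by an earlier group, and a group with no matching calculator leaves the record untouched.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Hypothetical, simplified model of SIR severity/assignment calculators.
Record = Dict[str, Any]


@dataclass
class Calculator:
    name: str
    order: int                          # evaluation order inside its group
    condition: Callable[[Record], bool]
    values: Dict[str, Any]              # fields written when the condition matches


@dataclass
class CalculatorGroup:
    name: str
    order: int                          # groups run in ascending order
    calculators: List[Calculator]
    active: bool = True


def run_calculators(incident: Record, groups: List[CalculatorGroup]) -> List[str]:
    """Run every active group in order. Inside a group, evaluate calculators by
    order and apply only the first one whose condition matches; a group with no
    matching calculator changes nothing. Returns 'group/calculator' names in
    the order they were applied."""
    applied: List[str] = []
    for group in sorted(groups, key=lambda g: g.order):
        if not group.active:
            continue
        for calc in sorted(group.calculators, key=lambda c: c.order):
            if calc.condition(incident):
                incident.update(calc.values)
                applied.append(f"{group.name}/{calc.name}")
                break  # at most one calculator per group
    return applied


def baseline_groups() -> List[CalculatorGroup]:
    """Constructed sample configuration: a severity group, then an assignment
    group that reads the severity the first group wrote, then an escalation
    group without a catch-all calculator."""
    severity = CalculatorGroup("Severity", 100, [
        Calculator("Critical CI", 100,
                   lambda r: r.get("ci_criticality") == "1 - most critical",
                   {"severity": 1}),
        Calculator("Malware", 200,
                   lambda r: r.get("category") == "Malware",
                   {"severity": 2}),
        Calculator("Default", 900, lambda r: True, {"severity": 3}),
    ])
    assignment = CalculatorGroup("Assignment", 200, [
        Calculator("Major incident", 100,
                   lambda r: r.get("severity") == 1,
                   {"assignment_group": "Major Security Incident Response"}),
        Calculator("Malware team", 200,
                   lambda r: r.get("category") == "Malware",
                   {"assignment_group": "Malware Response"}),
        Calculator("SOC default", 900, lambda r: True,
                   {"assignment_group": "SOC Tier 1"}),
    ])
    escalation = CalculatorGroup("Escalation", 300, [
        # No default calculator: non-critical incidents get nothing from this group.
        Calculator("Notify CISO", 100,
                   lambda r: r.get("severity") == 1,
                   {"escalated_to": "CISO"}),
    ])
    return [severity, assignment, escalation]


def classify(incident: Record) -> Record:
    """Return a copy of the incident with calculated fields and an 'applied' trace."""
    result = dict(incident)
    result["applied"] = run_calculators(result, baseline_groups())
    return result


if __name__ == "__main__":
    samples = [
        {"number": "SIR0010001", "category": "Malware", "ci_criticality": "1 - most critical"},
        {"number": "SIR0010002", "category": "Malware", "ci_criticality": "3 - less critical"},
        {"number": "SIR0010003", "category": "Policy violation", "ci_criticality": "3 - less critical"},
    ]
    for sample in samples:
        print(classify(sample))
```

For the first sample both "Critical CI" and "Malware" match in the Severity group, but only "Critical CI" (lower order) is applied, which is the behaviour option B of question 90 describes; the Malware calculator never runs for that record even though its condition is true.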
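Questions 28, 41, 48, 95 and 102 describe the User Reported Phishing path: an inbound email action with a condition stage decides whether a mail is a forwarded phishing report, and the resulting Phishing Email record stores three kinds of observables (IP addresses from the headers; URLs, domains and IP addresses from the body; hashes and file names of what is inside the attached EML). The script below is an added example written for this page using only the Python standard library; it is not the EmailUserReportedPhishing script or any ServiceNow code, and the reporting mailbox, hosts, addresses and attachment bytes are invented. It builds a report in which a user forwards a suspicious mail as a message/rfc822 attachment, applies a condition like the "for Forwarded emails" inbound action, then walks into the forwarded message to collect the observables.

```python
import hashlib
import json
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Any, Dict, Optional
from urllib.parse import urlsplit

# Constructed for this example: mailbox, hosts, addresses and bytes are invented.
REPORTING_MAILBOX = "phishing@corp.example"
SAMPLE_ATTACHMENT = b"%PDF-1.4 not really an invoice"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"""https?://[^\s<>"'()\[\]]+""")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_report() -> bytes:
    """A user forwards a suspicious mail, as a message/rfc822 attachment, to the
    reporting mailbox. Returns the raw RFC 5322 bytes of the report."""
    suspicious = EmailMessage()
    suspicious["From"] = "it-support@examp1e-login.test"
    suspicious["To"] = "alice@corp.example"
    suspicious["Subject"] = "Action required: password expires today"
    suspicious["Received"] = ("from mail.examp1e-login.test (unknown [203.0.113.45]) "
                              "by mx.corp.example with ESMTP; Mon, 1 Jan 2024 09:00:00 +0000")
    suspicious.set_content(
        "Your password expires today.\n"
        "Reset it at https://examp1e-login.test/reset?u=alice\n"
        "or call our helpdesk at 198.51.100.7 for support.\n")
    suspicious.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                              subtype="pdf", filename="invoice.pdf")

    report = EmailMessage()
    report["From"] = "alice@corp.example"
    report["To"] = REPORTING_MAILBOX
    report["Subject"] = "FW: Action required: password expires today"
    report["Received"] = ("from workstation.corp.example ([10.10.4.21]) "
                          "by mx.corp.example; Mon, 1 Jan 2024 09:05:00 +0000")
    report.set_content("Looks suspicious, please check.\n")
    report.add_attachment(suspicious, filename="suspicious.eml")
    return bytes(report)


def build_non_report() -> bytes:
    """Constructed control case: a plain mail to the reporting mailbox with no
    forwarded message, which the condition stage must reject."""
    msg = EmailMessage()
    msg["From"] = "bob@corp.example"
    msg["To"] = REPORTING_MAILBOX
    msg["Subject"] = "Question about the phishing training"
    msg.set_content("Is the training mandatory?\n")
    return bytes(msg)


def should_process_as_phishing(msg: EmailMessage) -> bool:
    """Condition stage for the forwarded-email case: addressed to the reporting
    mailbox and carrying at least one message/rfc822 attachment."""
    to_reporting = REPORTING_MAILBOX in str(msg.get("To", "")).lower()
    has_forwarded = any(p.get_content_type() == "message/rfc822"
                        for p in msg.iter_attachments())
    return to_reporting and has_forwarded


def _collect(msg: EmailMessage, obs: Dict[str, Any], depth: int) -> None:
    # 1. IP addresses from transport headers of this message
    for name in ("Received", "X-Originating-IP"):
        for value in msg.get_all(name, []):
            obs["header_ips"].update(IPV4_RE.findall(str(value)))
    # 2. URLs, their domains, and bare IP addresses written in the body
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        obs["urls"].add(url)
        host = urlsplit(url).hostname
        if host and not IPV4_RE.fullmatch(host):
            obs["domains"].add(host)
    obs["body_ips"].update(IPV4_RE.findall(text))
    # 3. Attachments: recurse into forwarded messages, hash everything else
    for part in msg.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            _collect(part.get_payload(0), obs, depth + 1)
        else:
            data = part.get_payload(decode=True) or b""
            obs["attachments"].append({"file_name": part.get_filename(),
                                       "sha256": sha256_hex(data),
                                       "nested_depth": depth})


def extract_observables(raw: bytes) -> Optional[Dict[str, Any]]:
    """Parse a raw inbound mail; return None when the condition does not match
    (the mail falls through to the normal inbound actions), otherwise the
    deduplicated, sorted observables for the Phishing Email record."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if not should_process_as_phishing(msg):
        return None
    obs: Dict[str, Any] = {"header_ips": set(), "urls": set(), "domains": set(),
                           "body_ips": set(), "attachments": []}
    _collect(msg, obs, depth=0)
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in obs.items()}


if __name__ == "__main__":
    print(json.dumps(extract_observables(build_sample_report()), indent=2))
```

The reporter's address and the mail's state are deliberately not in the result: question 28 lists them as distractors, and they belong to the Phishing Email record's own fields rather than to its observables. The condition function is the part that an inbound email action's Conditions section would hold (question 95); everything after it is the Script.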
