Automation and Standard Processes Flashcards

1
Q

Before performing Splunk Integration setup procedures, what roles would the integration user need?

A

sn_si.integration_user and sn_si.analyst

In addition, performing imports requires the import_transformer role, which grants read and write permission on the security tables. The sn_si.integration_user role should be defined to include import_transformer.

2
Q

What are the Automation Capabilities?

A
Existing solutions that require advanced skills:
Workflow
Orchestration
Scheduled Jobs
Business Rules

New innovations:
Flow Designer
Integration Hub

3
Q

What is SOAR?

A

Security Orchestration, Automation, and Response

4
Q

What roles can activate a Security incident response flow?

A

sn_si.admin

action_designer

flow_designer

5
Q

True or False: the baseline flows for Security Incident Response are active once downloaded.

A

False

You must download the Security Operations Spoke, then search Flow Designer for the Security Operations application flows,

then copy the flow,

then click the Activate button.

6
Q

How do you navigate to Runbooks?

A

Security Incident > Manual Runbook > View Runbook Documents

7
Q

What are Runbooks?

A

Knowledge bases containing articles that provide users with information such as self-help, troubleshooting, and task resolution.

8
Q

What can Knowledge Articles do for Runbooks?

A

Provide detailed steps a Security Analyst should take under specific circumstances

Can be related to Runbook records, where the criteria for their use are defined

can be incorporated into a Playbook

9
Q

What role do you need to create, read, and open Security Incident Runbooks?

A

sn_si.knowledge_admin

10
Q

What is the processing chain of a Playbook that ends with a Runbook?

A

A new Security Incident is created.

A workflow is triggered by the new record created in the sn_si_incident table.

The workflow begins once triggered.

Certain workflows have been created to address "Playbooks" containing tasks used to resolve a specific type of threat.

As the workflow progresses, new Security Incident Tasks are generated.

Runbooks evaluate the new Incident Response Tasks on the sn_si_task table.

If an Incident Response Task matches the criteria set in the Runbook, an association is created between a KB article and the SIR task.

The new Security Incident Response Task, with its KB article, is then displayed to the user in the Security Analyst UI along with the Playbook.
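Added example (not from the flashcards or from ServiceNow): an offline model of the Runbook matching step in the chain above, written in plain Node.js rather than against the GlideRecord or Flow Designer APIs. It shows what the card leaves implicit: criteria are AND-ed conditions, a missing task field never matches, and several Runbooks can attach several KB articles to one task. The Runbook records, the encoded-query subset (=, !=, IN), the task field names and the KB numbers are all constructed assumptions.

```javascript
// Added example: offline model of Runbook criteria matching for new
// sn_si_task records. Plain Node.js, not ServiceNow's GlideRecord or Flow
// Designer APIs. Runbooks, criteria strings and KB numbers are constructed.

// Parse a simplified ServiceNow-style encoded query such as
// "category=phishing^phase=Contain^priorityIN1,2" into AND-ed conditions.
// Supported operators (a subset assumed for this example): =, !=, IN.
function parseEncodedQuery(query) {
  return query.split('^').filter(Boolean).map((cond) => {
    let m;
    if ((m = cond.match(/^(\w+)!=(.*)$/))) return { field: m[1], op: '!=', value: m[2] };
    if ((m = cond.match(/^(\w+)=(.*)$/))) return { field: m[1], op: '=', value: m[2] };
    if ((m = cond.match(/^(\w+?)IN(.+)$/))) return { field: m[1], op: 'IN', value: m[2].split(',') };
    throw new Error('unsupported condition: ' + cond);
  });
}

// A task satisfies the criteria when every condition holds. A field the task
// does not carry never satisfies a condition: a missing value is not a
// wildcard, so a Runbook cannot attach to a task by accident.
function matchesCriteria(task, conditions) {
  return conditions.every(({ field, op, value }) => {
    if (task[field] === undefined || task[field] === null) return false;
    const v = String(task[field]);
    if (op === '=') return v === value;
    if (op === '!=') return v !== value;
    return value.includes(v); // IN
  });
}

// Constructed Runbook records: criteria plus the KB article to associate.
const RUNBOOKS = [
  { name: 'Phishing - analyze headers',   kb: 'KB0010001', criteria: 'category=phishing^phase=Analysis' },
  { name: 'Phishing - block sender',      kb: 'KB0010002', criteria: 'category=phishing^phase=Contain' },
  { name: 'Urgent containment checklist', kb: 'KB0030001', criteria: 'phase=Contain^priorityIN1,2' },
  { name: 'Malware - isolate host',       kb: 'KB0020001', criteria: 'category=malware^phase=Contain' },
];

// Evaluate one new sn_si_task record against every Runbook. Several Runbooks
// may match one task, so the result is the list of KB articles to associate.
function runbooksForTask(task, runbooks = RUNBOOKS) {
  return runbooks
    .filter((r) => matchesCriteria(task, parseEncodedQuery(r.criteria)))
    .map((r) => r.kb);
}

// The chain from the card: a new sn_si_incident record triggers a workflow
// that generates one task per Playbook phase; each task inherits the
// incident's category and priority and is evaluated against the Runbooks.
function processIncident(incident, phases, runbooks = RUNBOOKS) {
  return phases.map((phase) => {
    const task = { incident: incident.number, category: incident.category,
                   priority: incident.priority, phase };
    return { ...task, kb_articles: runbooksForTask(task, runbooks) };
  });
}

// Constructed sample incident and Playbook phases.
const INCIDENT = { number: 'SIR0001001', category: 'phishing', priority: 2 };
const PHASES = ['Analysis', 'Contain', 'Eradicate', 'Recovery', 'Review'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const t of processIncident(INCIDENT, PHASES)) {
    console.log(t.phase.padEnd(10), t.kb_articles.join(', ') || '(no Runbook matched)');
  }
}
```

Running it shows the Analysis task picking up one article, the Contain task picking up two (the phishing Runbook and the priority-based checklist both match), and the remaining phases getting none; a task with no matching Runbook is still displayed in the Security Analyst UI, just without a KB association.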

11
Q

How does a Playbook work within the Security Analyst UI?

A

Resolves certain types of security threats in a step-by-step manner. Each group of tasks (Analysis, Contain, Eradicate, Recovery, Review, and Closed) leads you through a series of questions and other activities for resolving the threat.

12
Q

What happens when a user reports a phishing email in User Reported Phishing version 2.0?

A

Emails are captured in the sys_email table in ServiceNow.

Inbound actions and email ingestion rules identify phishing emails and create Phishing Email records.

Aggregation logic is applied to the Phishing Email records to find duplicates.

Security Incidents are created with a parent-child association.

13
Q

Where is the Child Aggregation system property located?

A

User Reported Phishing properties module

14
Q

What happens when the Child Aggregation system property is set to true?

A

All other phishing emails that aggregate with the first one are set up as child incidents of the first (parent) phishing email's incident.
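Added example (not from the flashcards or from ServiceNow) covering cards 12 to 14 together: an offline model of the User Reported Phishing chain (capture, ingestion rule, duplicate aggregation, parent-child incidents) in plain Node.js, not the GlideRecord or Flow APIs. The report mailbox address, the field names, the aggregation key (normalized sender plus normalized subject) and the CHILD_AGGREGATION-style flag standing in for the Child Aggregation system property are assumptions; the behaviour when the property is false is also assumed, since the card only describes the true case.

```javascript
// Added example: offline model of User Reported Phishing v2.0 ingestion and
// aggregation. Plain Node.js over constructed records, not ServiceNow's
// GlideRecord or Flow APIs. Mailbox, field names and the childAggregation
// flag (standing in for the Child Aggregation system property) are assumed.

// Constructed rows standing in for captured emails in the sys_email table.
const SYS_EMAIL = [
  { sys_id: 'e1', user: 'alice', recipient: 'phishing@corp.example', sender: 'billing@pay-portal-secure.example', subject: 'Invoice 4471 overdue' },
  { sys_id: 'e2', user: 'bob',   recipient: 'phishing@corp.example', sender: 'billing@pay-portal-secure.example', subject: 'RE: Invoice 4471 overdue' },
  { sys_id: 'e3', user: 'carol', recipient: 'Phishing@corp.example', sender: 'Billing@Pay-Portal-Secure.example', subject: 'Fwd:  Invoice 4471   overdue' },
  { sys_id: 'e4', user: 'dave',  recipient: 'phishing@corp.example', sender: 'it-helpdesk@example.net', subject: 'Your mailbox is full' },
  { sys_id: 'e5', user: 'alice', recipient: 'helpdesk@corp.example', sender: 'cafeteria@corp.example', subject: 'Lunch menu' },
];

const PHISHING_MAILBOX = 'phishing@corp.example'; // assumed report mailbox

// Email ingestion rule: only mail sent to the report mailbox becomes a
// Phishing Email record; everything else in sys_email is left alone.
function isPhishingReport(email) {
  return email.recipient.trim().toLowerCase() === PHISHING_MAILBOX;
}

// Strip reply/forward prefixes and collapse whitespace so the same lure
// reported by several users aggregates under one key.
function normalizeSubject(subject) {
  let s = subject.trim().toLowerCase().replace(/\s+/g, ' ');
  let prev;
  do { prev = s; s = s.replace(/^(re|fw|fwd)\s*:\s*/, ''); } while (s !== prev);
  return s;
}

// Aggregation key: normalized sender plus normalized subject (assumed here;
// the real aggregation logic may weigh other fields).
function aggregationKey(email) {
  return email.sender.trim().toLowerCase() + '|' + normalizeSubject(email.subject);
}

// childAggregation models the Child Aggregation property: true links each
// duplicate as a child of the first incident in its group; false (assumed
// behaviour) gives every Phishing Email record a standalone incident.
function ingest(sysEmails, childAggregation) {
  const phishingEmails = sysEmails.filter(isPhishingReport)
    .map((e) => ({ email: e.sys_id, reporter: e.user, key: aggregationKey(e) }));

  const groups = new Map(); // insertion order = arrival order, so first = parent
  for (const p of phishingEmails) {
    if (!groups.has(p.key)) groups.set(p.key, []);
    groups.get(p.key).push(p);
  }

  const incidents = [];
  let seq = 1001;
  const nextNumber = () => 'SIR000' + seq++;
  for (const [key, members] of groups) {
    const first = { number: nextNumber(), email: members[0].email, parent: null, key };
    incidents.push(first);
    for (const m of members.slice(1)) {
      incidents.push({ number: nextNumber(), email: m.email,
                       parent: childAggregation ? first.number : null, key });
    }
  }
  return { phishing_emails: phishingEmails, incidents };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const inc of ingest(SYS_EMAIL, true).incidents) {
    console.log(inc.number, inc.email, inc.parent ? 'child of ' + inc.parent : 'parent');
  }
}
```

With the flag set, the three reports of the same invoice lure collapse into one parent incident with two children, and the unrelated "mailbox is full" report gets its own parent; the lunch menu never becomes a Phishing Email record because the ingestion rule filters it out. Note that the normalization is what makes the aggregation useful: without it, the differing RE:/Fwd: prefixes and sender capitalization would produce three separate incidents for one campaign.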
