1/ When creating an alert management rule, where would you specify a workflow to resolve a given

condition?

From the Remediation tab

From the Actions tab

From the Launcher tab

In the Related Links section

2/ What types of system can a MID Server install on? (Choose two.)

OpenVMS System

Microsoft Windows Server

Linux System

Microsoft Windows Desktop

Any system inside the customer firewall

Mac OS X System

3/ What would be the primary use case for creating Javascripts in Event Management?

To create a customized pull connector to retrieve events on behalf of an event source

To automatically populate the Configuration Management Database (CMDB)

To parse a nodename out of your raw event data in an event rule

To run as part of a remediation workflow for IT alerts that fail to execute

4/ What would you use to define the monitoring sources allowed to communicate with the
ServiceNow instance for Operational Intelligence?

Metric Registration

Metric Config Rules

Metric Type Actions

Metric to CI

5/ The value of the Alert Priority score is a composite of what?

The value of the alert's category and its relative weight

The value of the alert's category and its Priority Group

The value of the alert's Severity and its Priority Group

The value of the alert's Severity and its relative weight

6/ Which attribute is responsible for de-duplication?

Metric_name

Message_key

Short_description

Additional_info

7/ How would you interpret (diễn tả) the following data in the Operational Intelligence Insights
Explorer?
win-ces882ierw is one of your hottest Configuration Items (CIs) that is currently experiencing a
high probability of anomalies and should be checked immediately

win-ces882ierw is one of your hottest Configuration Items (CIs), but is currently experiencing a
low probability of anomalies

win-ces882ierw is one of your customized list of monitored Configuration Items (CIs) that is
currently experiencing a high probability of anomalies and should be checked immediately

win-ces882ierw is one of your customized list of monitored Configuration Items (CIs), but is
currently experiencing a low probability of anomalies

8/ What is the default collection/polling interval applied to all event connectors?

Every 120 seconds

Every 5 seconds

Every 40 seconds
Every 60 seconds

Every 10 seconds

9/ Where can you look to determine what event rule created an alert? (Choose two.)

Alert Activity

Event Additional Information

Event Processing Notes

Alert Message Key

Alert Source

10/ What feature would you use to trigger a workflow or automatically generate tasks via
templates?

Event rules

Task rules

Alert management rules

Alert correlation rules

11/ What are the valid states an alert can be in during its lifecycle?
Open, Reopen, Flapping, Closed

New, Updating, Waiting, Complete

Open, Updating, Swinging, Closed

Open, Warning, Flapping, Clear

12/ What Event Management module allows for configuration of automatic task creation?

Alert management rules

Task rules

Event rules

Alert correlation rules

13/ You have a system configured with a MID Web Server using Basic authentication to enable
Operational Management Intelligence (OI) to push raw metric data to the MID Server. No data is
getting through to the MID Server.
What is the most likely cause of the issue?

The MID Web Server needs to be Restarted

The MID Web Server needs to be Started

An invalid secret key is being passed in the header information of the URL for the REST request

An invalid password is set in the MID Web Server Context

14/ In the event table, which field maps the external attributes from the target system?

Resource

Description

Source

Additional Information

15/ By default, the Alert Console displays what type of alerts?

All Primary, Open alerts and anomaly alerts with a Severity of Critical, Major, Minor, and
Warning that are not in Maintenance mode

All Primary and Secondary Open alerts and anomaly alerts with a Severity of Critical, Major,
Minor, and Warning that are not in Maintenance mode

All Primary alerts with a Severity of Critical, Major, Minor, Warning that are not in Maintenance
mode

All Primary, Open alerts with a Severity of Critical, Major, Minor, and Warning that are not in
Maintenance mode

All Primary and Secondary Open alerts with a Severity of Critical, Major, Minor, and Warning
that are not in Maintenance mode

16/ Which are recommend best practices for Event Management? (Choose three.)
Filter out events on ServiceNow Instance for easier consolidation and aggregation.

Promote all events to alerts during initial implementation until you fully understand which should
be ignored.
Filter out events at source rather than in the ServiceNow instance.

Base-line "normal-state" events to filter out background noise.

Ignore all non-critical events during initial implementation to streamline processing; add alerts
over time as time and resources allow.

17/ For an incoming event with a matching message key, what allows an existing alert to be
automatically closed?

In the event rule, set the Severity to 0

In the alert rule, set the Severity to 0

In the alert rule, set the Severity to -1

In the event rule, set the Severity to -1

18/ A support agent resolves an incident associated with an alert, but the alert does
automatically close even though the evt_mgmt.incident_closes_alert property is set
appropriately to close the alert.
What is the most likely cause of this issue?

The support agent does not have the evt_mgmt_user role.

The support agent only has the evt_mgmt_admin role.

The support agent has the evt_mgmt_operator role, but not the evt_mgmt_user role.

The support agent has the evt_mgmt_user role, but not the evt_mgmt_operator role.
19/ What are the two most accurate statements regarding the ServiceNow CMDB (configuration
management database) and CIs (configuration items)?

The CMDB is a series of tables that contain only key hardware components located in critical
paths within your platform that must be managed.

The CMDB is a dynamic list that tracks both the CIs within your platform and the relationship
between those items.

All CIs stored in the CMDB must have an assigned IP address within your infrastructure.

A CI is any component within your infrastructure that needs to be managed in order to deliver
Services.

20/ What would you use as a central location to explore the CMDB class hierarchy, CI table
definitions, and CIs?

CI Remediations

CI Relation Types

CI Identifiers

Process to CI Type Mapping

CI Class Manager

21/ A four node cluster makes up the components (CIs) of a Business Service. The impact
influence for the cluster is set to 60%.
How many members of the cluster must be in a Critical state in order for the Business Service to
display as Critical in the Impact Tree?
1

22/ Which the following alert promotion rule defined in your ServiceNow instance, which of the
anomalies below would be automatically promoted into IT alerts on the Alert Console?

1/ A
2/ B
3/ Both anomaly A and anomaly B
4/ Neither anomaly A or anomaly B

23/ By default, Event Management tries to bind an alert to CI (configuration item), by matching
the node name in the event to which three items in the CMDB (configuration management
database)?

CI name, Fully qualified domain name, IP or MAC address

CI name, Webserver name, IP or MAC address

CI name, Fully qualified domain name, SSH public host keys

System class name, Fully qualified domain name, IP or MAC address

24/ The MID Server requires an outbound connection on which port?

445

161

443

143

25/ If more than one event rule applies to a particular event or metric, which of the event rules
will run based upon the Order of execution number?

Only the event rule with the highest Order of execution number will run.

Only the event rule with the lowest Order of execution number will run.

All event rules will run, from the lowest to the highest Order of execution numbers.

All event rules will run, from the highest to the lowest Order of execution numbers.

26/ When creating event rules, is it best practice to create:

Two rules for every event

As many rules as possible

As few rules as possible

One rule for every event

27/ During processing of the event and if the event Severity is blank, the state of the event is set
to:

Ready

Ignored

Error

Processing

28/ What two key steps must be performed after creating a new connector instance? (Choose
two.)

Assign a MID Server to the connector

Enter credentials for the connector

Debug the connector

Test the connector

Activate the connector

29/ A customer informs you that they already have monitoring and event management tools.
Which of the following describes the extra value that ServiceNow Event Management provides?
(Choose four.)

ServiceNow Event Management Alerts, Incidents, Problems, and changes are automatically
correlated with CIs and Business Services that can be visualized in Business Service maps.

ServiceNow Event Management manages relationships between alerts and related incidents to
maintain an end-to-end event management lifecycle.

ServiceNow Event Management provides a business-centric platform and single system of

record for service monitoring and remediation results, to better control and manage
performance and availability.

ServiceNow Event Management provides state-of-the-art performance monitoring capabilities

across a wide array of different types of infrastructures.

ServiceNow Event Management utilizes the power of MID Servers provide important functions
in your ITOM Health deployment.

30/ What does MID stand for?

Management, Instrumentation. and Discovery

Messaging. Integration, and Data

Monitoring. Insight. and Domain

Maintenance, Information, and Distribution with leading monitoring systems to automatically

create actionable alerts.

31/ You have an event with a Source of 'Trap from Enterprise 111', but the alert created for this
event shows a Source of 'Oracle EM'. If you want to change what this is set to, where in the
event rule would you do this?
Transform and Compose Alert Output Tab

Event rule info tab

CI Binding tab

Event Filter tab

32/ Copies of checks that have been included in Agent Client Collector policies are known as
what?

Check definitions

Check models

Check clones

Check mirrors

Check instances

33/ How often do baseline event connectors retrieve events?

Every 30 seconds

Every 2 minutes

Every 10 minutes

Every 1 minute
Every 5 minutes

34/ Which attribute correlates multiple events to one alert?

Additional_info

Message_key

Metric_name

Short_description

35/ Which attribute within an event needs to be exactly the same to allow for deduplication?

Metric Name

Message Key

Type & Node

Description

Correlation ID

36/ In default configuration using baseline connectors, how often is event data collected from
event sources?

Once every minute

Every 2 minutes

Twice every minute

Every 5 minutes

37/ What applications are included in the ITOM Health product?

Event Management and Operational Intelligence

ITOM Visibility

Discovery and Service Mapping

Cloud Management

38/ What is one of the main benefits of using Event Management and Operational Intelligence?

To improve service availability by helping IT staff pinpoint service issue causes and evaluate the
impact of planned changes.

To increase service agility and produce fast, predictable results by automating manual, routine,
error-prone tasks.

To rapidly configure and launch secure, agentless discovery of hardware and software
resources and their relationships.

To proactively warn against possible service outages using a range of advanced predictive
machine learning methods.

39/ Out-of-the-box, how often do the events get processed in ServiceNow?

Every 5 seconds

Every minute via a scheduled job

As soon as the event record is inserted via a business rule

Depends on connectors used

40/ Re-arrange in order for following sentences, from 1 to 5:

Does the event Source matching the rule?
Does the event message key matching an existing alert?
Is the event filtered out?
Is there a matching threshhold?
Is a severity defined?

Source > Filter > Threshold > Severity > Message Key

Source > Threshold > Severity > Message Key> Filter

Source > Severity > Threshold > Severity > Filter

Source > Threshold > Threshold > Filter > Severity

41/ Which is not a valid method for accessing alert intelligence?

In the right-click menu of an alert list, select Open in Workspace

By appending/workspace to your instance URL

The application navigator Alerts Console menu item

The application navigator Alert Intelligence menu item

Within an open alert record, click the Open in Workspace button

Select the Lists tab in operator workspace

42/ To determine the top incidents for the CI associated with an alert, where is the best place to
look?

Alert Insights

Incident List View

CMDB Health Dashboard

Event Management Overview page

43/ Agent Client Collector is built on what framework that enables you to adopt and extend
monitoring checks from the community?

Icinga

Sensu

SolarWinds

Nagios
Zabbix

44/ Based on the information shown, which of the following three alerts should be processed
first?

The Alert Priority score 3106020.001 was calculated according to the following factors, ordered
by their respective priority (2018-06-01 19:34:01 GMT) Category (Score, Weight)
1. Business services - (3.0, 1000000)
2. Severity - (1.0, 100000)
3. CI type - (60.0, 100)
4. Role - (2.0, 10)
5. Secondary - (0)
6. State - (1.0, 0.001)

The Alert Priority score 4406020.001 was calculated according to the following factors, ordered
by their respective priority (2018-05-31 20:04:47 GMT) Category (Score, Weight)
1. Business services - (4.0, 1000000.0)
2. Severity - (4.0, 100000.0)
3. CI type - (60.0, 100.0)
4. Role - (2.0, 10.0)
5. Secondary - (0)
6. State - (1.0, 0.001)

The Alert Priority score 3306020.001 was calculated according to the following factors, ordered
by their respective priority (2018-05-31 19:56:54 GMT) Category (Score, Weight)
1. Business services - (3.0, 1000000.0)
2. Severity - (3.0, 100000.0)
3. CI type - (60.0, 100.0)
4. Role - (2.0, 10.0)
5. Secondary - (0)
6. State - (1.0, 0.001)
They should be processed in the order in which they were received.

45/ Applying recommended Event Management best practice guidelines, which of the following
events should generate an alert?

Every event should generate an alert so you have the opportunity to resolve them all.

Only events that necessitate action should generate an alert.

Only the most critical events on every CI in the CMDB should generate an alert.

Every event on every critical CI in the CMDB should generate an alert.

46/ What attribute is used to consolidate events into a single alert?

Event Rules

Message Key

Alert Priority

Severity

47/ What makes all ServiceNow metrics, tasks, services, configuration items, assets, people,
locations, and information a single system of record for IT and business processes?

ServiceNow is installed within your datacenter providing you complete control

All applications that are built by ServiceNow utilize the same data model and code base
ServiceNow runs on supported Windows servers and is managed through Windows Update

A single table houses all data elements within ServiceNow

ServiceNow utilizes the AWS MariaDB cloud database structure, providing a single system of
record

All applications are built on the Oracle database standard, providing uniformity across products

48/ You have a very large networking environment and have noticed that your event
notifications are either not being triggered or are delayed.
What are best options to try to resolve this issue? (Choose two.)

Ensure all Event Management – process events jobs are set to a Ready state

Verify that the Bucket field in the event table is set to zero (0)

Add additional event processor jobs

Ensure multi-node event processing is disabled

49/ What event value will auto close an alert?

Severity of -1/OK

Type of Clear

Resolution State of Closing

Resolution State of Clear

Severity of 0/Clear

50/ Given the following Impact settings and Alerts in a three node cluster that makes up the
components of a Business Service, what is the overall service health of this Business Service?

Critical

Error

Major

Minor

Warning

Clear

51/ What does Operational Intelligence proactively identify before they cause service outages?

Missing CMDB data

Defects
Alert correlations

Orphaned CIs

Anomalies

52/ What is the function of the External Communication Channel (ECC) Queue? (Choose three.)

It is a connection point between a ServiceNow instance and the MID Server.

It contains probe records to be executed on the customer’s network.

It holds jobs that the MID Server needs to perform.

It is a connection point between a hardware CI on a customer’s network and the MID Server.

It contains records of CIs that the ServiceNow admin has submitted for entry into the CMDB.

53/ The correct regex to capture the name of the server in "the server webserver3.domain.com
is down" would be:

.(\w+\.\w+\.\w+).

The server (.)\s.

.\s(\w+\.\w+\.\w+).

the server (.).

54/ What is the recommended approach to normalizing data from a source system to the default
values in Event Management?

Event field mapping

Transform maps

Alert management rules

Business rules

55/ You have an event that needs to be bound to a non-host CI.

Which attribute needs to be removed from the Transform and Compose tab?

Source Instance

Metric Name

Node

Resource

56/ When are anomaly alerts generated by Operational Intelligence displayed in alert
intelligence?

When the statistical model threshold is breached

When they are promoted to IT alerts

When it is manually promoted in insights explorer

When the anomaly score is greater than 100

57/ What are the possible actions available in alert management? (Choose three.)

Execute remediation subflows

Execute remediation workflows

Launch applications

Evaluate business rule

Create a service catalog request

58/ What ServiceNow feature would you configure to process incoming email to create events?

Transforms

Inbound actions

Event processing jobs

Event Filter

Event field mapping

59/ Within a PowerShell script, which two URI’s could you use to log events directly to the
ServiceNow event table? (Choose two.)

https://[Your_ServiceNow_instance_URL]/rest_api/now/my_tables/em_event
https://[Your_ServiceNow_instance_URL]/api/global/em/jsonv2

https://[Your_ServiceNow_instance_URL]/api/now/table/em_event

https://[Your_ServiceNow_instance_URL]/api/table/em_event

https://[Your_ServiceNow_instance_URL]/rest_api/now/table/em_event

60/ If more than one alert management rule applies to a particular alert, which of the rules will
run based upon the Order of execution field?

Only the alert management rule with the highest Order of execution number will run.

Only the alert management rule with the lowest Order of execution number will run.

All alert management rules will run, from the lowest to the highest Order of execution numbers.

All alert management rules will run, from the highest to the lowest Order of execution numbers.

61/ Alerts are processed using which of the following? (Choose three.)

Alert management rules

Event action rules

Event rules

Scheduled jobs
Java and Groovy scripts

62/ The individual commands that the Agent Client Collector executes on the host are known as
what? (Choose three.)

Events

Checks

Parameters

Policies

Metrics

Scripts

63/ What is Event Management licensing based on?

The number of unique nodes that can send events to the instance

The number of connectors and listeners it will collect data from

The number of connectors it will collect data from

The number of CIs in the CMDB that it will be monitoring

64/ What missing attribute would cause an event to have a state of Error?

Metric Name
Source

Classification

Node

Severity

65/ Modified Agent Client Collector policies do not take effect until what action is taken?

The check is tested on an existing agent/host

The policy is republished

Agents re-run the discovery policy

MID server synchronization is initiated

Agents are restarted

66/ What does the Asynchronous Messaging Bus (AMB) channel do on the MID Server?

Opens an inbound connection to the MID Server

Allows Web Server transactions to be passed to ServiceNow

Sends heartbeat information to the ServiceNow instance to ensure MID is communicating

Continually queries the External Communication Channel (ECC) queue via a persistent query
67/ Within the ServiceNow IT Operations Management solution set, which statement most
accurately describes what Event Management is?

The process responsible for defining, analyzing, planning, measuring, and improving all aspects
of the availability of IT services

The process responsible for ensuring the capacity of IT Services and IT infrastructure is able to
deliver agreed upon service level targets in a cost-effective manner

The process responsible for monitoring all abnormal occurrences throughout the IT
infrastructure, allowing for normal operations, and detecting and escalating exception conditions

The process responsible for recovery action and planning through machine learning

68/ When creating a task from an alert what Event Management Module would be used?

Event Rules

Alert Correlation Rules

Task Management

Alert Management

69/ What is the preferred method of parsing in the Transform/Compose step of an event rule?

Python

Regex

sed/awk
JavaScript

70/ What are the server requirements to allow Operational Intelligence to successfully collect
operational metric data via a push?

This requires a minimum of three MID Servers - two for Event Management and one additional
MID Server dedicated for use by Operational Intelligence (OI).

This requires a MID Web Server in addition to the MID Server.

Nothing additional is required; this is handled by the MID Server.

This requires a minimum of two MID Servers - one for Event Management and one additional
MID Server dedicated for use by Operational Intelligence (OI).

71/ What would be an appropriate use case for having to write JavaScript in Event
Management?

To change the value of the message key

To create a custom action within a subflow

To parse a node name out of your raw event data in an event rule

To automatically create an incident

72/ A dynamic grouping of CIs based upon common criteria (filtered CI classes) that can be
visualized in operator workspace is called?

A business service
A technical service

An application service

A manual service

A scoped service

73/ During CI binding, CI matching is done using which two fields? (Choose two.)

Message Key

Additional Information

Source

Node

74/ What three areas of data quality does the CMDB Health Dashboard focus on? (Choose
three.)

Correctness

Completeness

Configuration

Conciseness

Conformity
Compliance

75/ When sending data from the monitoring source to the additional_info field, what format is
supported?

XML

JSON

YAML

Comma separated

76/ Which step in the event rule configuration process enables you to ignore events and prevent
alert generation?

Transform and compose alert output

Event filter

Event options

Threshold

77/ What is an alert called that moves from an open to a closed state multiple times within a
designated time-frame?

Fluctuating

Swinging
Flipping

Flapping

78/ How would you ensure the quality of data in your Configuration Management Database
(CMDB) over time?

Manually inventorying configuration items in the CMDB and eliminating duplicate configuration
items (CIs)

Only use the ServiceNow Discovery application to populate your CMDB

Using only scripts to automatically monitor for and remediate duplicate configuration items (CIs)

Having well-defined Identification, Reconciliation, and Relationship rules

79/ Which is an invalid state for an alert?

Flapping

Closed

Reopen

Processed

80/ A support agent resolves an incident associated with an alert. What is the best method to
close the alert?

Set the evt_mgmt.incident_closes_alert

Set the evt_mgmt.alert_closes_incident

Switch over to the alert form and close the alert manually

Create a business rule on the alert table to match the associated Incident with its respective
alert

Create a business rule on the incident table

81/ Impacted services for alerts are calculated using data from which table?

cmdb_ci_hardware

em_impacted_svc

cmdb_ci_rei

svc_ci_assoc

82/ A monitoring tool notification of a notable occurrence is known as what?

An alert

An event

A metric

An alarm
83/ If a Message Key is not provided, which fields are concatenated to make our own?

Source, DNS, Node, Additional info, Metric Name

Source, Type, Node, Resource, Metric Name

Source, Type, DNS, Additional info, Metric Name

Source, Source Instance, Node, Type, Resource

84/ A load balanced web application has a cluster of 5 Apache nodes. When considering impact
calculation with application cluster member rule influence set to 45, how many impacted nodes
within that cluster would cause the overall application service to have a degradation of service?

85/ A Service is not viewable in Operator Workspace. What could be the issue?

The service is a manual service

The service is not set to operational

The service was created through Service Mapping

The service is a technical service

86/ What ServiceNow feature is an aid to rapid implementation of your Event Management and
Operational Intelligence features?

Deployment wizard

Step-by-step guide

Checklist application

Guided setup

87/ The ServiceNow standard and shared set of service-related definitions that enable and
support true service level reporting is known as what?

Service level data model

Business service data model

Application service data model

Common service data model

88/ A monitoring tool notification of a notable occurrence is known as what?

An alarm

An alert
An incident

A notice

An event

A metric

89/ Which is the best option to reduce latency issues when receiving events?

Verify bucket field in em_event table > 0

Verify event_processor_job_count = 2

Verify event_processor_job_count = 0

Verify event_processor_enable_multi_node = 2

90/ The default polling time to collect events from an event source is:

5 seconds

30 seconds

60 seconds

120 seconds

91/ Which two methods can be used to improve the processing of events in large network
environments? (Choose two.)
Enable multi-node processing

Increase the source polling interval

Ensure the bucket value in the event table is greater than 0

Increase the number of scheduled jobs processing events

92/ The Event Management operator workspace can display all of the following except?

Alert groups

Manual application services

Discovered application services from Service Mapping

Correlation groups

Technical services

93/ Within an event rule, how would you parse a nodename out of your raw event data?

JavaScript

Groovy script

PowerShell script

Regex statement
94/ If events are not matching to alerts as you would like, what field should be changed?

Resource

Message Key

Node

Metric Name

95/ If the Message Key is not populated, the default value is created from which fields?

Source, Type, Node, Resource, and Metric name

Source, source instance, node, and resource

Source, type, node, and metric name

Source, source instance, node, and type

Source, type, node, resource, and time of event

96/ Processing on an event will create a state of error if what value is not set?

Node

Source

Severity
Message Key

Resource

97/ When performing CI Binding, what fields does Event Management match to the Node?

CI Name, DNS, IP, MAC Address

System class name, FQDN, IP or MAC address

CI name, FQDN, SSH public host keys

CI Name, FQDN, IP, MAC Address

98/ Applying recommended Event Management best practice guidelines, which of the following
alerts should be processed first?
Alert00l0042

Alert0010003

Alert00l0075

Alert00l0074

99/ What is the minimum role needed to view alerts?

alert_operator

evt_mgmt_user

evt_mgmt_operator

alert_user

100/ By default, when are idle alerts are closed?

After 7 days

After 14 days

After 30 days

Never
101/ Tag-based alert clustering tags can contains many match methods, they are? (choose 3
answers)

Proximal

Subset

Fuzzy

Exact

Pattern

102/ A command which Agent Client Collector run on a host is considered as?

Scripts

Policies

Events

Checks

Metrics

Alerts