
Servicenow-CIS-EM Exam Information and Outline
Certified Implementation Specialist - Event Management
Servicenow-CIS-EM Exam Syllabus & Study Guide
Before you start practicing with our exam simulator, it is essential to understand the official Servicenow-CIS-EM exam objectives. This course outline serves as your roadmap, breaking down exactly which technical domains and skills will be tested. By reviewing the syllabus, you can identify your strengths and focus your study time on the areas where you need the most improvement.
The information below reflects the latest 2026 course contents as defined by ServiceNow. We provide this detailed breakdown to help you align your preparation with the actual exam format, ensuring there are no surprises on test day. Use this outline as a checklist to track your progress as you move through our practice question banks.
Below is the complete topic breakdown from the latest syllabus and course outline, to help you understand the exam objectives and the topics you need to prepare. These contents are covered in the exam's question-and-answer pool.
Exam Code: CIS-EM
Exam Name: ServiceNow Certified Implementation Specialist - Event Management
Number of Questions: 30 scored questions (multiple-choice, multiple-select, and true/false formats; may include up to 4 additional unscored questions for future exam development)
Time Allotted: 90 minutes
Passing Marks: Estimated ~70%
Exam Format: Online proctored or at a testing center
Event Management Overview 15-20%
- Event Management Fundamentals:
- Definition of events as discrete occurrences that have significance for IT operations management or business processes.
- Distinction between events, alerts, and incidents: Events are raw data points; alerts are processed events indicating potential issues; incidents are confirmed disruptions requiring resolution.
- Value proposition: Reduces mean time to detect (MTTD) and mean time to resolve (MTTR) by automating event processing and correlating with configuration items (CIs).
- ITOM Visibility and Event Management Role:
- Overview of IT Operations Management (ITOM) suite: Event Management as a component alongside Discovery, Service Mapping, and Cloud Management.
- Business outcomes: Improved service availability, reduced downtime, and enhanced operational efficiency through real-time monitoring.
- Event Processing Workflow:
- High-level flow: Event ingestion → Processing (rules, filters) → Alert creation → Notification and task generation.
- Event: A record in the em_event table representing an occurrence (e.g., threshold breach).
- Alert: A record in the em_alert table, created when an event matches criteria indicating a potential issue.
- CI Relation: Association of events/alerts to Configuration Items (CIs) from the cmdb_ci table for impact analysis.
- Additional Information (Additional Info): JSON payload in events carrying contextual data like node, metric, and severity.
- Roles and Permissions:
- Core roles: evt_mgmt_admin (full access to Event Management), evt_mgmt_operator (view and update alerts/tasks), itil (basic incident-related access).
- Security considerations: Field-level access controls on em_event and em_alert tables.
Architecture and Discovery 20-25%
- Event Management Architecture:
- Core components: Event Management engine, MID Servers for connector communication, and integration with the Common Event Format (CEF) or SNMP traps.
- Scalability: Horizontal scaling via multiple nodes, use of ECC Queue for inbound event queuing.
- Integration points: With ITOM Health (AIOps) for anomaly detection and Orchestration for automated remediation.
- Discovery Integration:
- Role of ServiceNow Discovery: Populates the CMDB with CIs, enabling event correlation to business services.
- Event rules leveraging Discovery data: Mapping events to CIs via identification rules and relationship mapping.
- MID Server: Managed Instance Discovery Server, a lightweight agent for secure communication between ServiceNow instance and external sources.
- Connector: Plugins like REST Message or SNMP Connector for event ingestion (e.g., ServiceNow Event Management Connector).
- CMDB (Configuration Management Database): Central repository of CIs; events query cmdb_ci for impact assessment.
- Identification and Reconciliation Engine (IRE): Ensures unique CI identification during Discovery to avoid duplicates.
- System Requirements and Setup:
- Prerequisites: Activation of Event Management plugin (com.glide.itom.event_management), MID Server installation.
- Monitoring setup: Configuring probes and sensors in Discovery for infrastructure monitoring.
- Data Ingestion Methods:
- Protocols: Syslog, SNMP, REST API, WMI.
- Queue management: Inbound actions on ecc_agent queues for processing.
Event Configuration and Use 25%
- Event Rules and Processing:
- Event Rule sets: Collections of rules applied to incoming events for transformation, filtering, and alert creation.
- Rule types: Transform & Compose (modifies event fields), Manual (custom scripts), Auto (AI-based classification).
- Workflow: Event arrives → Matches rule set → Applies filters/transforms → Creates alert if criteria met.
- Alert Management:
- Alert policies: Define aggregation (grouping similar alerts), correlation (linking to incidents), and notification rules.
- Use cases: Deduplication of events from the same source, severity mapping (e.g., Critical, Major, Minor).
- Configuration Best Practices:
- Field mapping: Standardizing event fields like source, type, severity, node, description, metric, resource.
- CI binding: Using transform maps to associate events with CIs.
- Event Filter: Conditions to include/exclude events (e.g., source IP != "blacklisted").
- Event Transform Map: Maps external event fields to ServiceNow em_event fields (e.g., external "sev" to "severity").
- Alert Aggregation: Grouping alerts by CI or type to reduce noise (e.g., bucket alerts in em_alert_aggregate).
- Event Field Dictionary: Core fields include type (default, operational, heartbeat), severity (1-5 scale), node (hostname/IP), description (human-readable summary).
- Rule Set: Ordered list of event rules; default "Event Management Default" processes all events.
- Advanced Configuration:
- Custom scripts: Business rules on em_event for enrichment (e.g., GlideRecord queries to CMDB).
- Integration with AIOps: Event Impact Analysis for prioritizing based on business impact.
Alerts and Tasks 20%
- Alert Lifecycle:
- States: New, Open, Resolved, Closed; transitions via business rules or manual assignment.
- Correlation: Linking alerts to incidents via alert groups or CI relations.
- Task Generation:
- Automated workflows: From alerts to incidents (em_incident table) or problems using Flow Designer or Orchestration.
- Assignment rules: Based on CI owner, assignment groups, or event source.
- Notifications and Reporting:
- Notification policies: Email/SMS triggers on alert creation/update.
- Dashboards: Event Management Dashboard for alert trends, using Performance Analytics.
- Alert Group: Logical grouping of related alerts (e.g., by service) for bulk management.
- Event Task: Generic task (task table) spawned from alerts; subtypes include em_alert_task for custom actions.
- Correlation ID: Unique identifier for linking related events/alerts (e.g., UUID in additional_info).
- Impact Tree: Visual representation of CI dependencies affected by an alert.
- Remediation Task: Workflow-generated task for resolution, often integrated with Change Management.
- Incident Integration:
- Event-to-Incident rules: Criteria for auto-creating incidents (e.g., severity > 3).
- Closure policies: Auto-resolve incidents when related alerts close.
Event Sources 15-20%
- Common Event Sources:
- Monitoring tools: Nagios, SolarWinds, SCOM (System Center Operations Manager) via connectors.
- Cloud providers: AWS CloudWatch, Azure Monitor, GCP Stackdriver events.
- Network devices: SNMP traps, Syslog messages.
- Connector Configuration:
- REST/SOAP APIs: Polling or push-based ingestion using REST Message V2.
- Third-party integrations: Pre-built connectors in IntegrationHub (e.g., for IBM Tivoli).
- Payload Handling:
- Parsing: Using transform scripts to extract fields from JSON/XML payloads.
- Security: Authentication via OAuth, API keys; encryption for sensitive data.
- SNMP Trap: Simple Network Management Protocol notification from devices (processed via SNMP MIB).
- Syslog: Standard protocol for log messages; forwarded to ServiceNow via MID Server.
- Webhook: HTTP callback for real-time event push (configured in Event Management Webhooks).
- Connector Instance: Specific configuration of a connector (e.g., "SolarWinds Connector" with credentials).
- Payload: Raw data in events, often in additional_info as key-value pairs (e.g., {"cpu_usage": 95}).
- Troubleshooting Sources:
- Logs: Event Management logs (syslog table filtered by source "Event Management").
- Testing: Simulate events via "Create Event" UI action.