Troubleshooting Methodology 🩺

Global IT Troubleshooting Methodology

Step Phase Name   Purpose       Key Keywords      Concrete Example

1 Problem Identification Define the symptom objectively symptom, error code, scope, impact

VPN error 809 after login

2 Information Gathering Collect technical evidence logs, user input, environment

Event Viewer, firewall logs

3 Scope & Impact Analysis Measure blast radius single user, global, intermittent

One user vs all users

4 Hypothesis Formation Form testable causes root cause, probability, OSI

Firewall blocking UDP 500

5 Testing & Isolation Validate or eliminate causes test, rollback, isolate

Disable firewall temporarily

6 Root Cause Identification Explain why failure occurred underlying cause, failure mechanism

Policy update blocked traffic

7 Resolution Implementation Apply stable fix configuration, change control

Add firewall exception

8 Verification & Monitoring Confirm resolution durability monitoring, validation

VPN stable 30 minutes

9 Documentation Preserve organizational knowledge KB, incident record

Internal troubleshooting article

10 Prevention & Improvement Reduce recurrence risk alerting, baseline, automation

Certificate expiry alert

Below is a clear, simplified explanation of ITSM, followed by how ServiceNow implements it, and how APM ties into ITIL processes. This is interview-ready and operational, not theoretical.

1️⃣ What is ITSM (IT Service Management)

⭐ ITSM is a structured way to design, deliver, operate, and improve IT services so they support business needs, not just technology.

Key idea:
IT is treated as a service, not a collection of servers or tickets.

Example:
❌ “We fix computers.”
✅ “We provide a reliable workplace computing service with defined response times.”

ITSM answers four core questions:
⭐ What service is provided?
⭐ Who is responsible?
⭐ How issues are handled?
⭐ How quality is measured and improved?

2️⃣ ITIL vs ITSM (important distinction)

1️⃣ ITIL
⭐ A framework of best practices
⭐ Explains what processes should exist
⭐ Not a tool, not software

2️⃣ ITSM
⭐ The operational implementation of those practices
⭐ Can exist with or without ITIL

3️⃣ ServiceNow
⭐ An ITSM platform
⭐ Implements ITIL concepts in a workflow-based system

Short interview sentence:

“ITIL defines best practices, ITSM applies them operationally, and ServiceNow is a platform that automates ITSM workflows.”

3️⃣ What is ServiceNow (in practical terms)

⭐ ServiceNow is a cloud-based ITSM platform that centralizes:

⭐ Tickets
⭐ Workflows
⭐ Automation
⭐ Reporting
⭐ Configuration data

It acts as the single source of truth for IT operations.

Think of it as:
⭐ Ticketing system +
⭐ Workflow engine +
⭐ CMDB +
⭐ Reporting dashboard

4️⃣ Core ITIL Processes in ServiceNow (simplified)

⭐ Event Management

Purpose: Detect issues automatically.

How ServiceNow handles it:
⭐ Monitoring tools send alerts
⭐ Events are logged
⭐ Thresholds trigger actions

Example:
CPU usage > 90% → Event generated → Possible incident created.

⭐ Incident Management

Purpose: Restore service as fast as possible.

ServiceNow actions:
⭐ Incident ticket creation
⭐ Priority assignment (Impact × Urgency)
⭐ SLA tracking

Example:
User cannot access email → Incident → Resolved → Closed.

Important:
Incident Management focuses on speed, not deep analysis.

⭐ Problem Management

Purpose: Prevent recurrence.

ServiceNow actions:
⭐ Link incidents to a problem record
⭐ Root cause analysis (RCA)
⭐ Known Error Database (KEDB)

Example:
Multiple VPN incidents → One underlying firewall misconfiguration → Permanent fix.

Key distinction:
Incident = fire extinguisher
Problem = fire prevention system

⭐ Change Management

Purpose: Control risk when modifying systems.

ServiceNow actions:
⭐ Change requests (Standard / Normal / Emergency)
⭐ Approval workflows
⭐ Change calendars

Example:
Firewall rule update requires approval before deployment.

This avoids:
“Fixing one issue and breaking five others.”

⭐ Continual Service Improvement (CSI)

Purpose: Improve services over time.

ServiceNow enables:
⭐ Metrics (MTTR, incident volume)
⭐ Trend analysis
⭐ Improvement initiatives

Example:
Repeated Wi-Fi issues → Upgrade access points → Fewer incidents.

CSI turns data into decisions.

5️⃣ Where APM (Application Performance Monitoring) fits

⭐ APM observes application health in real time
⭐ It feeds ITSM processes with objective data

APM → ITIL mapping:
⭐ Event Management → Detect anomalies
⭐ Incident Management → Auto-create incidents
⭐ Problem Management → Identify recurring patterns
⭐ Change Management → Validate post-change impact
⭐ CSI → Measure performance trends

In ServiceNow:
⭐ APM alerts can automatically open incidents
⭐ Metrics populate dashboards
⭐ Correlation reduces false positives

6️⃣ One-sentence interview answer (very strong)

“ITSM is the structured management of IT services; ITIL defines the best practices, and ServiceNow operationalizes them by automating incident, problem, change, and improvement workflows, often fed by monitoring tools like APM.”

1️⃣ 802.1X (Network Access Control)
⭐ Access: Permission to connect to a network
⭐ Authentication: Identity verification process
⭐ Authorization: Granting network privileges
⭐ EAP: Authentication framework
⭐ RADIUS: Centralized authentication server
⭐ Supplicant: Device requesting access
⭐ Authenticator: Switch or AP enforcing access
⭐ Port-Based: Controls physical/logical ports
⭐ Secure: Prevents unauthorized connections
⭐ Enterprise: Common in corporate networks

2️⃣ Active Directory (AD)
⭐ Directory: Central identity database
⭐ Domain: Administrative boundary
⭐ Forest: Collection of domains
⭐ LDAP: Directory access protocol
⭐ Kerberos: Ticket-based authentication
⭐ GPO: Policy enforcement mechanism
⭐ Controller: Domain authentication server
⭐ User: Identity object
⭐ Computer: Managed endpoint
⭐ Trust: Relationship between domains

3️⃣ ARP (Address Resolution Protocol)
⭐ Resolution: IP-to-MAC mapping
⭐ IP Address: Logical network identifier
⭐ MAC Address: Hardware identifier
⭐ Broadcast: Network-wide request
⭐ Request: ARP query message
⭐ Reply: MAC address response
⭐ Cache: Stored mappings
⭐ Layer 2: Data link operation
⭐ Local: Same subnet only
⭐ Spoofing: ARP poisoning attack

4️⃣ Bridge (Layer-2 Device)
⭐ Connects: Network segments
⭐ Filters: Reduces traffic
⭐ MAC-Based: Uses hardware addresses
⭐ Forwarding: Sends frames selectively
⭐ Collision Domain: Reduced size
⭐ Learning: Builds MAC table
⭐ Transparent: No host changes required
⭐ Spanning Tree: Prevents loops
⭐ Legacy: Rarely used today
⭐ LAN: Local networks

5️⃣ CI/CD Pipeline
⭐ Integration: Frequent code merging
⭐ Delivery: Automated releases
⭐ Automation: Removes manual steps
⭐ Build: Compiling code
⭐ Test: Validation stage
⭐ Deploy: Release to environment
⭐ Pipeline: Sequential workflow
⭐ Repository: Source control system
⭐ Artifact: Build output
⭐ Feedback: Test/deploy results

6️⃣ CRM (Customer Relationship Management)
⭐ Customer: Client entity
⭐ Sales: Deal tracking
⭐ Marketing: Campaign automation
⭐ Support: Case management
⭐ Database: Customer records
⭐ Analytics: Insights generation
⭐ Automation: Workflow efficiency
⭐ Integration: Connects with ERP
⭐ Lifecycle: Customer journey
⭐ Retention: Relationship management

7️⃣ DDoS (Distributed Denial of Service)
⭐ Distributed: Multiple attack sources
⭐ Denial: Service disruption
⭐ Traffic: Malicious volume
⭐ Botnet: Compromised devices
⭐ Flooding: Resource exhaustion
⭐ Amplification: Attack magnification
⭐ Mitigation: Defensive measures
⭐ Bandwidth: Saturated capacity
⭐ Availability: Targeted principle
⭐ Protection: Rate limiting, scrubbing

8️⃣ DHCP (Dynamic Host Configuration Protocol)
⭐ Automatic: No manual IP assignment
⭐ IP Address: Network identifier
⭐ Lease: Time-bound assignment
⭐ Scope: IP range pool
⭐ Server: Address distributor
⭐ Client: Requesting device
⭐ Renewal: Lease extension
⭐ Reservation: Fixed IP assignment
⭐ Option: Additional config (DNS, GW)
⭐ Broadcast: Initial discovery

9️⃣ DMARC (Email Authentication Policy)
⭐ Domain: Email identity
⭐ Policy: Fail handling rules
⭐ Alignment: Header consistency
⭐ Reporting: Authentication feedback
⭐ Authentication: Sender verification
⭐ SPF: Sender IP validation
⭐ DKIM: Message integrity
⭐ Phishing: Fraud prevention
⭐ Enforcement: Reject/quarantine actions
⭐ DNS: Policy publication

🔟 DNS (Domain Name System)
⭐ Resolution: Name-to-IP translation
⭐ Domain: Namespace segment
⭐ Query: Lookup request
⭐ Server: Resolver/authoritative
⭐ Record: A, AAAA, MX, TXT
⭐ Zone: Administrative portion
⭐ Cache: Performance optimization
⭐ Hierarchy: Root → TLD → Domain
⭐ TTL: Cache duration
⭐ Availability: Critical infrastructure

1️⃣1️⃣ DNSSEC (DNS Security Extensions)
⭐ Security: Spoofing prevention
⭐ Signature: Cryptographic proof
⭐ Validation: Authenticity check
⭐ Key: Cryptographic material
⭐ Trust Chain: Root to domain
⭐ Zone: Signed namespace
⭐ Integrity: Data protection
⭐ Authenticity: Verified origin
⭐ Record: DNSSEC-specific entries
⭐ Protection: Cache poisoning defense

1️⃣2️⃣ EDR (Endpoint Detection & Response)
⭐ Endpoint: User device
⭐ Detection: Threat identification
⭐ Response: Automated remediation
⭐ Monitoring: Continuous visibility
⭐ Behavior: Activity analysis
⭐ Threat: Malicious action
⭐ Forensics: Incident investigation
⭐ Automation: Rapid containment
⭐ Telemetry: Endpoint data
⭐ Integration: SIEM/XDR

1️⃣3️⃣ ERP (Enterprise Resource Planning)
⭐ Enterprise: Organization-wide scope
⭐ Resources: Assets and processes
⭐ Integration: Unified platform
⭐ Finance: Accounting module
⭐ HR: Workforce management
⭐ Supply Chain: Logistics tracking
⭐ Database: Centralized data
⭐ Automation: Process efficiency
⭐ Reporting: Business intelligence
⭐ Scalability: Organizational growth

1️⃣4️⃣ Firewall
⭐ Filtering: Traffic control
⭐ Rules: Allow/deny logic
⭐ Packet: Network data unit
⭐ Stateful: Connection tracking
⭐ Inspection: Payload analysis
⭐ Port: Communication endpoint
⭐ Zone: Trust boundary
⭐ NAT: Address translation
⭐ Security: Perimeter defense
⭐ Policy: Enforcement logic

1️⃣5️⃣ HTTP / HTTPS
⭐ Protocol: Web communication
⭐ Request: Client call
⭐ Response: Server reply
⭐ Stateless: No session memory
⭐ Header: Metadata container
⭐ Method: GET, POST, PUT
⭐ Port: 80 / 443
⭐ TLS: Encryption layer
⭐ Secure: HTTPS protection
⭐ Web: Application transport

1️⃣6️⃣ IaC (Infrastructure as Code)
⭐ Infrastructure: IT resources
⭐ Code: Declarative definitions
⭐ Automation: Provisioning logic
⭐ Version Control: Change tracking
⭐ Template: Reusable configs
⭐ Consistency: Environment parity
⭐ Deployment: Apply changes
⭐ Scalability: Elastic growth
⭐ Tooling: Terraform, Ansible
⭐ Auditable: Traceable changes

1️⃣7️⃣ IP Addressing
⭐ Logical: Software-assigned
⭐ IPv4: 32-bit format
⭐ IPv6: 128-bit format
⭐ Public: Internet-routable
⭐ Private: Internal-only
⭐ Static: Manual assignment
⭐ Dynamic: DHCP-based
⭐ Subnet: Network segmentation
⭐ Gateway: Exit route
⭐ Host: Device identifier

1️⃣8️⃣ IP Spoofing
⭐ Spoofing: Identity falsification
⭐ Source: Fake sender IP
⭐ Packet: Forged headers
⭐ Attack: Trust exploitation
⭐ DDoS: Common technique
⭐ Detection: Anomaly analysis
⭐ Filtering: Ingress rules
⭐ Firewall: Blocking spoofed traffic
⭐ Authentication: Source validation
⭐ Prevention: Network hygiene

1️⃣9️⃣ ITIL (IT Service Management Framework)
⭐ Framework: Best practices
⭐ Service: Value delivery
⭐ Incident: Service disruption
⭐ Problem: Root cause
⭐ Change: Controlled modification
⭐ Release: Deployment planning
⭐ Asset: Configuration item
⭐ Continual Improvement: Optimization cycle
⭐ SLA: Service commitments
⭐ Governance: Process oversight

2️⃣0️⃣ ITSM (IT Service Management)
⭐ Service: User-facing IT
⭐ Support: Helpdesk operations
⭐ Delivery: Service execution
⭐ Incident: User issue
⭐ Problem: Recurring faults
⭐ Change: Controlled updates
⭐ Asset: Hardware/software tracking
⭐ Request: User demand
⭐ Workflow: Process automation
⭐ Customer: End user

2️⃣1️⃣ Load Balancing
⭐ Load: Incoming requests
⭐ Distribution: Traffic spreading
⭐ Algorithm: Round-robin, least-conn
⭐ Server: Backend node
⭐ Availability: Uptime assurance
⭐ Redundancy: Failover design
⭐ Health Check: Node monitoring
⭐ Scalability: Horizontal growth
⭐ Performance: Response optimization
⭐ Resilience: Fault tolerance

2️⃣2️⃣ Malware (General Category)
⭐ Malicious: Harmful intent
⭐ Virus: Host-dependent
⭐ Worm: Self-propagating
⭐ Trojan: Disguised payload
⭐ Ransomware: Encrypted extortion
⭐ Spyware: Data theft
⭐ Adware: Unwanted advertising
⭐ Payload: Malicious code
⭐ Detection: AV/EDR tools
⭐ Prevention: Patching, awareness

2️⃣3️⃣ Phishing
⭐ Social Engineering: Human exploitation
⭐ Email: Primary vector
⭐ Spoofing: Fake sender
⭐ Link: Malicious URL
⭐ Attachment: Infected file
⭐ Credentials: Targeted data
⭐ Awareness: User training
⭐ Filtering: Email gateways
⭐ Reporting: Incident response
⭐ Simulation: Training campaigns

2️⃣4️⃣ Ransomware
⭐ Encryption: Data locking
⭐ Ransom: Payment demand
⭐ Cryptocurrency: Payment method
⭐ Attack Vector: Phishing, RDP
⭐ Backup: Recovery mechanism
⭐ Decryption: Key release
⭐ Downtime: Business impact
⭐ Prevention: Security controls
⭐ Response: Incident handling
⭐ Recovery: System restoration

2️⃣5️⃣ SIEM (Security Information & Event Management)
⭐ Logs: Collected events
⭐ Correlation: Pattern detection
⭐ Alerting: Threat notification
⭐ Dashboard: Security visibility
⭐ Compliance: Regulatory support
⭐ Retention: Log storage
⭐ Analytics: Threat analysis
⭐ Automation: SOAR integration
⭐ Integration: Multiple sources
⭐ Monitoring: Central oversight

2️⃣6️⃣ SSL / TLS
⭐ Encryption: Data protection
⭐ Certificate: Identity proof
⭐ CA: Certificate authority
⭐ Handshake: Secure setup
⭐ Asymmetric: Key exchange
⭐ Symmetric: Session encryption
⭐ Authentication: Server verification
⭐ Integrity: Data protection
⭐ HTTPS: Secure web traffic
⭐ Trust: PKI model

2️⃣7️⃣ Subnetting
⭐ Segmentation: Network division
⭐ Mask: Address boundary
⭐ CIDR: Notation standard
⭐ Broadcast: Subnet-wide traffic
⭐ Range: IP allocation
⭐ Isolation: Traffic control
⭐ Routing: Inter-subnet paths
⭐ Efficiency: Address optimization
⭐ Design: Network planning
⭐ Security: Reduced exposure

2️⃣8️⃣ VPN (Remote & Site-to-Site)
⭐ Tunnel: Encrypted channel
⭐ Encryption: Data security
⭐ Authentication: Identity verification
⭐ Remote Access: User connectivity
⭐ Site-to-Site: Network linking
⭐ IPSec: Secure protocol
⭐ SSL: Application-layer VPN
⭐ Gateway: Tunnel endpoint
⭐ Routing: Private traffic flow
⭐ Confidentiality: Data privacy

2️⃣9️⃣ XDR (Extended Detection & Response)
⭐ Extended: Multi-layer scope
⭐ Endpoint: Device telemetry
⭐ Network: Traffic analysis
⭐ Cloud: SaaS/IaaS coverage
⭐ Detection: Threat discovery
⭐ Response: Automated actions
⭐ Correlation: Cross-domain events
⭐ Analytics: Advanced insights
⭐ Automation: Rapid mitigation
⭐ Visibility: Unified security view