Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Instance Security Center

Log in to subscribe to topics and get notified when content changes.

Instance Security Center

Monitor the compliance level of instance security controls, view security event monitoring metrics, and configure and maintain instance security settings all from within the Instance Security Center. The Instance Security Center consolidates several key security components into a single control console that helps you detect, protect, and respond to instance-based security events.

From the Instance Security Center homepage, you can view the security compliance score for your instance and monitor its overall security health. You can then configure or update system properties that are related to your instance security so that they comply with security requirements.

To access the Instance Security Center, navigate to System Security > Instance Security Center or the System Administration homepage.

Instance security center homepage

User roles

To use the Instance Security Center, you must have the admin or security_dashboard_user role.

User Required role Benefits
Security personnel in your organization who monitor security-related information for an instance and have authorization to change security hardening settings. They should be able to return to the Instance Security Center at any time to adjust settings and manage the overall security health of an instance. admin Continually monitoring and managing instance security compliance.
Security personnel in your organization who monitor security-related information for an instance but do not have authorization to change security hardening settings. For example, a security analyst with this role can view instance security information, but would need another user with an admin role to make actual security setting updates. security_dashboard_user Continually monitoring instance security compliance to detect and respond to security threats.
Warning: To ensure that the Instance Security Center receives up-to-date security information with every upgrade, do not customize this module. If you change any security settings on your instance, make sure that you test them in a non-production environment first.
The Instance Security Center homepage contains the following security components:
  • Rotating security banner
  • Search
  • Event ribbon
  • Daily compliance score
  • Hardening
  • Metrics
  • Email
  • Knowledge
  • Notifications
  • Tours
  • Security testing portal
  • Security center
  • Help

Rotating security banner

To assist you in monitoring the security health of your instance, critical instance security messages appear in the rotating banner. Two to three security messages at a time rotate at a regular interval. The dots at the bottom of the banner show you the total number of current security messages. To navigate through them, click the dots or click the arrows that appear on either side of the messages.

The banner background colors indicate the relative severity of the messages.
Color Description
Red Critical security situation requiring a timely response, or a recommendation on how to protect or respond to critical security events.
Dark gray Non-critical warning message.
Blue General information message.


Use the search bar to search the entire Instance Security Center for security resources that assist you with understanding and resolving security issues. You can search through security-related HI Knowledge Base articles, Instance Security Center pages, external HI links, PA security widgets (for example, Daily Compliance Score, Spam, and External Incoming Emails), or banner content.

Event ribbon

Use the event ribbon to view key security event monitoring metrics for the current instance.
  • To manually scroll through the metrics, click the right or left arrow keys.
  • To configure the event ribbon, click Edit.

To learn more about the event ribbon and how to configure it, see Identifying potential security events and Configure the event ribbon.

Daily compliance score

The Daily Compliance Score section contains the Daily Compliance Score, Hardening, Metrics, Email, and Knowledge tiles.

The Daily Compliance Score is a percentage that is based on how compliant your current instance security settings are with the suggested security setting guidelines that are published in the ServiceNow Instance Hardening [KB0550654] article in the HI Knowledge Base. You use this score as a relative gauge of how healthy your instance is from a security standpoint.


The Hardening Configurations page contains Mandatory, Recommended, and Optional hardening settings that you can update for your instance security.

To learn how the Daily Compliance Score is calculated, and how hardening settings impact it, see Checking the daily compliance score and hardening security settings.


View the key security metrics for the instance and the details for each metric. The details that appear for each metric depend on their type. To access the Metrics page, click the Metrics tile or link on the Instance Security Center homepage. Security metrics include:

Number of users with admin roles
Indicates the number of users with assigned admin, security_admin, impersonator, and oath_admin roles. When you click the metric, the User Roles page appears and lists users with either role. Click a user name to view more details about that user.

You can then determine if these security-critical roles are assigned to the proper personnel.

Events per user
Shows the metrics for different security events, indicates the number of users in admin and high-privileged roles, and breaks down security events by user. These security events include Admin Login, External Login, Failed Login, Security Elevation, and Impersonation. To learn more about each type of event, see Identifying potential security events.
  • When you click the metric, the Security Dashboard Event Logs page appears and lists each event for the corresponding user login.
  • Click an event link to view more details about the event. You can then gain insights into the types of activities that users with certain assigned roles are attempting to perform. You can also determine if these events are legitimate activities from a security standpoint.


You can view single score metrics that are related to emails, review detailed information about each metric, and designate blacklisted or whitelisted email domains.

To learn more about email security and blacklisting or whitelisting of email domains, see Monitoring email security and Designate email domains as blacklisted or whitelisted.


Access HI Knowledge Base articles, resources, and blogs that are related to instance security. These resources include security coding, security compliance, security fixes, and related topics.


The notifications bell icon (Notification icon) appears in the upper-right corner of the Instance Security Center.
  • Whenever someone adds or assigns privileged roles (admin, security_admin, impersonator, or oath) to users in the instance, a notification appears next to the bell icon. If there are more than three occurrences during the calendar day, a fourth notification groups the remaining notifications. If these actions were not taken during the calendar day, the bell icon does not appear.
  • When you click the bell icon and one of the notifications appear, you can view the Roles (sys_user_role) table. Use this table to see which users were assigned privileged roles during the calendar day. Using this history helps you to determine if roles have been properly assigned.


View a guided visual tour of the Instance Security Center homepage components by clicking the Tours link in the upper-right corner of the Instance Security Center.
Note: The guided tour only includes the security monitoring functions that are listed on the homepage. It does not include the security functions that you access when you click the tiles or links on the homepage.

Security testing portal, security center, and help

The HI Service Portal is a central resource that you use to manage instances, tasks, and accounts. Click the tiles at the bottom of the Instance Security Center homepage to access the HI Security Testing Portal, the Security Testing Portal, or to submit an incident to ServiceNow Technical Support.

Running performance analytics

Trends and graphs that appear in the Daily Compliance Score tile are updated every night after the performance analytics job executes at 02:00 local time. A user with an assigned admin role typically runs performance analytics jobs.
Note: When you perform an upgrade (for example, from London to Madrid), the Instance Security Center (ISC) plugin is automatically activated. A ServiceNow-supplied fix script automatically assigns a custom user without any assigned roles.
Note: If you see errors that may be due to the number of records being processed when running the performance analytics job, you can increase the maximum number of records per query. To increase this count, use the and properties in the sys_properties table. To learn more about these properties, see Performance Analytics properties.
Note: When you perform an upgrade (for example, from London to Madrid), the Instance Security Center (ISC) plugin is automatically activated. A ServiceNow-supplied fix script automatically assigns a custom user without any assigned roles.