Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • Now Platform administration
Table of Contents
Choose your release version
    Home New York Now Platform Administration Now Platform administration Platform security Instance Security Center Identifying potential security events

    Identifying potential security events

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    Identifying potential security events

    Analyze the metrics from your instance so that you can identify and prevent potential security events.

    In the event ribbon, which is on the Instance Security homepage, you can analyze these metrics and accompanying detail to identify potential security events in the instance.
    • For each event metric, a real-time single score count appears, indicating how many times that the event occurred during the day. These single score reports are updated automatically as the corresponding events take place.
    • Each event metric also contains compliance trend and graph information over a range of dates that is updated daily when the performance analytics job runs. To learn more, see the Analyzing event trend detail section.

    Event types

    You can monitor at least six of the following types of events. For more than six events, use the left or right arrows below the event ribbon to scroll through them. To learn how to configure the event ribbon, see Configure the event ribbon.

    Admin Logins
    Number of login attempts during the calendar day by users who have an assigned admin role.
    Admin Users added
    Number of users with an admin role that were added during the calendar day.
    For example, if the count is 10, but 4 users are known to have an assigned admin role, your instance may have a security issue.
    External Logins
    Number of users with an assigned snc_external role who logged in during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes. Monitoring this metric enables you to verify that the external login attempts are legitimate and not potential security issues.

    To learn more about assigning external user roles, see Explicit Roles.

    Failed Logins
    Number of attempted logins that failed during the calendar day.

    This metric may indicate that attempts are being made to log in and compromise your instance security.

    Impersonations
    Number of impersonation logins during the calendar day. To learn how you can impersonate users for testing and use impersonation logs, see Impersonate a user.
    Security Elevations
    Number of times that a security administrator elevates security for standard users by changing their assigned user role to a security_admin role during the calendar day. To learn more about elevating user security, see Elevate to a privileged role and Elevated privilege roles.

    This metric indicates that someone might have tried to elevate the security of an unauthorized user. Do not use this metric by itself to detect a specific security compromise. Instead, treat this metric as an indication that you should check another metric to see if a security compromise has occurred.

    SNC Logins
    Number of ServiceNow Technical Support personnel who logged in using the hi-hopping technique during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes.

    For information on how to control ServiceNow corporate employee access, see ServiceNow access control.

    Note: The Spam,External Incoming Email, Untrusted Incoming Email, and Trusted Incoming Email email counts also appear by default on the event ribbon. To learn more about each, see Monitoring email security.

    Analyzing event trend detail

    To view trend details for an event metric, click the event count to access the Analytics Hub page. The details that appear for the instance depend on the type of metric.

    Example

    For example, when you select the Failed Logins metric and click Show Records in the Analytics Hub page, you see a list of each failed attempt on the Security Dashboard Event Logs page. Click one of the failed login attempts to view the name of the user who attempted to log in, their IP address, and the table name that they tried to access.

    You can set up event threshold triggers in the Analytics Hub to provide alerts when a certain event occurs within a range of scores for an indicator. You can also set targets that enable you to visualize the difference between the desired score and the actual score of an event.

    Example

    For example, you can set a threshold of 10 for the Failed Logins metric. When ten or more failed login attempts occur during the day, an alert is sent to specific security personnel. You can also set a similar target that provides a visual highlight in the Analytics Hub when ten failed logins occur during a day.

    Trend data and graphs that appear in the following Instance Security Center pages are updated after the performance analytics job executes at 02:00 local time:
    • Event ribbon tiles, and in the Analytics Hub page detail when you click one of the event tiles.
    • Daily Compliance Score tile.
    • Configure the event ribbon

      Configure the event ribbon on the Instance Security Center homepage to include only those events that are relevant for tracking instance security in your operations. You can also change the order in which the event tiles appear on the ribbon.

    Related concepts
    • Checking the daily compliance score and hardening security settings
    • Monitoring email security
    • Instance Security Center
    Related topics
    • Analytics, Intelligence, and Reporting
    • Analytics Hub
    • Performance Analytics targets and thresholds

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      Identifying potential security events

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Identifying potential security events

      Analyze the metrics from your instance so that you can identify and prevent potential security events.

      In the event ribbon, which is on the Instance Security homepage, you can analyze these metrics and accompanying detail to identify potential security events in the instance.
      • For each event metric, a real-time single score count appears, indicating how many times that the event occurred during the day. These single score reports are updated automatically as the corresponding events take place.
      • Each event metric also contains compliance trend and graph information over a range of dates that is updated daily when the performance analytics job runs. To learn more, see the Analyzing event trend detail section.

      Event types

      You can monitor at least six of the following types of events. For more than six events, use the left or right arrows below the event ribbon to scroll through them. To learn how to configure the event ribbon, see Configure the event ribbon.

      Admin Logins
      Number of login attempts during the calendar day by users who have an assigned admin role.
      Admin Users added
      Number of users with an admin role that were added during the calendar day.
      For example, if the count is 10, but 4 users are known to have an assigned admin role, your instance may have a security issue.
      External Logins
      Number of users with an assigned snc_external role who logged in during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes. Monitoring this metric enables you to verify that the external login attempts are legitimate and not potential security issues.

      To learn more about assigning external user roles, see Explicit Roles.

      Failed Logins
      Number of attempted logins that failed during the calendar day.

      This metric may indicate that attempts are being made to log in and compromise your instance security.

      Impersonations
      Number of impersonation logins during the calendar day. To learn how you can impersonate users for testing and use impersonation logs, see Impersonate a user.
      Security Elevations
      Number of times that a security administrator elevates security for standard users by changing their assigned user role to a security_admin role during the calendar day. To learn more about elevating user security, see Elevate to a privileged role and Elevated privilege roles.

      This metric indicates that someone might have tried to elevate the security of an unauthorized user. Do not use this metric by itself to detect a specific security compromise. Instead, treat this metric as an indication that you should check another metric to see if a security compromise has occurred.

      SNC Logins
      Number of ServiceNow Technical Support personnel who logged in using the hi-hopping technique during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes.

      For information on how to control ServiceNow corporate employee access, see ServiceNow access control.

      Note: The Spam,External Incoming Email, Untrusted Incoming Email, and Trusted Incoming Email email counts also appear by default on the event ribbon. To learn more about each, see Monitoring email security.

      Analyzing event trend detail

      To view trend details for an event metric, click the event count to access the Analytics Hub page. The details that appear for the instance depend on the type of metric.

      Example

      For example, when you select the Failed Logins metric and click Show Records in the Analytics Hub page, you see a list of each failed attempt on the Security Dashboard Event Logs page. Click one of the failed login attempts to view the name of the user who attempted to log in, their IP address, and the table name that they tried to access.

      You can set up event threshold triggers in the Analytics Hub to provide alerts when a certain event occurs within a range of scores for an indicator. You can also set targets that enable you to visualize the difference between the desired score and the actual score of an event.

      Example

      For example, you can set a threshold of 10 for the Failed Logins metric. When ten or more failed login attempts occur during the day, an alert is sent to specific security personnel. You can also set a similar target that provides a visual highlight in the Analytics Hub when ten failed logins occur during a day.

      Trend data and graphs that appear in the following Instance Security Center pages are updated after the performance analytics job executes at 02:00 local time:
      • Event ribbon tiles, and in the Analytics Hub page detail when you click one of the event tiles.
      • Daily Compliance Score tile.
      • Configure the event ribbon

        Configure the event ribbon on the Instance Security Center homepage to include only those events that are relevant for tracking instance security in your operations. You can also change the order in which the event tiles appear on the ribbon.

      Related concepts
      • Checking the daily compliance score and hardening security settings
      • Monitoring email security
      • Instance Security Center
      Related topics
      • Analytics, Intelligence, and Reporting
      • Analytics Hub
      • Performance Analytics targets and thresholds

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login