Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Identifying potential security events

Log in to subscribe to topics and get notified when content changes.

Identifying potential security events

Analyze the metrics from your instance so that you can identify and prevent potential security events.

In the event ribbon, which is on the Instance Security homepage, you can analyze these metrics and accompanying detail to identify potential security events in the instance.
  • For each event metric, a real-time single score count appears, indicating how many times that the event occurred during the day. These single score reports are updated automatically as the corresponding events take place.
  • Each event metric also contains compliance trend and graph information over a range of dates that is updated daily when the performance analytics job runs. To learn more, see the Analyzing event trend detail section.

Event types

You can monitor at least six of the following types of events. For more than six events, use the left or right arrows below the event ribbon to scroll through them. To learn how to configure the event ribbon, see Configure the event ribbon.

Admin Logins
Number of login attempts during the calendar day by users who have an assigned admin role.
Admin Users added
Number of users with an admin role that were added during the calendar day.
For example, if the count is 10, but 4 users are known to have an assigned admin role, your instance may have a security issue.
External Logins
Number of users with an assigned snc_external role who logged in during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes. Monitoring this metric enables you to verify that the external login attempts are legitimate and not potential security issues.

To learn more about assigning external user roles, see Explicit Roles.

Failed Logins
Number of attempted logins that failed during the calendar day.

This metric may indicate that attempts are being made to log in and compromise your instance security.

Number of impersonation logins during the calendar day. To learn how you can impersonate users for testing and use impersonation logs, see Impersonate a user.
Security Elevations
Number of times that a security administrator elevates security for standard users by changing their assigned user role to a security_admin role during the calendar day. To learn more about elevating user security, see Elevate to a privileged role and Elevated privilege roles.

This metric indicates that someone might have tried to elevate the security of an unauthorized user. Do not use this metric by itself to detect a specific security compromise. Instead, treat this metric as an indication that you should check another metric to see if a security compromise has occurred.

SNC Logins
Number of ServiceNow Technical Support personnel who logged in using the hi-hopping technique during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes.

For information on how to control ServiceNow corporate employee access, see ServiceNow access control.

Note: The Spam,External Incoming Email, Untrusted Incoming Email, and Trusted Incoming Email email counts also appear by default on the event ribbon. To learn more about each, see Monitoring email security.

Analyzing event trend detail

To view trend details for an event metric, click the event count to access the Analytics Hub page. The details that appear for the instance depend on the type of metric.

For example, when you select the Failed Logins metric and click Show Records in the Analytics Hub page, you see a list of each failed attempt on the Security Dashboard Event Logs page. Click one of the failed login attempts to view the name of the user who attempted to log in, their IP address, and the table name that they tried to access.

You can set up event threshold triggers in the Analytics Hub to provide alerts when a certain event occurs within a range of scores for an indicator. You can also set targets that enable you to visualize the difference between the desired score and the actual score of an event.

For example, you can set a threshold of 10 for the Failed Logins metric. When ten or more failed login attempts occur during the day, an alert is sent to specific security personnel. You can also set a similar target that provides a visual highlight in the Analytics Hub when ten failed logins occur during a day.

Trend data and graphs that appear in the following Instance Security Center pages are only updated after the performance analytics job executes at 02:00 local time:
  • Event ribbon tiles, and in the Analytics Hub page detail when you click one of the event tiles.
  • Daily Compliance Score tile.
A user with an assigned admin role typically runs performance analytics jobs.