Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • Now Platform administration
Table of Contents
Choose your release version
    Home Orlando Now Platform Administration Now Platform administration Platform security Instance Security Center

    Instance Security Center

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    Instance Security Center

    Monitor the compliance level of instance security controls, view security event monitoring metrics, and configure and maintain instance security settings all from within the Instance Security Center. The Instance Security Center consolidates several key security components into a single control console that helps you detect, protect, and respond to instance-based security events.

    From the Instance Security Center homepage, you can view the security compliance score for your instance and monitor its overall security health. You can then configure or update system properties that are related to your instance security so that they comply with security requirements.
    Note: The Instance Security Center does not support domain separation.

    To access the Instance Security Center, navigate to System Security > Instance Security Center or the System Administration homepage.

    Instance security center homepage

    User roles

    To use the Instance Security Center, you must have the admin or security_dashboard_user role.

    User Required role Benefits
    Security personnel in your organization who monitor security-related information for an instance and have authorization to change security hardening settings. They should be able to return to the Instance Security Center at any time to adjust settings and manage the overall security health of an instance. admin Continually monitoring and managing instance security compliance.
    Security personnel in your organization who monitor security-related information for an instance but do not have authorization to change security hardening settings. For example, a security analyst with this role can view instance security information. However, another user with an admin role would have to make actual security setting updates. security_dashboard_user Continually monitoring instance security compliance to detect and respond to security threats.
    Warning: To ensure that the Instance Security Center receives up-to-date security information with every upgrade, do not customize this module. If you change any security settings on your instance, make sure that you test them in a non-production environment first.
    The Instance Security Center homepage contains the following security components:
    • Rotating security banner
    • Search
    • Event ribbon
    • Daily compliance score
    • Top Recommendations
    • Session Management
    • Hardening
    • Metrics (user, email, and antivirus)
    • Resources
    • Notifications
    • Tours
    • Security testing portal
    • Security center
    • Help

    Rotating security banner

    To assist you in monitoring the security health of your instance, critical instance security messages appear in the rotating banner.
    • Two to three security messages normally rotate at a regular interval.
    • The dots at the bottom of the banner show you the total number of current security messages.
    • To navigate through them, click the dots, or click the arrows that appear on either side of the messages.

    The banner background colors indicate the relative severity of the messages.

    Color Description
    Red Critical security situation requiring a timely response, or a recommendation on how to protect or respond to critical security events.
    Dark gray Non-critical warning message.
    Blue General information message.
    To collapse or minimize the text content in the banner, click Collapse/expand banner. To maximize the text content, click it again.
    • When you use the Instance Security Center again, the text content appeared as collapsed or expanded, depending on how you used it during your previous session.
    • If the text content itself changes, it appears as maximized for all users.

    Search

    Use the search bar to search the entire Instance Security Center for security resources that assist you with understanding and resolving security issues. You can search the following security-related resources:
    • Now Support Knowledge Base articles
    • Instance Security Center pages
    • External Now Support links
    • PA security widgets, such as the Daily Compliance Score and External Incoming Emails
    • Banner content

    Event ribbon

    Use the event ribbon to view key security event monitoring metrics for the current instance.
    • To manually scroll through the metrics, click the right or left arrow keys.
    • To configure the event ribbon, click Edit.

    To learn more about the event ribbon and how to configure it, see Identifying potential security events and Configure the event ribbon.

    Daily compliance score

    The Daily Compliance Score section contains the Daily Compliance Score, Session Management, Antivirus, Top Recommendations, and Resources tiles. You use the Daily Compliance Score to gauge how healthy your instance is from a security standpoint.

    The Daily Compliance Score is a percentage score. It is based on how compliant the current settings of your instance security properties are with the compliance values published in the Instance Security Hardening Settings.

    • To learn more about Daily Compliance Score calculations, and how hardening settings impact it, see Checking the daily compliance score and hardening security settings.
    • The Refresh button enables an administrator to instantly recalculate the Daily Compliance Score. To learn more, see Refreshing trend and graph data.

    Top recommendations and hardening

    Use this two-step process to manage specific security configuration settings that affect the Daily Compliance Score:
    1. To access the questionnaire that you use to perform initial instance security hardening, click the Top Recommendations tile or link.

      You can select a series of controls in each category to enhance the security of your instance. To learn more about how to harden recommended security settings that are currently in non-compliance, see Gather security requirements and enable controls.

    2. To access the Hardening Configurations page and adjust the remaining non-compliant settings, click the Daily Compliance Score tile or the Hardening link.

      To learn how to adjust hardening settings to further increase compliance, see Adjust instance security settings to increase compliance.

    Session management

    Use Session Management to:
    • View and manage user login sessions.
    • See all users who are currently logged in to the instance.
    • See detailed information about each session, such as the user name and IP address.
    • Isolate and lock out specific user sessions that pose security risks.
    To access the Session Management page, click the Session Management tile or link.
    Field Description
    User Name of the user associated with this login session.
    • To locate a specific user session, click the spotlight search icon ( Search) to search by user, user agent keyword, or IP address.

      For example, if you want to find all current logins from a specific type of browser, enter the browser name as a keyword into the User Agent field.

    • Click a user name to access the user profile record. You can modify the user profile only if you have an assigned admin role.
      Note: To learn more about user profiles, see Create a user.
    MFA Check box indicating if Multifactor Authentication (MFA) is enabled for the logged in user. To learn more about MFA, see Multifactor authentication (MFA).
    Active Check box indicating if the logged in user is active or inactive.
    User Agent Type of browser and the device operating system for the user login session.
    IP Address IP address of the logged in user.
    Last Accessed Date and time this user session last accessed the instance.
    Note: To view detailed information for a particular login session, or to lock out the session itself, click the User Agent, IP Address, or Last Accessed fields.

    Metrics (user, email, and antivirus)

    View detail for the following types of metrics:
    User
    Security metrics that are associated with user activity in the instance. To access the User Metrics page, click the Metrics link, and then select User Metrics.
    Email
    Single score metrics that are related to email activity in the instance. You can review detailed information for each metric, and designate untrusted or trusted email domains. To access the Email page, click the Metrics link, and then select Email.
    Antivirus
    Security metrics that are associated with antivirus event activity in the instance. To access the Antivirus Metrics page, click the Antivirus tile or click the Metrics link, and then select Antivirus.
    Note: To learn more about monitoring each type of metric, see Monitoring user, email, and antivirus metrics. To learn more about designating specific email domains as untrusted or trusted, see Designate email domains as untrusted or trusted.

    Resources

    Access Now Support Knowledge Base articles, resources, and blogs that are related to instance security. These resources include security settings, coding, compliance, fixes, and related topics. To access the Resources page:
    • Click the Resources tile or link.
    • In the Resources page, click a category:
      Category Description
      Recommended Guidelines Access to recommended security guidelines, including the ServiceNow Instance Hardening [KB0550654] article in the Now Support Knowledge Base and ServiceNow Secure Coding Guide [KB0623354] articles.
      Security Resources Access to security-related resources in the Knowledge Base, including:
      • Customer Instance Security Testing
      • Cloud Security, Trust, and Compliance Center KB articles

    Notifications

    The notifications bell icon (Notification icon) appears in the upper-right corner of the Instance Security Center.
    • A notification appears next to the bell icon whenever someone adds or assigns privileged roles to users in the instance. These roles include admin, security_admin, impersonator, or oath_admin.
    • A fourth notification groups the remaining notifications when there are more than three occurrences during the calendar day.
    • The bell icon does not appear when no users performed these actions during the calendar day.
    • When you click the bell icon and one of the notifications appear, you can view the Roles (sys_user_role) table. Use this table to see which users were assigned privileged roles during the calendar day. Using this history helps you to determine if roles have been properly assigned.

    Tours

    Click the Tours link to view a guided visual tour of the Instance Security Center.
    • The guided tour includes only the security monitoring functions that are listed on the homepage.
    • It does not include the security functions that you access when you click the tiles or links on the homepage.

    Security testing portal, security center, and help

    The Now Support Service Portal is a central resource that you use to manage instances, tasks, and accounts. You can also access useful resources you can use to diagnose and resolve security and technical issues in your instance. To access these resources, click Learn More or Get Help in the following tiles:

    Tile Description
    Security Testing Portal Access to the Security Dashboard in the Now Support Security Testing Portal.
    Security Center Access to Security Compliance in the Now Support Security Portal.
    Help Access to the following help resources in the Now Support Security Portal:
    • Ask an expert to find answers to common questions.
    • Report an issue or outage to ServiceNow Global Technical Support by opening a case.
    • Self-Service Support Resources, including:
      • Videos
      • Documentation
      • Now Community
      • Knowledge Base
      • Known Error Portal
      • Security RFX Database
    • Now Community questions that are recommended for your use.

    Refreshing trend and graph data

    Trend data and graphs that appear in the following Instance Security Center pages are updated after the performance analytics job executes at 02:00 local time:
    • Event ribbon tiles, and in the Analytics Hub page detail when you click one of the event tiles.
    • Daily Compliance Score tile.
    Alternately, if you have an assigned admin role, you can refresh and recalculate the Daily Compliance Score at any time by clicking Refresh.
    • The Refresh function performs the same tasks as the performance analytics job but does it in real time, rather than in a batch process.
    • You typically use it when you want to perform updates to the Daily Compliance Score to immediately view the impact of instance security activities.
    • There may be a slight delay before the updated score appears.
    Note: The Refresh button does not appear for users with an assigned security_dashboard_user role.
    If you see errors related to the number of records the performance analytics job is processing, you can increase the maximum number of records per query. To increase this count, use the following properties in the sys_properties table:
    • com.snc.pa.dc.max_row_count_indicator_source
    • com.snc.pa.dc.max_records

    To learn more about these properties, see Performance Analytics properties.

    Note: When you perform an upgrade (for example, from London to Orlando), the Instance Security Center (ISC) plugin is automatically activated. A ServiceNow-supplied fix script automatically assigns a custom user without any assigned roles.
    • Identifying potential security events

      Analyze the event metrics in your instance so that you can identify and prevent potential security events.

    • Checking the daily compliance score and hardening security settings

      Review the Daily Compliance Score metric and the hardening security settings to see if your instance complies with the suggested security requirements. You can affect the daily compliance score by updating system security settings from the Hardening Configurations page.

    • Monitoring user, email, and antivirus metrics

      Monitor user, email, or antivirus metrics for your instance. For example, you can monitor your email security by checking metrics for spam, external emails, and inbound emails from untrusted and trusted domains. Analyze these metrics to look for anomalous security behaviors that are related to activities that take place in your instance.

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      Instance Security Center

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Instance Security Center

      Monitor the compliance level of instance security controls, view security event monitoring metrics, and configure and maintain instance security settings all from within the Instance Security Center. The Instance Security Center consolidates several key security components into a single control console that helps you detect, protect, and respond to instance-based security events.

      From the Instance Security Center homepage, you can view the security compliance score for your instance and monitor its overall security health. You can then configure or update system properties that are related to your instance security so that they comply with security requirements.
      Note: The Instance Security Center does not support domain separation.

      To access the Instance Security Center, navigate to System Security > Instance Security Center or the System Administration homepage.

      Instance security center homepage

      User roles

      To use the Instance Security Center, you must have the admin or security_dashboard_user role.

      User Required role Benefits
      Security personnel in your organization who monitor security-related information for an instance and have authorization to change security hardening settings. They should be able to return to the Instance Security Center at any time to adjust settings and manage the overall security health of an instance. admin Continually monitoring and managing instance security compliance.
      Security personnel in your organization who monitor security-related information for an instance but do not have authorization to change security hardening settings. For example, a security analyst with this role can view instance security information. However, another user with an admin role would have to make actual security setting updates. security_dashboard_user Continually monitoring instance security compliance to detect and respond to security threats.
      Warning: To ensure that the Instance Security Center receives up-to-date security information with every upgrade, do not customize this module. If you change any security settings on your instance, make sure that you test them in a non-production environment first.
      The Instance Security Center homepage contains the following security components:
      • Rotating security banner
      • Search
      • Event ribbon
      • Daily compliance score
      • Top Recommendations
      • Session Management
      • Hardening
      • Metrics (user, email, and antivirus)
      • Resources
      • Notifications
      • Tours
      • Security testing portal
      • Security center
      • Help

      Rotating security banner

      To assist you in monitoring the security health of your instance, critical instance security messages appear in the rotating banner.
      • Two to three security messages normally rotate at a regular interval.
      • The dots at the bottom of the banner show you the total number of current security messages.
      • To navigate through them, click the dots, or click the arrows that appear on either side of the messages.

      The banner background colors indicate the relative severity of the messages.

      Color Description
      Red Critical security situation requiring a timely response, or a recommendation on how to protect or respond to critical security events.
      Dark gray Non-critical warning message.
      Blue General information message.
      To collapse or minimize the text content in the banner, click Collapse/expand banner. To maximize the text content, click it again.
      • When you use the Instance Security Center again, the text content appeared as collapsed or expanded, depending on how you used it during your previous session.
      • If the text content itself changes, it appears as maximized for all users.

      Search

      Use the search bar to search the entire Instance Security Center for security resources that assist you with understanding and resolving security issues. You can search the following security-related resources:
      • Now Support Knowledge Base articles
      • Instance Security Center pages
      • External Now Support links
      • PA security widgets, such as the Daily Compliance Score and External Incoming Emails
      • Banner content

      Event ribbon

      Use the event ribbon to view key security event monitoring metrics for the current instance.
      • To manually scroll through the metrics, click the right or left arrow keys.
      • To configure the event ribbon, click Edit.

      To learn more about the event ribbon and how to configure it, see Identifying potential security events and Configure the event ribbon.

      Daily compliance score

      The Daily Compliance Score section contains the Daily Compliance Score, Session Management, Antivirus, Top Recommendations, and Resources tiles. You use the Daily Compliance Score to gauge how healthy your instance is from a security standpoint.

      The Daily Compliance Score is a percentage score. It is based on how compliant the current settings of your instance security properties are with the compliance values published in the Instance Security Hardening Settings.

      • To learn more about Daily Compliance Score calculations, and how hardening settings impact it, see Checking the daily compliance score and hardening security settings.
      • The Refresh button enables an administrator to instantly recalculate the Daily Compliance Score. To learn more, see Refreshing trend and graph data.

      Top recommendations and hardening

      Use this two-step process to manage specific security configuration settings that affect the Daily Compliance Score:
      1. To access the questionnaire that you use to perform initial instance security hardening, click the Top Recommendations tile or link.

        You can select a series of controls in each category to enhance the security of your instance. To learn more about how to harden recommended security settings that are currently in non-compliance, see Gather security requirements and enable controls.

      2. To access the Hardening Configurations page and adjust the remaining non-compliant settings, click the Daily Compliance Score tile or the Hardening link.

        To learn how to adjust hardening settings to further increase compliance, see Adjust instance security settings to increase compliance.

      Session management

      Use Session Management to:
      • View and manage user login sessions.
      • See all users who are currently logged in to the instance.
      • See detailed information about each session, such as the user name and IP address.
      • Isolate and lock out specific user sessions that pose security risks.
      To access the Session Management page, click the Session Management tile or link.
      Field Description
      User Name of the user associated with this login session.
      • To locate a specific user session, click the spotlight search icon ( Search) to search by user, user agent keyword, or IP address.

        For example, if you want to find all current logins from a specific type of browser, enter the browser name as a keyword into the User Agent field.

      • Click a user name to access the user profile record. You can modify the user profile only if you have an assigned admin role.
        Note: To learn more about user profiles, see Create a user.
      MFA Check box indicating if Multifactor Authentication (MFA) is enabled for the logged in user. To learn more about MFA, see Multifactor authentication (MFA).
      Active Check box indicating if the logged in user is active or inactive.
      User Agent Type of browser and the device operating system for the user login session.
      IP Address IP address of the logged in user.
      Last Accessed Date and time this user session last accessed the instance.
      Note: To view detailed information for a particular login session, or to lock out the session itself, click the User Agent, IP Address, or Last Accessed fields.

      Metrics (user, email, and antivirus)

      View detail for the following types of metrics:
      User
      Security metrics that are associated with user activity in the instance. To access the User Metrics page, click the Metrics link, and then select User Metrics.
      Email
      Single score metrics that are related to email activity in the instance. You can review detailed information for each metric, and designate untrusted or trusted email domains. To access the Email page, click the Metrics link, and then select Email.
      Antivirus
      Security metrics that are associated with antivirus event activity in the instance. To access the Antivirus Metrics page, click the Antivirus tile or click the Metrics link, and then select Antivirus.
      Note: To learn more about monitoring each type of metric, see Monitoring user, email, and antivirus metrics. To learn more about designating specific email domains as untrusted or trusted, see Designate email domains as untrusted or trusted.

      Resources

      Access Now Support Knowledge Base articles, resources, and blogs that are related to instance security. These resources include security settings, coding, compliance, fixes, and related topics. To access the Resources page:
      • Click the Resources tile or link.
      • In the Resources page, click a category:
        Category Description
        Recommended Guidelines Access to recommended security guidelines, including the ServiceNow Instance Hardening [KB0550654] article in the Now Support Knowledge Base and ServiceNow Secure Coding Guide [KB0623354] articles.
        Security Resources Access to security-related resources in the Knowledge Base, including:
        • Customer Instance Security Testing
        • Cloud Security, Trust, and Compliance Center KB articles

      Notifications

      The notifications bell icon (Notification icon) appears in the upper-right corner of the Instance Security Center.
      • A notification appears next to the bell icon whenever someone adds or assigns privileged roles to users in the instance. These roles include admin, security_admin, impersonator, or oath_admin.
      • A fourth notification groups the remaining notifications when there are more than three occurrences during the calendar day.
      • The bell icon does not appear when no users performed these actions during the calendar day.
      • When you click the bell icon and one of the notifications appear, you can view the Roles (sys_user_role) table. Use this table to see which users were assigned privileged roles during the calendar day. Using this history helps you to determine if roles have been properly assigned.

      Tours

      Click the Tours link to view a guided visual tour of the Instance Security Center.
      • The guided tour includes only the security monitoring functions that are listed on the homepage.
      • It does not include the security functions that you access when you click the tiles or links on the homepage.

      Security testing portal, security center, and help

      The Now Support Service Portal is a central resource that you use to manage instances, tasks, and accounts. You can also access useful resources you can use to diagnose and resolve security and technical issues in your instance. To access these resources, click Learn More or Get Help in the following tiles:

      Tile Description
      Security Testing Portal Access to the Security Dashboard in the Now Support Security Testing Portal.
      Security Center Access to Security Compliance in the Now Support Security Portal.
      Help Access to the following help resources in the Now Support Security Portal:
      • Ask an expert to find answers to common questions.
      • Report an issue or outage to ServiceNow Global Technical Support by opening a case.
      • Self-Service Support Resources, including:
        • Videos
        • Documentation
        • Now Community
        • Knowledge Base
        • Known Error Portal
        • Security RFX Database
      • Now Community questions that are recommended for your use.

      Refreshing trend and graph data

      Trend data and graphs that appear in the following Instance Security Center pages are updated after the performance analytics job executes at 02:00 local time:
      • Event ribbon tiles, and in the Analytics Hub page detail when you click one of the event tiles.
      • Daily Compliance Score tile.
      Alternately, if you have an assigned admin role, you can refresh and recalculate the Daily Compliance Score at any time by clicking Refresh.
      • The Refresh function performs the same tasks as the performance analytics job but does it in real time, rather than in a batch process.
      • You typically use it when you want to perform updates to the Daily Compliance Score to immediately view the impact of instance security activities.
      • There may be a slight delay before the updated score appears.
      Note: The Refresh button does not appear for users with an assigned security_dashboard_user role.
      If you see errors related to the number of records the performance analytics job is processing, you can increase the maximum number of records per query. To increase this count, use the following properties in the sys_properties table:
      • com.snc.pa.dc.max_row_count_indicator_source
      • com.snc.pa.dc.max_records

      To learn more about these properties, see Performance Analytics properties.

      Note: When you perform an upgrade (for example, from London to Orlando), the Instance Security Center (ISC) plugin is automatically activated. A ServiceNow-supplied fix script automatically assigns a custom user without any assigned roles.
      • Identifying potential security events

        Analyze the event metrics in your instance so that you can identify and prevent potential security events.

      • Checking the daily compliance score and hardening security settings

        Review the Daily Compliance Score metric and the hardening security settings to see if your instance complies with the suggested security requirements. You can affect the daily compliance score by updating system security settings from the Hardening Configurations page.

      • Monitoring user, email, and antivirus metrics

        Monitor user, email, or antivirus metrics for your instance. For example, you can monitor your email security by checking metrics for spam, external emails, and inbound emails from untrusted and trusted domains. Analyze these metrics to look for anomalous security behaviors that are related to activities that take place in your instance.

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login