Monitor the compliance level of instance security
controls, view security event monitoring metrics, and configure and maintain
instance security settings all from within the Instance Security Center. The
Instance Security Center consolidates several key security components into a single
control console that helps you detect, protect, and respond to instance-based
security events.
From the Instance
Security Center homepage, you can view the security compliance score for your
instance and monitor its overall security health. You can then configure or update
system properties that are related to your instance security so that they comply
with security requirements.
Note: The Instance Security Center does not support domain separation.
To access the Instance Security Center, navigate to or the System Administration homepage.
User roles
To use the Instance Security Center, you must have the admin or security_dashboard_user
role.
User: Security personnel in your organization who monitor security-related information for an instance and have authorization to change security hardening settings. They should be able to return to the Instance Security Center at any time to adjust settings and manage the overall security health of an instance.
Required role: admin
Benefits: Continually monitoring and managing instance security compliance.

User: Security personnel in your organization who monitor security-related information for an instance but do not have authorization to change security hardening settings. For example, a security analyst with this role can view instance security information. However, another user with an admin role would have to make actual security setting updates.
Required role: security_dashboard_user
Benefits: Continually monitoring instance security compliance to detect and respond to security threats.
Warning: To ensure that the Instance Security Center receives up-to-date security
information with every upgrade, do not customize this module. If you change any security
settings on your instance, make sure that you test them in a non-production environment
first.
The Instance Security Center homepage contains the following security components:
Rotating security banner
Search
Event ribbon
Daily compliance score
Top Recommendations
Session Management
Hardening
Metrics (user, email, and antivirus)
Resources
Notifications
Tours
Security testing portal
Security center
Help
Rotating security banner
To assist you in monitoring the security health of your instance, critical instance
security messages appear in the rotating banner.
Two to three security messages normally rotate at a regular interval.
The dots at the bottom of the banner show you the total number of current security
messages.
To navigate through them, click the dots, or click the arrows that appear on either
side of the messages.
The banner background colors indicate the relative severity of the messages.
Color: Description
Red: Critical security situation requiring a timely response, or a recommendation on how to protect or respond to critical security events.
Dark gray: Non-critical warning message.
Blue: General information message.
To collapse or minimize the text content in the banner, click
. To maximize the text content, click it again.
When you use the Instance Security Center again, the text content appears as
collapsed or expanded, depending on how you left it during your previous session.
If the text content itself changes, it appears as maximized for all users.
Search
Use the search bar to search the entire Instance Security Center for security resources
that assist you with understanding and resolving security issues. You can search the
following security-related resources:
Now Support Knowledge Base articles
Instance Security Center pages
External Now Support links
PA security widgets, such as the Daily Compliance Score and External Incoming Emails
Banner content
Event ribbon
Use the event ribbon to view key security event monitoring metrics for the current
instance.
To manually scroll through the metrics, click the right or left arrow keys.
To configure the event ribbon, click Edit.
To learn more about the event ribbon and how to configure it, see Identifying potential security events and Configure the event ribbon.
Daily compliance score
The Daily Compliance Score section contains the Daily Compliance Score,
Session Management, Antivirus, Top Recommendations, and Resources tiles.
You use the Daily Compliance Score to gauge how healthy your instance is
from a security standpoint.
The Daily Compliance Score is a percentage score. It is based on how
compliant the current settings of your instance security properties are
with the compliance values published in the Instance Security Hardening
Settings.
Top recommendations and hardening
Use this two-step process to manage specific security configuration
settings that affect the Daily Compliance Score:
1. To access the questionnaire that you use to perform initial instance security
hardening, click the Top Recommendations tile or link. You can
select a series of controls in each category to enhance the security of your instance.
To learn more about how to harden recommended security settings that are currently in
non-compliance, see Gather security requirements and enable controls.
2. To access the Hardening Configurations page and adjust the remaining non-compliant
settings, click the Daily Compliance Score tile or the
Hardening link. To learn how to adjust hardening settings to
further increase compliance, see Adjust instance security settings to increase compliance.
Session management
Use Session Management to:
View and manage user login sessions.
See all users who are currently logged in to the instance.
See detailed information about each session, such as the user name and IP address.
Isolate and lock out specific user sessions that pose security risks.
To access the Session Management page, click the Session Management tile or link.
Field: Description
User: Name of the user associated with this login session.
MFA: Check box indicating if Multifactor Authentication (MFA) is enabled for the logged in user. To learn more about MFA, see Multifactor authentication (MFA).
Active: Check box indicating if the logged in user is active or inactive.
User Agent: Type of browser and the device operating system for the user login session.
IP Address: IP address of the logged in user.
Last Accessed: Date and time this user session last accessed the instance.
Note: To view detailed information for a particular login session, or to lock out the session itself, click the User Agent, IP Address, or Last Accessed fields.
Metrics (user, email, and antivirus)
View detail for the following types of metrics:
User
Security metrics that are associated with user activity in the instance. To access
the User Metrics page, click the Metrics link, and then select User Metrics.
Email
Single score metrics that are related to email activity in the instance. You can
review detailed information for each metric, and designate untrusted or trusted email
domains. To access the Email page, click the Metrics link, and then select Email.
Antivirus
Security metrics that are associated with antivirus event activity in the instance.
To access the Antivirus Metrics page, click the Antivirus tile
or click the Metrics link, and then select Antivirus.
Resources
Access Now Support Knowledge Base articles, resources,
and blogs that are related to instance security. These resources include security settings,
coding, compliance, fixes, and related topics. To access the Resources page:
1. Click the Resources tile or link.
2. In the Resources page, click a category:
Category: Description
Recommended Guidelines: Access to recommended security guidelines, including the ServiceNow Instance Hardening [KB0550654] article in the Now Support Knowledge Base and ServiceNow Secure Coding Guide [KB0623354] articles.
Security Resources: Access to security-related resources in the Knowledge Base, including:
  Customer Instance Security Testing
  Cloud Security, Trust, and Compliance Center KB articles
Notifications
The notifications bell icon appears in the upper-right corner of the Instance Security Center.
A notification appears next to the bell icon whenever someone adds or assigns
privileged roles to users in the instance. These roles include admin, security_admin,
impersonator, or oath_admin.
A fourth notification groups the remaining notifications when there are more than
three occurrences during the calendar day.
The bell icon does not appear when no users performed these actions during the
calendar day.
When you click the bell icon and one of the notifications appears, you can view the
Roles (sys_user_role) table. Use this table to see which users were assigned privileged
roles during the calendar day. Using this history helps you to determine if roles have
been properly assigned.
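The notification behavior described above, modeled as an added example in plain JavaScript (not ServiceNow code and not part of the original documentation). The record fields (user, role, grantedBy, grantedAt), the sample data, and the notification wording are assumptions made for illustration; the role names are copied as this page lists them.

```javascript
// Role names exactly as listed on this page.
const PRIVILEGED_ROLES = ['admin', 'security_admin', 'impersonator', 'oath_admin'];
const MAX_INDIVIDUAL = 3; // beyond three, a fourth notification groups the rest

// Constructed sample: role grants exported for review (field names are assumed).
const SAMPLE_GRANTS = [
  { user: 'a.rivera', role: 'admin',          grantedBy: 'sys.ops', grantedAt: '2024-05-14T08:12:00' },
  { user: 'b.chen',   role: 'itil',           grantedBy: 'sys.ops', grantedAt: '2024-05-14T09:01:00' },
  { user: 'c.okafor', role: 'security_admin', grantedBy: 'sys.ops', grantedAt: '2024-05-14T09:30:00' },
  { user: 'd.silva',  role: 'impersonator',   grantedBy: 'j.temp',  grantedAt: '2024-05-14T11:45:00' },
  { user: 'e.novak',  role: 'oath_admin',     grantedBy: 'j.temp',  grantedAt: '2024-05-14T13:05:00' },
  { user: 'f.ito',    role: 'admin',          grantedBy: 'j.temp',  grantedAt: '2024-05-14T16:20:00' },
  { user: 'g.bauer',  role: 'admin',          grantedBy: 'sys.ops', grantedAt: '2024-05-13T23:50:00' },
];

// Keep only privileged grants made on the given calendar day (YYYY-MM-DD),
// oldest first. Timestamps are treated as instance-local strings.
function privilegedGrantsOn(grants, day, roles = PRIVILEGED_ROLES) {
  return grants
    .filter(g => roles.includes(g.role) && g.grantedAt.slice(0, 10) === day)
    .sort((a, b) => a.grantedAt.localeCompare(b.grantedAt));
}

// Build the bell notifications: an empty list (no bell) when nothing happened,
// one entry per grant up to three, and a fourth grouped entry for the rest.
function buildNotifications(grants, day) {
  const hits = privilegedGrantsOn(grants, day);
  const notes = hits.slice(0, MAX_INDIVIDUAL).map(g =>
    `${g.grantedBy} assigned ${g.role} to ${g.user} at ${g.grantedAt.slice(11, 16)}`);
  if (hits.length > MAX_INDIVIDUAL) {
    notes.push(`${hits.length - MAX_INDIVIDUAL} more privileged role assignments today`);
  }
  return notes;
}

// Review aid: group the day's privileged grants by who made them, so a single
// account handing out many privileged roles stands out.
function grantsByGrantor(grants, day) {
  const out = {};
  for (const g of privilegedGrantsOn(grants, day)) {
    (out[g.grantedBy] = out[g.grantedBy] || []).push(`${g.user}:${g.role}`);
  }
  return out;
}

console.log(buildNotifications(SAMPLE_GRANTS, '2024-05-14'));
console.log(grantsByGrantor(SAMPLE_GRANTS, '2024-05-14'));
```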
Tours
Click the Tours link to view a guided visual tour of the Instance Security Center.
The guided tour includes only the security monitoring functions that are listed on the
homepage.
It does not include the security functions that you access when you click the tiles or
links on the homepage.
Security testing portal, security center, and help
The Now Support Service Portal is a central resource that you use to manage instances, tasks,
and accounts. You can also access useful resources you can use to diagnose and resolve
security and technical issues in your instance. To access these resources, click
Learn More or Get Help in the following tiles:
Tile: Description
Security Testing Portal: Access to the Security Dashboard in the Now Support Security Testing Portal.
Security Center: Access to Security Compliance in the Now Support Security Portal.
Help: Access to the following help resources in the Now Support Security Portal:
  Ask an expert to find answers to common questions.
  Report an issue or outage to ServiceNow Global Technical Support by opening a case.
  Self-Service Support Resources, including:
    Videos
    Documentation
    Now Community
    Knowledge Base
    Known Error Portal
    Security RFX Database
  Now Community questions that are recommended for your use.
Refreshing trend and graph data
Trend data and graphs that appear in the following Instance
Security Center pages are updated after the performance analytics job executes at
02:00 local time:
Event ribbon tiles, and in the Analytics Hub page detail when you click one
of the event tiles.
Daily Compliance Score tile.
Alternatively, if you have an assigned admin role, you can refresh and
recalculate the Daily Compliance Score at any time by clicking Refresh.
The Refresh function performs the same tasks as the performance analytics
job but does it in real time, rather than in a batch process.
You typically use it to update the Daily Compliance Score so that you can
immediately view the impact of instance security activities.
There may be a slight delay before the updated score appears.
Note: The Refresh button does not appear for users with
an assigned security_dashboard_user role.
If you see errors related to the number of records the performance analytics job is
processing, you can increase the maximum number of records per query. To increase this
count, use the following properties in the sys_properties table:
com.snc.pa.dc.max_row_count_indicator_source
com.snc.pa.dc.max_records
To learn more about these properties, see Performance Analytics properties.
Note: When you perform an upgrade (for example, from London to Orlando), the Instance Security Center (ISC) plugin is automatically
activated. A ServiceNow-supplied fix script automatically assigns a
custom user without any assigned roles.