Monitor service accounts authenticated in the instance through an API instead of login event
‎03-11-2022 06:14 AM
Hello,
We need to monitor the connections of service accounts that use APIs to connect to the ServiceNow instances, as we monitor logins of users into the instance.
For the users, we use the "login" event in the sysevent table, where we can see the user and the IP address (and we have created a script action for this event that triggers the creation of a message), but for service accounts that use an API to connect (REST, SOAP...) we do not have this event. We have seen that we have, in the sysevent table, actions performed by these accounts (like incident.created, problem.updated...) but we do not have the IP. In the sys_transaction table, we have the IP, but in the sys_transaction table we do not have information to be matched with the event in order to try to identify when the service account has logged in to the system (has connected to perform any action).
In the system log table we have records with information like "svcSNSPikeBi authenticated" and this is useful for us to know when the account authenticated (this is what we need), but we do not have the IP address or any other information.
Does anyone know how to achieve this? Is it possible to know the moment that a user connects through an API and which IP it is using? We can only think of joining the system log table or sysevent table with the sys log transaction table, but we do not have any matching field on these tables.
Thank you very much in advance.
Kind regards.
‎03-11-2022 06:27 AM
‎03-11-2022 08:13 AM
Hello timmo. Nope, but thank you! What I need is to have the moment the user connects through an API and the IP of the source, just the same as the "login" event in sysevent table. Thanks!