- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-06-2025 05:33 AM
Hi Folks,
I am looking for some concrete information regarding failed login attempts.
So whenever user makes a failed login what servicenow does in the backend like where ServiceNow stores the attempted login details. Does it stores login information in servicenow if yes then which all tables keep those information?
I know there is a script action "SNC User Lockout Check" which manage number of times a user is locked out after a failed login attempt is defined.
Solved! Go to Solution.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-06-2025 06:52 PM
Hey there - Good question.
Just a heads up, this forum is primarily for the ServiceNow SecOps Applications - you may have a better/quicker reply on the Community > Platform forum.
The Failed Logons generally will create an entry in the Event Log table... (System Policy > Events > Event Log), where the Event Name is (login.failed):
Also, on the Platform (Security Center) - you can actually see a whole bunch of User Activity, included Failed Logons and click into those reports to get to the actual events. I believe you can even explore the Security Center > Notifications as well if you want to have emails sent out for certain privileged user activity.
- https://www.servicenow.com/products/security-center.html

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-06-2025 06:52 PM
Hey there - Good question.
Just a heads up, this forum is primarily for the ServiceNow SecOps Applications - you may have a better/quicker reply on the Community > Platform forum.
The Failed Logons generally will create an entry in the Event Log table... (System Policy > Events > Event Log), where the Event Name is (login.failed):
Also, on the Platform (Security Center) - you can actually see a whole bunch of User Activity, included Failed Logons and click into those reports to get to the actual events. I believe you can even explore the Security Center > Notifications as well if you want to have emails sent out for certain privileged user activity.
- https://www.servicenow.com/products/security-center.html