ServiceNow failed login

Vijay Baokar · ‎02-06-2025

Hi Folks,

I am looking for some concrete information regarding failed login attempts.

So whenever user makes a failed login what servicenow does in the backend like where ServiceNow stores the attempted login details. Does it stores login information in servicenow if yes then which all tables keep those information?

I know there is a script action "SNC User Lockout Check" which manage number of times a user is locked out after a failed login attempt is defined.

andy_ojha · ‎02-06-2025

Hey there - Good question.

Just a heads up, this forum is primarily for the ServiceNow SecOps Applications - you may have a better/quicker reply on the Community > Platform forum.

The Failed Logons generally will create an entry in the Event Log table... (System Policy > Events > Event Log), where the Event Name is (login.failed):

Also, on the Platform (Security Center) - you can actually see a whole bunch of User Activity, included Failed Logons and click into those reports to get to the actual events. I believe you can even explore the Security Center > Notifications as well if you want to have emails sent out for certain privileged user activity.

- https://www.servicenow.com/products/security-center.html

View solution in original post

andy_ojha · ‎02-06-2025

Hey there - Good question.

Just a heads up, this forum is primarily for the ServiceNow SecOps Applications - you may have a better/quicker reply on the Community > Platform forum.

The Failed Logons generally will create an entry in the Event Log table... (System Policy > Events > Event Log), where the Event Name is (login.failed):

Also, on the Platform (Security Center) - you can actually see a whole bunch of User Activity, included Failed Logons and click into those reports to get to the actual events. I believe you can even explore the Security Center > Notifications as well if you want to have emails sent out for certain privileged user activity.

- https://www.servicenow.com/products/security-center.html