I am looking for some advice on extracting security logs from ServiceNow into our SIEM tool. We are looking to integrate via API to pull the logs from ServiceNow. An example of what events our security team are looking for is below:

• Account Successful Login Event
• Account Unsuccessful Login Event
• Account Successful Logoff
  • Include user to system and system to system login events
• Account Management
  • If a security group is created, modified, deleted. When a user is renamed, disabled or enabled.
• Directory Service Access
• Audit Policy Change
  • When user rights assignment policies change
• Audit Privileged Use
• System events
  • A generic catch all, though interesting would be system time changes, audit log deletions, and similar.
• Credential Validation
  • The results of validations tests on credentials submitted for a user account. e.g. for MFA would be useful. Is a user entering correct username/password and incorrect token?
• Authorisation Policy Change
  • Changes in authorisation policy for example permission changes in ACLs

We are planning on integrating ServiceNow with the SIEM tool to automate the access to logs, but I need to provide access to the correct log tables in ServiceNow. The syslog table does not provide an easy way to filter and identify just security/ audit related events, that could be pulled. I know there is the instance security center that ServiceNow provides which reports on some of this, but our Security team need real-time access to the raw logs, rather than the calculated metrics that are provided in the instance security center.

Please can you let me know what the best practice is for this?