Suspicious SYS ID

Pongo
Tera Contributor

Discovered there was a record created by an integration whereby the sys id is an email - not sure how this is even possible. Has anyone ever come across something like this?


Dr Atul G- LNG
Tera Patron

Hi @Pongo 

 

Looks like some cyber attack; better to report this to SN via a case with Now Support.


Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]


JC Moller
Giga Sage

Have you had a look into your data for a longer time period backwards? Search with GlideRecord for matches in the sys_id field's values for something that is not a sys_id (32 chars long). Could this be an issue that has occurred previously but you have only now noticed? Maybe you have some additional data in the syslog or localhost logs that could open the issue for you. A cyberattack or something similar is not on my list of possible causes. Something went wrong with code handling and the sys_id was replaced by another value.


We have seen data in the sys_id column for the task table when code executions, e.g. for an inbound integration's e-bonding, have failed and then the value "undefined" has been written into the sys_id column (i.e. the database). This can cause issues later on when the record's sys_id is actually used for something. In our case we noticed a small logic error in code handling and have now resolved the issue.

So technically it is possible to write other data into the sys_id column, but these instances are very rare and I have only witnessed a few of them in the 13 years I have been working with ServiceNow.
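
The GlideRecord search suggested in the reply above could look like the following background script. It is an added example, not code from any of the posters. It assumes a generated sys_id is 32 hexadecimal characters, uses the `task` table and a 365-day lookback as placeholders, and falls back to constructed sample rows when run outside an instance.

```javascript
// Added example: flag sys_id values that are not 32 hexadecimal characters.
var SYS_ID_RE = /^[0-9a-f]{32}$/i; // assumption: generated sys_ids are 32 hex chars

function classifySysId(value) {
  var v = String(value);
  if (SYS_ID_RE.test(v)) return 'ok';
  // Typical residue of a script writing an unset variable into the field
  if (v === 'undefined' || v === 'null' || v === '') return 'script-literal';
  if (/^[^@\s]+@[^@\s]+$/.test(v)) return 'email-like';
  return v.length !== 32 ? 'wrong-length' : 'non-hex';
}

function findMalformed(rows) {
  var out = [];
  for (var i = 0; i < rows.length; i++) {
    var kind = classifySysId(rows[i].sys_id);
    if (kind !== 'ok') out.push({ sys_id: String(rows[i].sys_id), kind: kind,
      created_by: rows[i].created_by, created_on: rows[i].created_on });
  }
  return out;
}

// On an instance: walk the table, keep only suspicious rows to limit memory.
function loadSuspectRows(table, daysBack) {
  var rows = [];
  var gr = new GlideRecord(table);
  gr.addQuery('sys_created_on', '>=', gs.daysAgoStart(daysBack));
  gr.query();
  while (gr.next()) {
    var id = gr.getUniqueValue();
    if (classifySysId(id) !== 'ok') rows.push({ sys_id: id,
      created_by: gr.getValue('sys_created_by'), created_on: gr.getValue('sys_created_on') });
  }
  return rows;
}

// Constructed sample rows, used only when GlideRecord is not available.
var SAMPLE_ROWS = [
  { sys_id: '0123456789abcdef0123456789abcdef', created_by: 'admin', created_on: '2024-01-05 10:00:00' },
  { sys_id: 'integration.user@example.com', created_by: 'svc.integration', created_on: '2024-02-11 08:30:00' },
  { sys_id: 'undefined', created_by: 'svc.integration', created_on: '2024-03-02 14:12:00' },
  { sys_id: '0123456789abcdef', created_by: 'svc.integration', created_on: '2024-03-09 09:45:00' }
];

var onInstance = typeof GlideRecord !== 'undefined';
var log = onInstance ? function (m) { gs.info(m); } : function (m) { console.log(m); };
var hits = findMalformed(onInstance ? loadSuspectRows('task', 365) : SAMPLE_ROWS);
for (var h = 0; h < hits.length; h++) {
  log(hits[h].kind + ' sys_id="' + hits[h].sys_id + '" created_by=' +
      hits[h].created_by + ' created_on=' + hits[h].created_on);
}
```

The `created_by` and `created_on` values of each hit give the time window and account to look up in the syslog entries mentioned in the reply.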