Password Reset and Password Change reports and logs
Summarize
Summary of Password Reset and Password Change reports and logs
The Password Reset application in ServiceNow enables users with thepasswordresetcredentialmanagerorpasswordresetadminroles to monitor and troubleshoot password reset activities effectively. It provides various reports and logs that help track reset requests, detect potential security threats, and ensure compliance with password security policies.
Show less
Key modules include Reset Requests, Activity Log, and Blocked Users, each offering detailed insights beyond the Overview module. To maintain system performance, password reset data is periodically purged based on configurable schedules.
Key Features
- Password Reset Overview Module: Displays customizable reports on password resets and changes, covering recent activity such as request counts, blocked users, request status, top users by request volume, failed verifications, and enrollment statistics. These reports help identify security concerns like repeated reset attempts or user lockouts.
- Activity Log: Provides detailed logs stored in the pwdresetactivity table, accessible to users with relevant roles for troubleshooting and metric reporting.
- Event Log: Accessible via Windows Event Viewer, this log requires admin role and can be enabled by adjusting a registry key. It is useful for in-depth troubleshooting of password reset events.
- Blocked User Notifications: Email alerts can be configured to notify administrators when the number of blocked users exceeds a defined threshold (default is 10), helping detect suspicious activity promptly.
- Data Purging Schedule: Password reset data is automatically purged to free system resources. Default purge intervals are generally set to 90 days for most tables, with some tables like SMS codes purged daily. These intervals can be customized on non-production instances or with assistance from ServiceNow Technical Support.
Practical Implications for ServiceNow Customers
- Administrators can proactively monitor password reset activities and identify potential security issues such as repeated failed attempts or unusually high reset requests by specific users.
- Customizable reports and logs enable compliance monitoring and timely troubleshooting, improving security posture and user experience.
- Configurable email notifications ensure that security teams are alerted quickly to possible lockout or attack scenarios.
- Understanding and managing data purge schedules helps maintain system performance without losing critical audit information prematurely.
- Access to detailed logs and event data requires appropriate roles, underscoring the importance of role management in securing password reset processes.
The Password Reset application provides several tools for monitoring and troubleshooting password reset activities.
Users with the password_reset_credential_manager or password_reset_admin role can view the status of password reset activities, identify potential security threats, and monitor for compliance with password security policies.
The Reset Requests, Activity Log, and Blocked Users modules are useful for monitoring password reset activities and for troubleshooting password reset issues. They also provide access to more detailed information than is provided on the Overview module.
To make room for new data, the system periodically purges the data that is used for password reset monitoring and reporting.
Password Reset Overview module
The module displays reports on password reset and password change activities. Users with the password_reset_admin role can customize the layout of the reports that appear in the Overview module.
| Title | Description |
|---|---|
| Password Requests (last 7 days) | Number of password reset requests by type during the last 7 days. |
| Blocked Users (last 7 days) | Number of users blocked over the last 7 days. |
| Password Reset Request Status (last 7 days) | Status of all password reset requests by process. |
| Password Reset Request by Action (last 30 days) | Number of password reset requests by action type: Reset Password, Unlock Account, or Reset and Unlock. |
| Password Reset Top Users (last 30 days) | Number of password reset requests per user. Many password reset requests from a single user could indicate a security issue. |
| Password Reset Failed Verifications (last 7 days) | Number of failed verification attempts, by verification instance. A failed verification occurs when a user attempts to reset the password, but fails for one reason or another, during the identity verification step. Many failed verification attempts for a specific type of verification could indicate that the process is too complicated or unclear. |
| Password Reset Enrollment By Verification | Number of users by verification type who enrolled and did not enroll in the password reset program. A large number for users who did not enrolled could indicate a compliance or communication issue within the organization. |
| Password Change Top Users (last 30 days) | Number of password change requests per user. Many password change requests from a single user could indicate a security issue. |
Password Reset activity log
The activity log () provides detailed information that you can use to troubleshoot and to generate reports on password reset metrics. Information contained in the activity log is stored in the Password Reset activity log [pwd_reset_activity] table.
You must have the password_reset_credential_manager or password_reset_admin role to view the log.
Password Reset event log
The event log is a valuable resource for troubleshooting. On the Start menu, click .
If the log does not appear, then, on the Windows Logs menu, click .You must have the admin role to view the log.
To write to the Password Reset event log
Edit the
DebugFlag registry key entry at: Computer > HKEY_LOCAL_MACHINE >
SOFTWARE > Microsoft > Windows > CurrentVersion > Authentication > Credential Providers >
{B6EFF27D-C1C4-481F-B81B-F3547C47D58A}
ServiceNowPwdReset event log.You must have the password_reset_credential_manager or password_reset_admin role to write to the log.
Password Reset blocked user notification
You can receive email notifications when the number of users that are blocked or locked exceeds the password blocked threshold. Notifications can alert you to suspicious activities. The default threshold is 10.
To subscribe: Add an email notification device or modify an existing device and then subscribe to the Password Reset-Activity Monitor Lockout notification.
You must have the password_reset_credential_manager or password_reset_admin role to subscribe.
Schedule for purging Password Reset data
To make room for new data, the system periodically purges the data that is used for password reset monitoring and reporting. Information contained in reports and monitoring tools could change dramatically immediately after a data purge.
- On a non-production instance: Navigate to .
- Modify the designated tables.
- Test all changes on the non-production instance.
- Modify the tables on your production instance and test.
| Table name | Purge interval |
|---|---|
| [pwd_reset_request] | 90 days (7,776,000 seconds). Depending on your organizational data monitoring
requirements, you could configure the rule to:
|
| [pwd_user_lockout] | 90 days (7,776,000 seconds). Depending on your organizational data monitoring
requirements, you could configure the rule to:
|
| [pwd_reset_activity] | 90 days (7,776,000 seconds). |
| [pwd_activity_monitor] | 90 days (7,776,000 seconds). |
| [pwd_dvc_enrollment_code] | 1 day (86,400 seconds). |
| [pwd_sms_code] | 1 day (86,400 seconds). |