Monitor security events

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Monitor Security Events

    ServiceNow provides tools to monitor security events within your instance, allowing you to analyze event metrics to identify and prevent potential security threats. The Instance Security Center (ISC) is no longer supported; ServiceNow Security Center (SSC) is the recommended solution moving forward. You can access and analyze metrics through the event ribbon on the ISC homepage, which updates automatically with real-time counts of various security events.

    Show full answer Show less

    Key Features

    • Event Metrics: Track several security events, including Admin Logins, Failed Logins, and Quarantined Files, with real-time scoring and compliance trend data.
    • Event Types: Monitor specific event types such as External Logins, Security Elevations, and Virus Types to assess security integrity and identify anomalies.
    • Trend Analysis: Click on event counts to view detailed analytics, including user information for failed logins and other metrics.
    • Threshold Triggers: Set up alerts for specific events when thresholds are crossed, helping you respond promptly to security incidents.
    • Configuration Options: Customize the security event ribbon to reflect only relevant events and adjust notification preferences for security alerts via email, mobile, or third-party applications.

    Key Outcomes

    By effectively monitoring these security events, you can enhance your instance's security posture, respond to potential threats quickly, and ensure compliance with security standards. The ability to configure notifications and analyze trends empowers you to proactively manage security risks in your ServiceNow environment.

    Analyze the event metrics in your instance so that you can identify and prevent potential security events.

    Important:

    Instance Security Center (ISC) has reached the end of sales as of September 2024, and is no longer supported or available for new activation.

    ServiceNow Security Center (SSC) is the recommended solution going forward. For more information, see Instance Security Center to ServiceNow Security Center migration.
    In the event ribbon, which is on the Instance Security homepage, you can analyze these metrics and accompanying detail to identify potential security events in the instance.
    • For each event metric, a real-time single score count appears, indicating how many times that the event occurred during the day in this instance. These single score reports are updated automatically as the corresponding events take place.
    • Each event metric also contains compliance trend and graph information over a range of dates. This information updates on a daily basis when you run the performance analytics job. To learn more, see the Analyzing event trend detail section.

    Event types

    You can monitor at least six of the following types of events. For more than six events, use the left or right arrows below the event ribbon to scroll through them. To learn how to configure the event ribbon, see Configure the security event ribbon.

    Notification preference Description
    Admin Logins Number of login attempts in this instance, during the calendar day, by users who have an assigned admin role.
    Admin Users Added Number of users with an admin role that were added in this instance during the calendar day. For example, your instance may have a security issue if the count is 10, but 4 users are known to have an assigned admin role.
    External Incoming Email To learn more, see Email metrics.
    External Logins Number of users with an assigned snc_external role who logged into this instance during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes. Monitoring this metric enables you to verify that the external login attempts are legitimate and not potential security issues.

    To learn more about assigning external user roles, see Explicit Roles.
    Failed Logins Number of attempted logins that failed in this instance during the calendar day.

    This metric may indicate that attempts are being made to log in and compromise your instance security.
    Impersonations Number of impersonation logins in this instance during the calendar day. To learn about impersonating users, see Impersonate a user.
    Quarantined Files

    Number of files that were quarantined when you ran Antivirus Scanning in this instance during the calendar day. To learn more about quarantined files and Antivirus Scanning, see Antivirus metrics and Antivirus Scanning.
    Security Elevations Number of times that a security administrator has elevated security for standard users by changing their assigned user role to a high privilege security role during the calendar day. These high privilege security roles include oauth_admin, admin, security_admin, and impersonator.
    • This metric indicates that someone might have tried to elevate the security of an unauthorized user. Do not use this metric by itself to detect a specific security compromise. Instead, treat this metric as an indication that you should check another metric to see if a security compromise has occurred.
    • To learn more about elevating user security, see Elevate to a privileged role and Elevated privilege roles.
    SNC Logins Number of Customer Service and Support personnel who logged into this instance using the hi-hopping technique during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes.

    For information on how to control ServiceNow corporate employee access, see ServiceNow access control.
    Spam To learn more, see Email metrics.
    Trusted Incoming Email To learn more, see Email metrics.
    Untrusted Incoming Email To learn more, see Email metrics.
    Virus Types Number of different types of antivirus events that occurred in this instance during the calendar day. To learn more about antivirus event types, see Antivirus metrics.

    Analyzing event trend detail

    To view trend details for an event metric, click the event count to access the Analytics Hub page. The details that appear for the instance depend on the type of metric.

    For example, to view a listing of each failed attempt on the Security Dashboard Event Logs page:
    • Select the Failed Logins metric.
    • In the KPI Details page, click Show Records.
    • Click one of the failed login attempts.
    • The detail includes the name of the user who attempted to log in, their IP address, and the table name that they tried to access.

    You can set up event threshold triggers in the Core UI Analytics Hub or Platform Analytics KPI Details to provide alerts when a certain event occurs within a range of scores for an indicator. You can also set targets that enable you to visualize the difference between the desired score and the actual score of an event.

    For example, you can set a threshold of 10 for the Failed Logins metric. When ten or more failed login attempts occur during the day, an alert is sent to specific security personnel. You can also set a similar target that provides a visual highlight in the KPI Details when 10 failed logins occur during a day.

    Trend data and graphs that appear in Event ribbon tile and the KPI Details are updated after the performance analytics job executes at 02:00 local time. To learn more, see How Daily Compliance score, trend, and graph data is refreshed.