Vault tools and metrics
Summary of Vault tools and metrics
ServiceNow Vault provides integrated tools and metrics designed to help you discover, classify, protect, and monitor sensitive data within your ServiceNow instance. These capabilities enable you to gain a comprehensive view of your data security posture, apply appropriate protections, and detect potential threats or data leaks efficiently.
Know your data
Vault uses Data Discovery to scan and identify sensitive data patterns across tables and attachments, presenting metrics such as occurrences and discovery status. Data Classification organizes data into manageable classes, highlighting what data can be classified and what has already been protected. This foundational understanding supports targeted data management and protection strategies.
Protect your data
ServiceNow Vault offers multiple protection mechanisms:
- Anonymization: Removes sensitive data while preserving patterns, ideal for sanitizing data for development or complying with privacy rights. Metrics include anonymization status for existing and real-time data, along with job run times.
- Cloud Encryption with Key Management: Uses block encryption with advanced key rotation and management to secure stored data. Viewing key metrics requires appropriate admin roles.
- Field Encryption: Protects sensitive fields while allowing authorized access, enhancing security against unauthorized actors. Metrics track encryption status, protected classes, and active keys, with role-based access for viewing.
- Log Export Service (LES): Forwards logs to external analytics to monitor data patterns, with default configurations available for new users.
- Zero Trust Access (ZTA): Implements continuous authentication for accessing sensitive classified data, with metrics on classifications protected by this policy.
Monitor your data
The AI Insights section helps monitor user activities that may indicate threats or data leaks. It collects data from real-time discovery in tables and communication channels like Now Assist and Virtual Agent. Visual charts display metrics such as:
- Users entering sensitive data in tables and channels
- Occurrences of sensitive data per channel and table, categorized by data pattern types (e.g., driver license numbers, financial info)
This insight allows you to prioritize data protection efforts based on detected risks.
Additional Vault tools
- Encryption Key Management and Field Encryption: Flexible encryption modules to enhance data security.
- Code Signing: Validates sensitive application configurations and scripts for improved security.
- Data Privacy plugin: Removes personally identifiable information (PII) during data migration from production to non-production instances.
- Data Discovery plugin: Identifies PII for classification and further protection.
- Log Export Service: Enables exporting log data to enterprise analytics platforms for security and performance monitoring.
- Zero Trust Access: Dynamically reduces user privileges within web sessions to strengthen access control.
By leveraging these tools and metrics, ServiceNow customers can effectively discover sensitive data, apply robust protection measures, and continuously monitor for potential security risks within their ServiceNow environments.
Learn about the tools and metrics ServiceNow Vault uses to protect and discover sensitive data.
ServiceNow Vault integrates with several tools to provide you with a cohesive overview of your sensitive data security. You can hover over a widget to get further insight on the reported data. Select the Go to button on any tool to go to its respective page.
Know your data
ServiceNow Vault uses Data Discovery and Data Classification to help you understand and know your data.

| Tool | Metric | Description |
|---|---|---|
| Discovery: Use Data Discovery to run a discovery scan to look for data patterns that might be sensitive data. Once discovered, data can then be reviewed or classified for further protection and management. | Discovered data | Occurrences of sensitive data across tables in your instance, categorized by sensitive data pattern type. |
| | Discovery status | Current state of all discovered sensitive data patterns, including new findings pending review, classified, or marked as ignored. |
| | Discovered attachments | Total sensitive data occurrences in attachments across tables in your instance. |
| Classification: Data Classification creates data classes and helps organize your data into data classes for better management. Classified data can be protected at the class level. | Classifiable data | Tables or columns that can be classified. |
| | Classified data | Dictionary entries, tables, or columns that are classified. |
Protect your data
ServiceNow Vault uses data anonymization, cloud encryption, field encryption, log export, and zero trust access to help secure and protect your data.

| Tool | Metric | Description |
|---|---|---|
| Anonymization: Anonymize data by data class with different anonymization techniques to preserve data patterns but remove sensitive data. Useful for sanitizing instances for development or removing specific user data because of rights to be forgotten. Default real-time protection policies are available from this card and are applied in addition to any existing policies. For more information, see . | Existing data | All classified data per workflow that is anonymized or not. |
| | Real time data | Number of successful real-time calls to anonymize sensitive data as it enters the platform, by channel. |
| | Anonymization run times | How long scheduled user- or data-based jobs ran in hours for existing data. |
| Cloud Encryption with Key Management: Securely protect sensitive data in encrypted storage for your data using block encryption, along with enhanced key management. | Active cloud key | Total rotations of the active cloud key. Note: To view this data, you need the Key Management Framework admin role (sn_kmf.admin or sn_kmf.cryptographic_manager). |
| | Key rotation | Time elapsed between each rotation of active keys on your instance. Bar height measures how long a key was used before rotation. Note: To view this data, you need the Key Management Framework admin role (sn_kmf.admin or sn_kmf.cryptographic_manager). |
| Field Encryption: Securely protect sensitive data while providing access for authorized users. Useful for increasing protections from bad actors. | Encrypted fields classification status | Classification status of all data protected with Field Encryption. |
| | Classes protected with Field Encryption | The proportion of classified data protected with Field Encryption. |
| | Active encryption keys | Number of active Field Encryption keys in your instance. Ideally, the number of active keys matches the number of classifications. Note: To view this data, you need the Key Management Framework admin role (sn_kmf.admin or sn_kmf.cryptographic_manager) and the security_admin role. |
| Zero Trust Access (ZTA): Continuous authentication while accessing classified sensitive data in real time. | Continuous Authentication classification status | Number of classifications that are protected due to the Continuous Authentication policies. |
| | Classes protected with Continuous authentication | Number of classes protected with continuous authentication, categorized by class. |
Monitor your data
The AI Insights section within ServiceNow Vault helps you keep track of activities that may indicate potential threats or data leaks. These activities are generated from channels such as Now Assist and Virtual Agent, as well as database tables configured with real-time discovery. This insight can help you prioritize your data protection strategies more effectively. Select View tool metrics to see the underlying metrics.

| Metric | Chart Component | Description |
|---|---|---|
| User entering sensitive data | In tables with real-time discovery | The number of users whose sensitive data entries were detected in database tables configured with real-time discovery. |
| | In channels | The number of users whose sensitive data entries were detected within channels such as Now Assist or Virtual Agent. |
| Channels with sensitive data | Channel bars (x-axis) | Stacked bars representing each channel where sensitive data was detected, broken down by data patterns. The data pattern legend displays the color code for each pattern. They may include driver license numbers, financial information, and personal identifiers. |
| | Occurrences of sensitive data (y-axis) | The count of sensitive data instances detected per channel. |
| Tables with sensitive data found through real-time discovery | Table bars (x-axis) | Stacked bars representing each database table where sensitive data was detected, broken down by data patterns. |
| | Occurrences of sensitive data | The count of sensitive data instances detected per table. |

All ServiceNow Vault tools
Key Management and Field Encryption is a suite of highly configurable encryption modules