User metrics

  • Release version: Xanadu
  • Updated April 22, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of User metrics

    The User metrics feature in ServiceNow enables customers to monitor and analyze user behavior to identify anomalies related to specific user activities within their instance. This helps ensure proper user management, security oversight, and compliance by providing detailed insights into user login patterns, role assignments, and security-related events.

    Show full answer Show less

    Key Features

    • Not Logged In Metrics: Tracks users who have not logged into the instance within the last month, six months, or calendar year. Clicking these metrics shows detailed user lists to help identify inactive users for follow-up or cleanup.
    • Users with High Privilege Roles: Displays counts of users assigned critical administrative roles such as admin, aishighsecurityadmin, passwordresetadmin, scriptincludeadmin, securityadmin, and useradmin. You can drill down to see which users hold these roles to verify proper assignment and reduce security risks.
    • Users Trend: Shows trends over time for active, inactive, and locked-out users, allowing you to track user status changes and quickly identify locked-out users for remediation.
    • Events Trend: Provides daily counts for key security-related events including admin logins, external logins (for maintenance or audits), failed login attempts, impersonation activities, security elevation events (role changes to high privilege), and SNC login activities. You can view detailed event logs and user information to investigate suspicious behavior.

    Key Outcomes

    • Quick identification of inactive users to maintain an accurate and secure user base.
    • Visibility into users with high privilege roles to ensure roles are assigned to appropriate personnel and reduce security vulnerabilities.
    • Ability to monitor trends in user activity and security events, enabling proactive detection of anomalous or unauthorized behaviors.
    • Access to detailed user and event-level data for thorough investigation and remediation of security issues such as failed logins, impersonations, and role elevations.

    Analyze user metrics to look for anomalous behaviors that are related to specific types of user activity in your instance.

    Not Logged in Last Month / Last Six Months / Last Year

    Indicates the number of users who have not logged into the instance within the last month, within the last six months, and within the last calendar year. To view user detail for a specific metric:
    • Click the metric to view a listing of users that have not logged in to the instance during the indicated time period.
    • Click a user name to view more details about that user.

    Users with High Privilege Roles

    Indicates the number of users with the following high privilege role types:
    User role Description
    admin Primary administrator role that has access to all system features, functions, and data, regardless of security constraints.
    ais_high_security_admin Elevated privilege role that enables a user to access High Security settings for AI Search. To learn more, see Assign roles to AI Search administrators and users.
    password_reset_admin Administrator role that enables a user to view the status of password reset activities, identify potential security threats, and monitor for compliance with password security policies. To learn more, see Password Reset and Password Change reports and logs.
    script_include_admin Administrator role that also has access to script includes.
    security_admin Elevated privilege role that enables a user to create and change access controls and High Security Settings. To learn more, see Security_admin role
    user_admin Administrator role that can also manage users, roles, user groups, roles, and department assignments.
    Note:
    To learn more about these administrative role types, see Special administrative roles.
    To view user detail for a specific user role metric:
    • Click the user count role metric to view a listing of users with that high privilege role type.
    • Click a user name to view more details about that user. You can then determine if these security-critical roles are assigned to the proper personnel.

    Users Trend

    Shows count trend information over a time period for the following types of users:
    Count type Description
    Active Users Number of users who are marked as Active in the instance.
    Inactive Users Number of users who are marked as Inactive in the instance.
    Locked Out Number of users who are locked out of the instance.
    To view user detail for a specific user count (for example, Locked Out Users):
    • Click the Locked out users metric.
    • In the Analytics Hub page, click Show Records.
    • Click a user name to view more details about that user. You can then determine if there is a reason this person is locked out and remedy the situation.

    Events Trend

    Shows count trend information for specific types of events, over a time period:
    Event type Description
    Admin login Number of users with high privilege administrator user roles who logged in on a specific day.
    External login Number of users with an assigned snc_external role who logged into this instance during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes. Monitoring this metric enables you to verify that the external login attempts are legitimate and not potential security issues.
    Failed login Number of failed login attempts on a specific day.
    Impersonation Number of users logged in on a specific day who are impersonating other users.
    Security elevation Number of times that a security administrator has elevated security for standard users by changing their assigned user role to a high privilege security role during the calendar day. These high privilege security roles include oauth_admin, admin, security_admin, and impersonator.
    SNC login Number of Customer Service and Support who logged in to this instance using the hi-hopping technique during a specific day.
    To view user detail for a specific event count (for example, Impersonation):
    • Click the user count metric. The Security Dashboard Event Logs page lists event logs for that type of event.
    • Click a user name to view more details about that event.