Monitor security events

  • Release version: Yokohama
  • Updated January 30, 2025
  • 4 minutes to read

    • Analyze the event metrics in your instance so that you can identify and prevent potential security events.

    Important:

    Instance Security Center (ISC) has reached the end of sales as of September 2024, and is no longer supported or available for new activation.

    ServiceNow Security Center (SSC) is the recommended solution going forward. For more information, see Instance Security Center to ServiceNow Security Center migration.
    In the event ribbon, which is on the Instance Security homepage, you can analyze these metrics and accompanying detail to identify potential security events in the instance.
    • For each event metric, a real-time single score count appears, indicating how many times that the event occurred during the day in this instance. These single score reports are updated automatically as the corresponding events take place.
    • Each event metric also contains compliance trend and graph information over a range of dates. This information updates on a daily basis when you run the performance analytics job. To learn more, see the Analyzing event trend detail section.

    Event types

    You can monitor at least six of the following types of events. For more than six events, use the left or right arrows below the event ribbon to scroll through them. To learn how to configure the event ribbon, see Configure the security event ribbon.

    Notification preference Description
    Admin Logins Number of login attempts in this instance, during the calendar day, by users who have an assigned admin role.
    Admin Users Added Number of users with an admin role that were added in this instance during the calendar day. For example, your instance may have a security issue if the count is 10, but 4 users are known to have an assigned admin role.
    External Incoming Email To learn more, see Email metrics.
    External Logins Number of users with an assigned snc_external role who logged into this instance during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes. Monitoring this metric enables you to verify that the external login attempts are legitimate and not potential security issues.

    To learn more about assigning external user roles, see Explicit Roles.
    Failed Logins Number of attempted logins that failed in this instance during the calendar day.

    This metric may indicate that attempts are being made to log in and compromise your instance security.
    Impersonations Number of impersonation logins in this instance during the calendar day. To learn about impersonating users, see Impersonate a user.
    Quarantined Files

    Number of files that were quarantined when you ran Antivirus Scanning in this instance during the calendar day. To learn more about quarantined files and Antivirus Scanning, see Antivirus metrics and Antivirus Scanning.
    Security Elevations Number of times that a security administrator has elevated security for standard users by changing their assigned user role to a high privilege security role during the calendar day. These high privilege security roles include oauth_admin, admin, security_admin, and impersonator.
    • This metric indicates that someone might have tried to elevate the security of an unauthorized user. Do not use this metric by itself to detect a specific security compromise. Instead, treat this metric as an indication that you should check another metric to see if a security compromise has occurred.
    • To learn more about elevating user security, see Elevate to a privileged role and Elevated privilege roles.
    SNC Logins Number of Customer Service and Support personnel who logged into this instance using the hi-hopping technique during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes.

    For information on how to control ServiceNow corporate employee access, see ServiceNow access control.
    Spam To learn more, see Email metrics.
    Trusted Incoming Email To learn more, see Email metrics.
    Untrusted Incoming Email To learn more, see Email metrics.
    Virus Types Number of different types of antivirus events that occurred in this instance during the calendar day. To learn more about antivirus event types, see Antivirus metrics.

    Analyzing event trend detail

    To view trend details for an event metric, click the event count to access the Analytics Hub page. The details that appear for the instance depend on the type of metric.

    For example, to view a listing of each failed attempt on the Security Dashboard Event Logs page:
    • Select the Failed Logins metric.
    • In the Analytics Hub page, click Show Records.
    • Click one of the failed login attempts.
    • The detail includes the name of the user who attempted to log in, their IP address, and the table name that they tried to access.

    You can set up event threshold triggers in the Core UI Analytics Hub or Platform Analytics KPI Details to provide alerts when a certain event occurs within a range of scores for an indicator. You can also set targets that enable you to visualize the difference between the desired score and the actual score of an event.

    For example, you can set a threshold of 10 for the Failed Logins metric. When ten or more failed login attempts occur during the day, an alert is sent to specific security personnel. You can also set a similar target that provides a visual highlight in the Analytics Hub when 10 failed logins occur during a day.

    Trend data and graphs that appear in Event ribbon tile and the Analytics Hub are updated after the performance analytics job executes at 02:00 local time. To learn more, see How Daily Compliance score, trend, and graph data is refreshed.