User metrics

  • Release version: Yokohama
  • Updated April 22, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of User metrics

    User metrics in ServiceNow Yokohama release enable you to analyze user activity within your instance, focusing on identifying anomalous behaviors linked to specific user types and activities. These metrics help you monitor user engagement, security roles, login trends, and security-related events to maintain proper access control and ensure compliance.

    Show full answer Show less

    Key Features

    • Not Logged In Metrics: Track users who have not logged in within the last month, six months, or year. Clicking on these metrics shows the list of inactive users, allowing you to review user details and take action if needed.
    • Users with High Privilege Roles: Monitor users assigned to critical administrative roles such as admin, aishighsecurityadmin, passwordresetadmin, scriptincludeadmin, securityadmin, and useradmin. You can review the user list for each role and verify proper role assignments to ensure security compliance.
    • Users Trend: Displays trending counts over time for active users, inactive users, and users locked out of the instance. Detailed user records are accessible for investigation and remediation.
    • Events Trend: Provides daily counts of key events including admin logins, external logins, failed logins, impersonations, security elevation actions, and SNC (Customer Service and Support) logins. This allows you to detect unusual login patterns or potential security threats.

    Practical Use for ServiceNow Customers

    ServiceNow customers can use these user metrics to:

    • Identify users who may no longer require access based on inactivity and take appropriate actions such as deactivation.
    • Ensure that high privilege roles are assigned only to authorized personnel, reducing security risks.
    • Monitor login behaviors and detect unauthorized or suspicious activities, such as failed login attempts or impersonation events.
    • Respond promptly to locked-out users or security elevation events to maintain secure and compliant access controls.

    By leveraging these metrics, you can enhance your instance's security posture and user management effectiveness.

    Analyze user metrics to look for anomalous behaviors that are related to specific types of user activity in your instance.

    Not Logged in Last Month / Last Six Months / Last Year

    Indicates the number of users who have not logged into the instance within the last month, within the last six months, and within the last calendar year. To view user detail for a specific metric:
    • Click the metric to view a listing of users that have not logged in to the instance during the indicated time period.
    • Click a user name to view more details about that user.

    Users with High Privilege Roles

    Indicates the number of users with the following high privilege role types:
    User role Description
    admin Primary administrator role that has access to all system features, functions, and data, regardless of security constraints.
    ais_high_security_admin Elevated privilege role that enables a user to access High Security settings for AI Search. To learn more, see Assign roles to AI Search administrators and users.
    password_reset_admin Administrator role that enables a user to view the status of password reset activities, identify potential security threats, and monitor for compliance with password security policies. To learn more, see Password Reset and Password Change reports and logs.
    script_include_admin Administrator role that also has access to script includes.
    security_admin Elevated privilege role that enables a user to create and change access controls and High Security Settings. To learn more, see Security_admin role
    user_admin Administrator role that can also manage users, roles, user groups, roles, and department assignments.
    Note:
    To learn more about these administrative role types, see Special administrative roles.
    To view user detail for a specific user role metric:
    • Click the user count role metric to view a listing of users with that high privilege role type.
    • Click a user name to view more details about that user. You can then determine if these security-critical roles are assigned to the proper personnel.

    Users Trend

    Shows count trend information over a time period for the following types of users:
    Count type Description
    Active Users Number of users who are marked as Active in the instance.
    Inactive Users Number of users who are marked as Inactive in the instance.
    Locked Out Number of users who are locked out of the instance.
    To view user detail for a specific user count (for example, Locked Out Users):
    • Click the Locked out users metric.
    • In the Analytics Hub page, click Show Records.
    • Click a user name to view more details about that user. You can then determine if there is a reason this person is locked out and remedy the situation.

    Events Trend

    Shows count trend information for specific types of events, over a time period:
    Event type Description
    Admin login Number of users with high privilege administrator user roles who logged in on a specific day.
    External login Number of users with an assigned snc_external role who logged into this instance during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes. Monitoring this metric enables you to verify that the external login attempts are legitimate and not potential security issues.
    Failed login Number of failed login attempts on a specific day.
    Impersonation Number of users logged in on a specific day who are impersonating other users.
    Security elevation Number of times that a security administrator has elevated security for standard users by changing their assigned user role to a high privilege security role during the calendar day. These high privilege security roles include oauth_admin, admin, security_admin, and impersonator.
    SNC login Number of Customer Service and Support who logged in to this instance using the hi-hopping technique during a specific day.
    To view user detail for a specific event count (for example, Impersonation):
    • Click the user count metric. The Security Dashboard Event Logs page lists event logs for that type of event.
    • Click a user name to view more details about that event.