Tamper Detection
Summary of Tamper Detection
Tamper detection enhances the security of your ServiceNow instance by identifying unauthorized changes to quorum control settings. It uses hash-based message authentication codes (HMAC) to verify the integrity of these settings, preventing unauthorized modifications from being used by the platform.
How Tamper Detection Works
- When quorum control settings are created or changed, an HMAC is generated based on the setting value.
- Each time these settings are used, tamper detection validates them against the stored HMAC.
- Validation occurs daily through a scheduled job and prior to executing key withdrawals.
- If validation fails, the affected settings are blocked from use, and key withdrawals are prevented until issues are resolved.
Identifying and Responding to Tampering
- Validation failures are logged in the node and security logs, including the sys_id of the problematic setting record.
- A warning message appears on the Quorum Control Policy settings page for any setting that fails validation.
- Security and Key Management Framework (KMF) administrators receive notifications immediately upon validation failure.
- Successful validations are not logged, reducing noise in system logs.
Resolving Tampering Issues
Validation failures cannot be resolved internally and require contacting ServiceNow Support for assistance. After support intervention, administrators receive confirmation that the issue has been resolved, restoring normal operation and allowing key withdrawals to proceed.
Use tamper detection to improve security by detecting unauthorized changes to your quorum control settings.
Tamper detection process
When enabled, tamper detection validates your quorum control settings by checking for any unauthorized modifications (tampering). Tamper detection uses hash-based message authentication code (HMAC).
- When a setting is changed or created, your instance creates an HMAC. The HMAC is based on the value of the setting (dare_property) record.
- Whenever your instance uses these settings, tamper detection validates them using the HMAC.
- If the setting validates successfully, it can be used by the platform; otherwise, it cannot.
- Tamper detection runs daily on your instance
Tamper detection checks your settings for tampering using a daily scheduled job, and reports validation failures in your node and security logs. Tamper detection sends a notification to Security and KMF admins for validation failures.
- Tamper detection runs before executing a key withdrawal
Tamper detection also validates your properties when you request a key withdrawal. If your settings do not pass validation, the key withdrawal does not execute. In this case, you must resolve any validation issues before key withdrawal can complete.
Identifying tampering
- Tamper detection updates your logs when validation fails.
If tamper detection fails to validate any of your quorum control settings, these failures appear in your node and security logs. The log entry includes the sys_id of the settings (dare_property) record that failed validation.
2022-06-28 13:45:46 (582) Default-thread-5 B6FAC1F6C3D01110CF37169D7940DD6E txid=231c4d72c310 SEVERE HMAC_VALIDATION_FAILED:The dare_property record with sys_id: 776e3200c3210110900b169d7940dd76 failed HMAC validation
2022-06-28 13:47:35 (264) Default-thread-8 B6FAC1F6C3D01110CF37169D7940DD6E txid=8e8cc972c310 SEVERE HMAC_VALIDATION_FAILED:The dare_property record with sys_id: 758b3200c3210110900b169d7940dd76 failed HMAC validation
Logging displays information similar to these examples when validation fails. Successful validations don't appear in the logs.
- Tamper detection displays a warning message on your quorum control settings page
If a quorum control setting has failed validation, you can see a warning when you view the Quorum Control Policy settings page on your instance. The warning includes the sys_id of the settings (dare_property) record that failed validation.
- Tamper detection sends notifications to users with the Security Admin and KMF Admin roles
If tamper detection fails to validate any of your quorum control settings, your security admins and KMF admins receive a notification similar to this example.
Resolving tampering issues with ServiceNow support
If tamper detection fails to validate any of your quorum control settings, contact ServiceNow support for assistance in resolving the issue. After a support agent has resolved the validation failure, security and KMF admins receive a notification indicating that the issue has been resolved.
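The HMAC_VALIDATION_FAILED log entries shown under "Identifying tampering" can be collected per setting record for alerting or for a support case. The following is an added example, not ServiceNow code: the function name and report layout are assumptions, and the sample log reuses the two entries on this page plus two constructed lines.

```python
import re

# Sample node log. Lines 1-2 are the entries shown on this page; lines 3-4
# are constructed (a repeat failure from a later run and an unrelated entry).
SAMPLE_LOG = """\
2022-06-28 13:45:46 (582) Default-thread-5 B6FAC1F6C3D01110CF37169D7940DD6E txid=231c4d72c310 SEVERE HMAC_VALIDATION_FAILED:The dare_property record with sys_id: 776e3200c3210110900b169d7940dd76 failed HMAC validation
2022-06-28 13:47:35 (264) Default-thread-8 B6FAC1F6C3D01110CF37169D7940DD6E txid=8e8cc972c310 SEVERE HMAC_VALIDATION_FAILED:The dare_property record with sys_id: 758b3200c3210110900b169d7940dd76 failed HMAC validation
2022-06-29 02:00:11 (107) Default-thread-3 B6FAC1F6C3D01110CF37169D7940DD6E txid=0a1b2c3d4e5f SEVERE HMAC_VALIDATION_FAILED:The dare_property record with sys_id: 776e3200c3210110900b169d7940dd76 failed HMAC validation
2022-06-29 02:00:12 (340) Default-thread-3 B6FAC1F6C3D01110CF37169D7940DD6E txid=0a1b2c3d4e5f INFO Scheduled job completed
"""

# Matches one failure entry in the layout shown on this page. The pattern is
# not anchored to line starts, so entries that an export or copy/paste has run
# together on a single line are still found.
ENTRY = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \(\d+\) \S+ \S+ "
    r"txid=(?P<txid>[0-9a-f]+) SEVERE HMAC_VALIDATION_FAILED:"
    r"The dare_property record with sys_id: (?P<sys_id>[0-9a-f]{32}) "
    r"failed HMAC validation"
)


def failed_settings(log_text):
    """Group failures by dare_property sys_id (hypothetical report layout).

    Returns {sys_id: {"count", "first_seen", "last_seen", "txids"}}.
    """
    report = {}
    for m in ENTRY.finditer(log_text):
        rec = report.setdefault(
            m["sys_id"],
            {"count": 0, "first_seen": m["ts"], "last_seen": m["ts"], "txids": []},
        )
        rec["count"] += 1
        # Timestamps are "YYYY-MM-DD HH:MM:SS", so string order is time order.
        rec["first_seen"] = min(rec["first_seen"], m["ts"])
        rec["last_seen"] = max(rec["last_seen"], m["ts"])
        rec["txids"].append(m["txid"])
    return report


if __name__ == "__main__":
    for sys_id, rec in failed_settings(SAMPLE_LOG).items():
        print(f"{sys_id}: {rec['count']} failure(s), "
              f"{rec['first_seen']} to {rec['last_seen']}, txids={rec['txids']}")
```

Because successful validations are not logged, an empty result only means that no failure was recorded in the log text examined.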