Monitor security events
Summary of Monitor security events
This feature enables ServiceNow customers to analyze security event metrics within their instances to identify and prevent potential security threats. The Instance Security Center (ISC) has reached end of sales as of September 2024 and is no longer supported for new activations; customers are encouraged to migrate to ServiceNow Security Center (SSC) for continued security monitoring.
Security event metrics are displayed in real-time on the event ribbon on the Instance Security homepage, providing daily counts of occurrences and compliance trend data updated through scheduled performance analytics jobs.
Key Features
- Event Ribbon: Displays real-time counts of security events with trend graphs and compliance scores, updated daily.
- Event Types Monitored: Includes Admin Logins, Admin Users Added, External Incoming Email, External Logins, Failed Logins, Impersonations, Quarantined Files, Security Elevations, SNC Logins, Spam, Trusted/Untrusted Incoming Email, and Virus Types. Users can scroll to view more than six events.
- Detailed Event Analysis: Clicking an event count opens the Analytics Hub for detailed records, such as user names, IP addresses, and targeted tables for failed logins.
- Threshold and Target Settings: Customers can configure alerts and visual indicators within Analytics Hub when event counts exceed specified thresholds (e.g., alert on 10+ failed logins). This enables proactive response to security incidents.
- Security Event Ribbon Configuration: Allows customization of displayed events and their order on the ribbon, focusing monitoring on the most relevant security metrics.
- Notification Preferences: Customers can set how they receive alerts for specific event types, choosing email, Now Mobile push notifications, or third-party messaging platforms like Slack or Microsoft Teams.
Practical Application for ServiceNow Customers
ServiceNow customers can use these monitoring capabilities to gain visibility into security-related activities within their instances, detect unusual or unauthorized behavior, and respond quickly through configured alerts. The real-time event counts combined with trend analysis support ongoing compliance and security posture assessments.
By customizing the event ribbon and notification preferences, customers can tailor their security monitoring to match operational priorities and streamline incident response workflows.
Additional Considerations
- With ISC no longer supported for new activations, customers should plan migration to ServiceNow Security Center for future-proof security monitoring.
- Performance analytics jobs run daily at 02:00 local time to update trend data and scores.
- Related capabilities include scanning for incorrect security definitions and monitoring instance metrics for broader security governance.
Analyze the event metrics in your instance so that you can identify and prevent potential security events.
Instance Security Center (ISC) has reached the end of sales as of September 2024, and is no longer supported or available for new activation.
ServiceNow Security Center (SSC) is the recommended solution going forward. For more information, see Instance Security Center to ServiceNow Security Center migration.

- For each event metric, a real-time single score count appears, indicating how many times the event occurred during the day in this instance. These single score reports are updated automatically as the corresponding events take place.
- Each event metric also contains compliance trend and graph information over a range of dates. This information updates on a daily basis when you run the performance analytics job. To learn more, see the Analyzing event trend detail section.
Event types
You can monitor at least six of the following types of events. For more than six events, use the left or right arrows below the event ribbon to scroll through them. To learn how to configure the event ribbon, see Configure the security event ribbon.
| Event type | Description |
|---|---|
| Admin Logins | Number of login attempts in this instance, during the calendar day, by users who have an assigned admin role. |
| Admin Users Added | Number of users with an admin role that were added in this instance during the calendar day. For example, your instance may have a security issue if the count is 10, but 4 users are known to have an assigned admin role. |
| External Incoming Email | To learn more, see Email metrics. |
| External Logins | Number of users with an assigned snc_external role who logged into this instance during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes. Monitoring this metric enables you to verify that the external login attempts are legitimate and not potential security issues. To learn more about assigning external user roles, see Explicit Roles. |
| Failed Logins | Number of attempted logins that failed in this instance during the calendar day. This metric may indicate that attempts are being made to log in and compromise your instance security. |
| Impersonations | Number of impersonation logins in this instance during the calendar day. To learn about impersonating users, see Impersonate a user. |
| Quarantined Files | Number of files that were quarantined when you ran Antivirus Scanning in this instance during the calendar day. To learn more about quarantined files and Antivirus Scanning, see Antivirus metrics and Antivirus Scanning. |
| Security Elevations | Number of times that a security administrator has elevated security for standard users by changing their assigned user role to a high privilege security role during the calendar day. These high privilege security roles include oauth_admin, admin, security_admin, and impersonator. |
| SNC Logins | Number of Customer Service and Support personnel who logged into this instance using the hi-hopping technique during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes. For information on how to control ServiceNow corporate employee access, see ServiceNow access control. |
| Spam | To learn more, see Email metrics. |
| Trusted Incoming Email | To learn more, see Email metrics. |
| Untrusted Incoming Email | To learn more, see Email metrics. |
| Virus Types | Number of different types of antivirus events that occurred in this instance during the calendar day. To learn more about antivirus event types, see Antivirus metrics. |
Analyzing event trend detail
To view trend details for an event metric, click the event count to access the Analytics Hub page. The details that appear for the instance depend on the type of metric.
- Select the Failed Logins metric.
- In the Analytics Hub page, click Show Records.
- Click one of the failed login attempts.
- The detail includes the name of the user who attempted to log in, their IP address, and the table name that they tried to access.
You can set up event threshold triggers in the Core UI Analytics Hub or Platform Analytics KPI Details to provide alerts when a certain event occurs within a range of scores for an indicator. You can also set targets that enable you to visualize the difference between the desired score and the actual score of an event.
For example, you can set a threshold of 10 for the Failed Logins metric. When ten or more failed login attempts occur during the day, an alert is sent to specific security personnel. You can also set a similar target that provides a visual highlight in the Analytics Hub when 10 failed logins occur during a day.
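The threshold rule above can also be checked against exported failed-login records outside the platform. The following is an added example, not ServiceNow code: the record fields (`time`, `user`, `ip`), the sample data, and the use of UTC for the calendar day are assumptions.

```javascript
// Added example: field names and records are constructed, not a ServiceNow schema.
const THRESHOLD = 10; // the page's example: alert at ten or more failed logins per day

// Build n constructed failed-login records on `day` for one user and source IP.
function sample(day, n, user, ip) {
  return Array.from({ length: n }, (_, i) => ({
    time: `${day}T08:${String(i).padStart(2, "0")}:00Z`, user, ip,
  }));
}

// Bucket records by calendar day (assumption: UTC date part of the ISO timestamp).
function countByDay(records) {
  const days = new Map();
  for (const r of records) {
    const day = r.time.slice(0, 10);
    if (!days.has(day)) days.set(day, { total: 0, byIp: {}, byUser: {} });
    const d = days.get(day);
    d.total += 1;
    d.byIp[r.ip] = (d.byIp[r.ip] || 0) + 1;
    d.byUser[r.user] = (d.byUser[r.user] || 0) + 1;
  }
  return days;
}

// One alert per day whose count meets the threshold, with the busiest source IP
// and the number of distinct accounts involved, to help triage.
function thresholdAlerts(records, threshold = THRESHOLD) {
  const alerts = [];
  for (const [day, d] of countByDay(records)) {
    if (d.total < threshold) continue; // counts reset each calendar day
    const [topIp, topIpCount] = Object.entries(d.byIp).sort((a, b) => b[1] - a[1])[0];
    alerts.push({ day, total: d.total, topIp, topIpCount, users: Object.keys(d.byUser).length });
  }
  return alerts;
}

// Constructed input: 9 failures on one day, 11 on the next (from two sources).
const records = [
  ...sample("2024-05-01", 9, "a.user", "198.51.100.7"),
  ...sample("2024-05-02", 8, "a.user", "198.51.100.7"),
  ...sample("2024-05-02", 3, "b.user", "203.0.113.20"),
];
console.log(thresholdAlerts(records));
```

Because the count is per calendar day, the 9 failures on the first day do not carry over; only the second day reaches the threshold.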