Use this playbook to investigate an incident involving credential sniffing activities performed through the sys_installation_exit table in a ServiceNow instance. The following steps give you a walkthrough of the actions, tasks, and subflows that are available in the Credential Sniffing playbook.
Before you begin
Role required:
sn_si.admin
flow_designer
Procedure
When the playbook is triggered and starts executing, in Action 1, review the following alert details.
Instance
Session ID
Transaction ID
_raw: Provides the whole script.
Example script:
var pass = request.getParameter("user_password");
gs.log(pass);
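The _raw field carries the full installation exit script, so the first triage question is whether that script reads a password-bearing request parameter and then writes it somewhere it can be read back, as the example above does. The following JavaScript is an added triage helper, not part of the ServiceNow playbook or product: it scans a _raw value for exactly that read-then-log pattern. The parameter names, the list of gs.* logging sinks, and the sample scripts are assumptions and constructed data, not a ServiceNow detection rule.

```javascript
// Added triage helper (not part of the ServiceNow playbook or product): scans
// the _raw script of a sys_installation_exit alert for the pattern the page
// illustrates, a request parameter carrying a password that is read into a
// variable and then written to a gs.* log sink. The parameter names and sink
// list below are an assumed heuristic, not a ServiceNow detection rule.

// Constructed sample _raw values (not real alert data).
const SAMPLE_SCRIPTS = {
  sniffing: 'var pass = request.getParameter("user_password");\ngs.log(pass);',
  indirect: 'var p = request.getParameter("password");\n' +
            'gs.error("login debug: " + p);',
  readOnly: 'var pw = request.getParameter("user_password");\n' +
            'var ok = pw.length >= 8;',
  benign:   'var user = request.getParameter("user_name");\n' +
            'gs.info("login attempt for " + user);',
};

// Assignment of a secret-bearing request parameter to a variable.
const SECRET_READ_RE =
  /(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*request\.getParameter\(\s*['"](user_password|password|passwd|pwd)['"]\s*\)/gi;

// GlideSystem logging methods that persist whatever they are handed.
const SINK_NAMES = 'log|info|warn|error|debug|print';

// Does the variable appear inside a gs.<sink>( ... ) call before the statement ends?
function flowsToSink(raw, variable) {
  const re = new RegExp('\\bgs\\.(?:' + SINK_NAMES + ')\\s*\\([^;]*\\b' + variable + '\\b');
  return re.test(raw);
}

// Returns { secretReads, exfilVariables, verdict } where verdict is
// 'suspicious' (secret read and logged), 'review' (secret read only) or 'clean'.
function assessScript(raw) {
  const secretReads = [];
  const exfilVariables = [];
  SECRET_READ_RE.lastIndex = 0;
  let m;
  while ((m = SECRET_READ_RE.exec(raw)) !== null) {
    const variable = m[1];
    const param = m[2];
    secretReads.push({ variable, param });
    if (flowsToSink(raw, variable)) exfilVariables.push(variable);
  }
  let verdict = 'clean';
  if (exfilVariables.length > 0) verdict = 'suspicious';
  else if (secretReads.length > 0) verdict = 'review';
  return { secretReads, exfilVariables, verdict };
}

// Stand-alone run: print a verdict for each constructed sample.
for (const [name, raw] of Object.entries(SAMPLE_SCRIPTS)) {
  const r = assessScript(raw);
  console.log(name.padEnd(9), r.verdict, r.exfilVariables.join(','));
}
```

A 'suspicious' verdict supports going straight to the end user ticket path; a 'review' verdict means the script touches a password but the helper could not see it leave, so read the rest of the _raw script by hand before deciding.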
In Action 2, based on the data collected so far, check whether an end user ticket is required for this alert.
In Action 3, if the alert does not require an end user ticket, then in Action 4, document the findings so far.
The flow ends.
Figure 1. Credential Sniffing Playbook
In Action 5, if the alert requires an end user ticket, then perform the following steps:
In Action 6, inform the end user that the alert requires an end user ticket.
In Action 7, investigate further based on the user's response and the user's sessions during the last couple of days.
In Action 8, discuss the remediation steps for the instance with peers, such as locking out the user and determining which users' passwords might have been read.
In Action 9, raise an incident or ticket to reset the compromised user credentials.
In Action 10, lift the containment and bring the systems back to operational standards.
The flow ends.
In Action 11, complete the post-incident review before closing the task.