
Essential ServiceNow Logs for Security: Authentication, Errors, and System Events

post was made, and I was working through some security tasks of my own. I felt inspired to make a post about it. Below is a list of logs we need to review for ServiceNow.

Can anyone provide us with Names, Tables, and Sources for the logs listed?

  • Authentication successes and failures

  • Authorization (access control) failures

    • This would be verbose and you wouldn't want this.

    • Do you mean code failures? They would show up as errors in the logs... but not explicitly listed for an ACL, a code error.

  • Application startups and shutdowns

    • So. Application startups depend on what you mean by "applications". If you mean NODES, then that's on sys_cluster_state; in the payload, look for the servlet.started XML node.

    • If you mean something else I don't think that's how this works.

  • Configuration changes

    • This is available on sys_update_xml.

  • Changes to code files or memory

    • This is the same as configuration changes. ServiceNow has no files you can change like a traditional server, at least not that we can access.

  • Application errors and system events e.g. syntax and runtime errors, connectivity problems, performance issues, third party service error messages, file system errors

  • Input validation failures e.g. protocol violations, unacceptable encodings, invalid parameter names and values

    • I'd guess this would be in the syslog_list, but I'm not sure of the types of items you're expecting.

  • Output validation failures e.g. database record set mismatch, invalid data encoding

    • I'd guess this would be in the syslog_list, but I'm not sure of the types of items you're expecting.

  • Session management failures e.g. cookie session identification value modification

  • Acceptance of EULA/terms of use

    • Not OOTB, but if you applied servicenowguru's, then you'd look on the "Terms Acceptance" table. I can't find the update set to download.

  • Personal data usage notification/consent

    • Not sure what you mean by this. Do you mean like HIPAA, PII and the like? If so, there's nothing to say this SSN or address is added as a comment in the system. You'd have to add that via a customization.

  • Attack detection e.g. excessive authentication failures, file upload virus detection

    • See Auth Failures

      • com.glide.snap.enable_scan is a property that controls whether antivirus is on or not; by default, attachments are scanned for viruses.

      • glide.ui.strict_customer_uploaded_content_types restricts what can be loaded vs. downloaded to stop XSS.

      • glide.security.file.mime_type.validation restricts the file's MIME type on upload.

      • glide.ui.strict_customer_uploaded_static_content restricts the files somehow

      • glide.attachment.extensions restricts the file extensions allowed to be uploaded.

      • glide.image_provider.security_enabled restricts access to uploads to authenticated users

      • glide.ui.attachment.download_mime_types restricts downloadable MIME types.

  • Any other logs that would help identify suspicious, unacceptable, unexpected behavior, or other possibly malicious activities.
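As an added example (not code from the original post), a Python script that pulls two of the sources named above through the ServiceNow Table REST API (/api/now/table/<table>): it audits the attachment-security properties listed under attack detection against the values their descriptions imply, and groups recent sys_update_xml rows (the configuration-change source) by the user who made them. The instance name, credentials, the "hardened" expected values and the sample rows are assumptions constructed for the example.

```python
import base64
import json
import urllib.parse
import urllib.request
# Properties named in the post; the hardened value is an assumption drawn from the
# post's own description of each property, not from vendor documentation.
EXPECTED_PROPERTIES = {
    "com.glide.snap.enable_scan": "true",                       # attachment antivirus scanning
    "glide.security.file.mime_type.validation": "true",         # validate MIME type on upload
    "glide.ui.strict_customer_uploaded_content_types": "true",  # block content types usable for XSS
    "glide.ui.strict_customer_uploaded_static_content": "true",
    "glide.image_provider.security_enabled": "true",            # uploads need authentication
}

def table_url(instance: str, table: str, query: str, fields: list) -> str:
    """Build a Table REST API URL (/api/now/table/<table>) carrying an encoded query."""
    params = {"sysparm_query": query, "sysparm_fields": ",".join(fields), "sysparm_limit": "1000"}
    return f"https://{instance}.service-now.com/api/now/table/{table}?" + urllib.parse.urlencode(params)

def fetch_table(url: str, user: str, password: str) -> list:
    """GET the URL with basic auth and return its 'result' rows (live network call)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]

def audit_properties(records: list) -> dict:
    """Compare sys_properties rows against EXPECTED_PROPERTIES; return {name: (expected, actual)} for drift."""
    actual = {r["name"]: r.get("value", "") for r in records}
    return {name: (exp, actual.get(name)) for name, exp in EXPECTED_PROPERTIES.items()
            if actual.get(name) is None or actual[name].strip().lower() != exp}

def changes_by_user(records: list) -> dict:
    """Group sys_update_xml rows (the post's configuration-change source) by the user who made them."""
    out = {}
    for r in records:
        out.setdefault(r.get("sys_updated_by", "?"), []).append(r.get("name", "?"))
    return out

# Constructed sample rows standing in for API responses, so the checks run offline.
SAMPLE_PROPERTIES = [
    {"name": "com.glide.snap.enable_scan", "value": "true"},
    {"name": "glide.security.file.mime_type.validation", "value": "false"},
    {"name": "glide.image_provider.security_enabled", "value": "TRUE "},
]
SAMPLE_CHANGES = [
    {"name": "sys_properties_abc", "sys_updated_by": "admin"},
    {"name": "sys_script_include_def", "sys_updated_by": "jdoe"},
    {"name": "sys_properties_xyz", "sys_updated_by": "admin"},
]
```

Against a live instance, replace the sample rows with `fetch_table(table_url(instance, "sys_properties", "nameSTARTSWITHglide", ["name", "value"]), user, password)` and the equivalent sys_update_xml query filtered on sys_updated_on.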
