A post was made and I
was working through some security stuff of my one. I felt inspired to
make a post about it. Below is a list of logs we need to review
regularly for ServiceNow

Can anyone provide us with Names, Tables, and Sources for the logs

  • Authentication successes and failures
  • Authorization (access control) failures
    • This would be very verbose and you wouldn't want this.
    • Do you mean code failures? They would show up as errors in the
      logs... but not explicitly listed for an acl, just an code
  • Application startups and shutdowns
    • So. Application startups depends on what you mean
      "applications". If you mean NODES than thats on
      sys_cluster_state in the payload look for servlet.started
      xml node.
    • If you mean something else I don't think that's how this works.
  • Configuration changes
    • this is available on sys_update_xml
  • Changes to code files or memory
    • This is the same as configuration changes. Servicenow has no
      files you can modify like a traditional server, at least not
      that we can access.
  • Application errors and system events e.g.┬ásyntax and runtime errors,
    connectivity problems, performance issues, third party service error
    messages, file system errors
  • Input validation failures e.g.┬áprotocol violations, unacceptable
    encodings, invalid parameter names and values
    • I'd guess this would be in the syslog_list, but I'm not sure
      exactly the types of things you're expecting.
  • Output validation failures e.g.┬ádatabase record set mismatch,
    invalid data encoding
    • I'd guess this would be in the syslog_list, but I'm not sure
      exactly the types of things you're expecting.
  • Session management failures e.g.┬ácookie session identification value
  • Acceptance of EULA/terms of use
    • Not ootb, but if you applied
      then you'd look on the "Terms Acceptance table". However I can't
      find the update set to download.
  • Personal data usage notification/consent
    • Not sure what you mena by this. Do you mean like HIPAA, PII and
      the like? If so there's nothing to say this ssn, or address is
      added as a comment in the system. You'd have to add that via a
  • Attack detection e.g.┬áexcessive authentication failures, file upload
    virus detection
    • See Auth
    • There is no virus checking to my knowledge of uploaded files,
      however you can control the upload types and sizes from these
      • System Properties >
        glide.ui.strict_customer_uploaded_content_types restricts
        what can be loaded vs downloaded to stop xss
      • System Properties >
        glide.security.file.mime_type.validation restricts the
        file's mime type on upload
      • System Properties >
        glide.ui.strict_customer_uploaded_static_content restricts
        the files somehow
      • System Properties > glide.attachment.extensions restricts
        the files extensions allowed to be uploaded
      • System Properties > glide.image_provider.security_enabled
        restricts access to uploads to authenticated users
      • System Properties >
        glide.ui.attachment.download_mime_types restricts
        downloadable mime types
  • Any other logs that would help identify suspicious, unacceptable,
    unexpected behavior, or other possibly malicious activities.