How to Investigate User Account Activity Issue

For the latest information about monitoring user activity, see Monitoring user activity.

When there is a need to review a specific user's behavior, the recommended steps for reviewing the transaction logs and event logs are:

- Locate the IP address of successful/failed logins for a particular ServiceNow user on their instance
- Modify the time frame of the search
- Limit the scope of the search by user name
- Review successful/failed login attempts

Procedure

Locate User Activity Process Steps

1. Log in to the instance as an admin.
2. Identify the transaction logs. Transaction logs are kept for over 49 days by default unless the instance admin has adjusted the table rotation for the [syslog_transaction] table; anything older than the configured retention is no longer available from the instance.
3. Navigate to System Logs > Transactions:
   https://<instance_name>.service-now.com/syslog_transaction_list.do
4. Adjust the filter to narrow the logs down for investigative purposes:
   - Required time frame: filter on "Created"
   - User name: filter on "Created by" with the operator "starts with" or "contains"

Narrow the log date range

From this list view, adjust the filter as follows:
- Created on: adjust to any date or time frame the customer needs
- Created by: adjust to the affected user name

Identify the IP address of the user login

Click the cog wheel in the upper-left corner of the table to open Personalize List Columns. Add the IP address column to the list view to see the IP address each of the user's transactions came from.

Identify Successful/Failed Login Attempts

Note that this covers local accounts only: SNC.Auth.DB events are generated when a user authenticates against the instance's local user database, so logins through SSO or another external identity provider do not appear here.

1. Log in to the instance as an admin.
2. Navigate to System Logs > Events:
   https://<instance_name>.service-now.com/sysevent_list.do?sysparm_query=sys_created_onONToday%40javascript:gs.daysAgoStart(0)%40javascript:gs.daysAgoEnd(0)%5EGOTOnameSTARTSWITHSNC.Auth.DB
   This URL pre-filters the list to today's events whose name starts with SNC.Auth.DB.
3. From this list view, adjust the filter as follows:
   - Created on: adjust to any date or time frame the customer needs
   - Created by: adjust to the affected user name

Additional Recommended Actions for Evaluating Activity of Concern

Once the above steps have been completed, it is recommended that the customer also perform the following actions to determine whether any suspicious activity took place that was either not captured in the logs identified above or occurred outside the current log retention period:

- Determine the roles assigned to the target user by reviewing the sys_user_has_role table, filtered to entries for the user in question.
- Review the sys_audit table for any unexpected changes made within the instance. See this docs page for more details:
  https://www.servicenow.com/docs/csh?topicname=c_UnderstandingTheSysAuditTable.html&version=latest
- Review the sys_user table for any newly created users that are not recognized, especially those with privileged roles.
- Review service accounts and ensure they are configured according to the best practices in this KB:
  https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1933421
- Review whether there are any newly scheduled jobs that the platform owner team does not recognize. See this docs page for how to review scheduled jobs:
  https://www.servicenow.com/docs/csh?topicname=view-scheduled-jobs.html&version=latest
- Review the Customer Updates table for any unexpected activity. Details on navigating this table are in the linked documentation:
  https://www.servicenow.com/docs/csh?topicname=r_CustomerUpdatesTable.html&version=latest
- Review the Security Center Metrics dashboard (/now/security-center/my_security_metrics), especially the following metrics:
  - Privileged Users: Local logins of privileged users not protected by MFA in Security Center
  - Privileged Users: New users
  - Privileged Users: Successful logins
  - Users: Successful logins
  - Users: Inactive users who are not locked out
  - Users: New users
  - Privileged Identities: Admin users added
  - Privileged Identities: Admin logins
  - Authentication: Users using MFA Bypass
  - Authentication: High privileged non-MFA users
  - Export: Total Exports

Reviewing Node Logs Based on IP Address

To review your node logs for activity associated with a specific set of IP addresses, first ensure that all node logs are downloaded from your instance by following the instructions in this KB:
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0826291

Once your node logs are downloaded, put them in a separate folder, then navigate to that folder in your terminal of choice.

Linux/Mac User Instructions

Add the IP addresses reported by ServiceNow to a text file, one per line, with the command below, pressing Ctrl+D on a blank line when complete:

cat > reported_ip_addresses.txt

Once reported_ip_addresses.txt is created, run the command below. It loops through every log file in the folder and creates the result files for each one:

-- Command Begins --
for LOG in app*localhost_log*.txt; do
  # Node identifier (e.g. app123456) taken from the start of the file name; it prefixes the output files
  PREFIX=$(echo "$LOG" | grep -oE '^app[0-9]+')
  echo "[$PREFIX] Step 1/3: searching for IPs..."
  # -F: fixed strings, -w: whole-word match, so 10.0.0.1 does not also match 10.0.0.10 or 110.0.0.1
  grep -F -w -f reported_ip_addresses.txt "$LOG" > "${PREFIX}_activity_from_ips.txt"
  echo "[$PREFIX] Step 2/3: extracting txids..."
  # Collect the unique transaction ids seen on those lines
  grep -oE 'txid=[0-9a-f]+' "${PREFIX}_activity_from_ips.txt" | sed 's/txid=//' | sort -u > "${PREFIX}_associated_txids.txt"
  echo "[$PREFIX] Step 3/3: pulling all lines for those txids (this is the slow one on big files)..."
  # Pull every line of those transactions, not only the lines that mention the IP
  grep -F -w -f <(sed 's/^/txid=/' "${PREFIX}_associated_txids.txt") "$LOG" > "${PREFIX}_activity_from_txids.txt"
  echo "[$PREFIX] Done."
done
-- Command Ends --

As it runs, you will see progress messages like:

[app######] Step 1/3: searching for IPs...
[app######] Step 2/3: extracting txids...
[app######] Step 3/3: pulling all lines for those txids (this is the slow one on big files)...
[app######] Done.

Next, see the Script Output section after the Windows PowerShell Instructions.

Windows PowerShell Instructions

Run this command. A prompt lets you type or paste your IP addresses, one per line. When finished, enter a blank line (just press Enter on an empty line) to stop:

-- Command Begins --
$ips = @()
while ($true) {
    $line = Read-Host "Enter IP (blank line to finish)"
    if ([string]::IsNullOrWhiteSpace($line)) { break }
    $ips += $line.Trim()
}
$ips | Set-Content -Path "reported_ip_addresses.txt"
Write-Host "Saved $($ips.Count) IP address(es)."
-- Command Ends --

This saves your IP addresses into reported_ip_addresses.txt, one per line.

Paste this entire block and press Enter. It loops through every matching log file in the folder and creates the result files for each one, with progress messages.
-- Command Begins --
# Escape each reported IP so the dots match literally, and anchor it on word boundaries
# so 10.0.0.1 does not also match 10.0.0.10 or 110.0.0.1
$ipPatterns = Get-Content "reported_ip_addresses.txt" |
    Where-Object { $_.Trim() -ne "" } |
    ForEach-Object { '\b' + [regex]::Escape($_.Trim()) + '\b' }

Get-ChildItem -File | Where-Object { $_.Name -match '^app\d+.*localhost_log' } | ForEach-Object {
    $log = $_.FullName
    $name = $_.Name
    # Node identifier (e.g. app123456) taken from the start of the file name; it prefixes the output files
    $prefix = [regex]::Match($name, '^app\d+').Value
    if ([string]::IsNullOrEmpty($prefix)) { $prefix = "unknown" }

    Write-Host "[$prefix] Step 1/3: searching for IPs..."
    Select-String -Path $log -Pattern $ipPatterns |
        ForEach-Object { $_.Line } |
        Set-Content -Path "${prefix}_activity_from_ips.txt"

    Write-Host "[$prefix] Step 2/3: extracting txids..."
    # Collect the unique transaction ids seen on those lines
    Select-String -Path "${prefix}_activity_from_ips.txt" -Pattern 'txid=([0-9a-f]+)' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Groups[1].Value } |
        Sort-Object -Unique |
        Set-Content -Path "${prefix}_associated_txids.txt"

    Write-Host "[$prefix] Step 3/3: pulling all lines for those txids (this is the slow one on big files)..."
    # Pull every line of those transactions, not only the lines that mention the IP;
    # the trailing \b stops txid=abc from also matching txid=abc1
    $txids = @(Get-Content "${prefix}_associated_txids.txt" |
        Where-Object { $_.Trim() -ne "" } |
        ForEach-Object { "txid=" + [regex]::Escape($_.Trim()) + '\b' })
    if ($txids.Count -gt 0) {
        Select-String -Path $log -Pattern $txids |
            ForEach-Object { $_.Line } |
            Set-Content -Path "${prefix}_activity_from_txids.txt"
    } else {
        Set-Content -Path "${prefix}_activity_from_txids.txt" -Value ""
    }
    Write-Host "[$prefix] Done."
}
-- Command Ends --

As it runs, you will see progress messages like:

[app#######] Step 1/3: searching for IPs...
[app#######] Step 2/3: extracting txids...
[app#######] Step 3/3: pulling all lines for those txids (this is the slow one on big files)...
[app#######] Done.
Script Output

For each node, three files are created, each prefixed with the node's app###### identifier:

- app######_activity_from_ips.txt: every log line that mentions one of your reported IPs
- app######_associated_txids.txt: the unique transaction IDs (txids) pulled from those lines
- app######_activity_from_txids.txt: every log line for those transactions, giving the full activity of each one

Review these files to identify what activities your node logs recorded for your instance. For questions on how node logs are structured, create a Case with ServiceNow Support.
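The list-view filters from the Locate User Activity and Identify Successful/Failed Login Attempts steps can also be reproduced against the instance's Table API, so the per-user IP review can be repeated for several users or time windows without personalizing list columns by hand. The following is an added example, not part of this KB or of ServiceNow's tooling. It assumes the standard Table API endpoint (/api/now/table/<table>), basic authentication for the investigating admin account, and that the transaction log's IP column is named ip_address; the records in SAMPLE_TRANSACTIONS are constructed for the example and are not real instance data.

```python
"""Pull a user's transactions and local-login events via the ServiceNow Table API
and summarise the source IP addresses (added example; not the KB's own tooling)."""
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample records in the shape the Table API returns under "result".
# The ip_address field name is an assumption of this example.
SAMPLE_TRANSACTIONS = [
    {"sys_created_on": "2024-05-01 08:00:01", "sys_created_by": "jdoe",
     "ip_address": "203.0.113.5", "url": "/incident.do"},
    {"sys_created_on": "2024-05-01 08:00:07", "sys_created_by": "jdoe",
     "ip_address": "203.0.113.5", "url": "/sys_user_list.do"},
    {"sys_created_on": "2024-05-01 23:41:10", "sys_created_by": "jdoe",
     "ip_address": "198.51.100.77", "url": "/sys_user_has_role.do"},
]


def transaction_query(user, start, end):
    """Encoded query matching the article's list filter on syslog_transaction:
    Created by starts with <user>, Created on within [start, end]
    (timestamps as 'YYYY-MM-DD HH:MM:SS' in the instance time zone)."""
    return (f"sys_created_bySTARTSWITH{user}"
            f"^sys_created_on>={start}^sys_created_on<={end}")


def login_event_query(user, start, end):
    """Same window on sysevent, restricted to local-account authentication
    events (name starts with SNC.Auth.DB). SSO logins do not produce these."""
    return "nameSTARTSWITHSNC.Auth.DB^" + transaction_query(user, start, end)


def table_api_url(instance, table, query, fields, limit=10000):
    """Build the Table API GET URL; quote (not quote_plus) keeps spaces as %20."""
    params = {"sysparm_query": query,
              "sysparm_fields": ",".join(fields),
              "sysparm_limit": str(limit)}
    return (f"https://{instance}.service-now.com/api/now/table/{table}?"
            + urllib.parse.urlencode(params, quote_via=urllib.parse.quote))


def fetch(url, username, password, timeout=60):
    """GET the URL with basic auth and return the 'result' list. Network call;
    not exercised offline. Use an account with only the read access needed."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]


def summarise_ips(records, ip_field="ip_address"):
    """Per-IP transaction count, first/last seen and the user names involved."""
    summary = {}
    for rec in records:
        ip = rec.get(ip_field) or "<none>"
        ts = rec.get("sys_created_on", "")
        entry = summary.setdefault(ip, {"count": 0, "first": ts, "last": ts, "users": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["users"].add(rec.get("sys_created_by", ""))
    return summary


def unexpected_ips(summary, known_ips):
    """IPs in the summary that are not in the user's known/baseline set."""
    return set(summary) - set(known_ips)


if __name__ == "__main__":
    q = transaction_query("jdoe", "2024-05-01 00:00:00", "2024-05-02 00:00:00")
    print(table_api_url("<instance_name>", "syslog_transaction", q,
                        ["sys_created_on", "sys_created_by", "ip_address", "url"]))
    s = summarise_ips(SAMPLE_TRANSACTIONS)
    for ip, info in sorted(s.items()):
        print(ip, info["count"], info["first"], info["last"], sorted(info["users"]))
    print("not in baseline:", unexpected_ips(s, {"203.0.113.5"}))
```

Feed the list returned by fetch() into summarise_ips() and compare the result against the addresses the user normally connects from; any IP outside that baseline, especially one whose transactions touch sys_user, sys_user_has_role or export URLs, is the one to pivot on in the node logs.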
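The three-step pivot in the Reviewing Node Logs Based on IP Address section (lines mentioning a reported IP, then their txids, then every line of those transactions) is reproduced here in Python as an added example; it is not part of this KB or of ServiceNow's tooling. Beyond what the shell and PowerShell loops do, it matches IP addresses as whole tokens, so 203.0.113.5 does not also pull in 203.0.113.50, and it summarises each transaction (first/last timestamp, IPs seen, line count) so a long activity_from_txids file can be triaged. The lines in SAMPLE_LOG are constructed for the example and do not reproduce the real node-log format; the only thing assumed about real lines is that each carries a txid=<hex> token and, where relevant, the client IP somewhere on the line, as the article's scripts also assume.

```python
"""Pivot downloaded node logs from reported IP addresses to full transactions
(added example; not ServiceNow's tooling). Sample lines are constructed."""
import re
from collections import defaultdict
from pathlib import Path

# Whole-address IPv4 token: lookarounds stop 10.0.0.1 matching inside 10.0.0.10 or 110.0.0.1
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
TXID = re.compile(r"txid=([0-9a-f]+)")
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Constructed sample (not the real node-log layout); note the 203.0.113.50 decoy line.
SAMPLE_LOG = """\
2024-05-01 08:00:01 (101) worker.0 txid=4f3a9c2b1d Processing GET /incident.do user=jdoe from 203.0.113.5
2024-05-01 08:00:01 (101) worker.0 txid=4f3a9c2b1d Session lookup completed
2024-05-01 08:00:02 (101) worker.0 txid=4f3a9c2b1d Transaction complete
2024-05-01 08:00:05 (102) worker.1 txid=9e8d7c6b5a Processing GET /incident.do user=asmith from 203.0.113.50
2024-05-01 23:41:10 (103) worker.2 txid=0a1b2c3d4e Processing POST /sys_user_has_role.do user=jdoe from 198.51.100.77
2024-05-01 23:41:11 (103) worker.2 txid=0a1b2c3d4e Role admin granted to user
2024-05-01 23:41:11 (103) worker.2 txid=0a1b2c3d4e Transaction complete
2024-05-01 23:42:00 (104) worker.2 Scheduler heartbeat
"""


def pivot(lines, reported_ips):
    """Return (ip_hits, txids, tx_lines): the same three outputs as the article's scripts."""
    reported = set(reported_ips)
    lines = list(lines)
    # Step 1: lines that contain a reported IP as a whole address token
    ip_hits = [ln for ln in lines if reported.intersection(IPV4.findall(ln))]
    # Step 2: unique transaction ids on those lines
    txids = sorted({t for ln in ip_hits for t in TXID.findall(ln)})
    # Step 3: every line of those transactions, in file order, not only the lines with the IP
    wanted = set(txids)
    tx_lines = [ln for ln in lines if wanted.intersection(TXID.findall(ln))]
    return ip_hits, txids, tx_lines


def group_by_txid(tx_lines):
    """Map each txid to its lines, preserving file order within a transaction."""
    by_txid = defaultdict(list)
    for ln in tx_lines:
        for t in TXID.findall(ln):
            by_txid[t].append(ln)
    return dict(by_txid)


def summarise(by_txid):
    """Per-transaction line count, first/last timestamp and the IPs that appear in it."""
    out = {}
    for txid, lns in by_txid.items():
        stamps = []
        for ln in lns:
            m = TIMESTAMP.match(ln)
            if m:
                stamps.append(m.group(1))
        ips = sorted({ip for ln in lns for ip in IPV4.findall(ln)})
        out[txid] = {"lines": len(lns),
                     "first": min(stamps) if stamps else None,
                     "last": max(stamps) if stamps else None,
                     "ips": ips}
    return out


def process_folder(folder, reported_ips, pattern="app*localhost_log*.txt"):
    """Run the pivot over a folder of downloaded node logs, writing the same three
    files per node as the article's scripts, and return a per-node summary."""
    results = {}
    for log in sorted(Path(folder).glob(pattern)):
        m = re.match(r"app\d+", log.name)
        prefix = m.group(0) if m else "unknown"
        text = log.read_text(encoding="utf-8", errors="replace")
        ip_hits, txids, tx_lines = pivot(text.splitlines(), reported_ips)
        for suffix, content in (("activity_from_ips", ip_hits),
                                ("associated_txids", txids),
                                ("activity_from_txids", tx_lines)):
            Path(folder, f"{prefix}_{suffix}.txt").write_text(
                "".join(line + "\n" for line in content), encoding="utf-8")
        results[prefix] = summarise(group_by_txid(tx_lines))
    return results


if __name__ == "__main__":
    _, _, tx_lines = pivot(SAMPLE_LOG.splitlines(), ["203.0.113.5", "198.51.100.77"])
    for txid, info in summarise(group_by_txid(tx_lines)).items():
        print(txid, info)
```

Running process_folder("/path/to/node_logs", ["203.0.113.5"]) produces the same app######_*.txt files described under Script Output; the returned summary is the quickest way to spot the transactions worth reading in full, for instance a short one at an unusual hour that touched sys_user_has_role.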