How to Investigate User Account Activity

Issue

For the latest information about Monitoring user activity, see Monitoring user activity.

Whenever there is a need to review specific user behavior, below are the recommended steps for reviewing the transaction logs and event logs:

- Locate the IP address of successful/failed logins for a particular ServiceNow user on their instance
- Modify the time frame of the search
- Limit the scope of the search by user name
- Successful/Failed login attempts

Procedure

Locate User Activity

Process Steps

1. Log in to the instance as an admin
2. Identify Transaction Logs
   Transaction logs by default are kept for over 49 days unless the instance admin has adjusted the table rotations for the [syslog_transaction] table.
   Navigate to System Logs > Transactions
   https://<instance_name>.service-now.com/syslog_transaction_list.do
3. Adjust the filter to narrow down logs for investigative purposes
   - Required timeframe: The filter is "Created"
   - Username: The filter is set as "Created by" with the option of either "starts with" or "contains"

Narrow the log date range

From this list view we can then adjust the filter as below:

- Created on – Adjust to any date or timeframe the customer needs
- Created by – Adjust to the affected username

Identify the IP address of the user login: Click on the cogwheel in the upper left corner of the table to open the Personalized list column. To view the IP address of the logged-in user you can add the IP address column to the list view via the Personalize List columns module.

Identify Successful/Failed Login Attempts

Note that this is only for local accounts.

1. Log in to the instance as an admin
2. Navigate to System Logs > Events
   https://<instance_name>.service-now.com/sysevent_list.do?sysparm_query=sys_created_onONToday%40javascript:gs.daysAgoStart(0)%40javascript:gs.daysAgoEnd(0)%5EGOTOnameSTARTSWITHSNC.Auth.DB
3. Adjust the filter as follows. From this list view we can then adjust the filter as below:
   - Created on – Adjust to any date or timeframe the customer needs
   - Created by – Adjust to the affected username

Additional Recommended Actions for Evaluating Activity of Concern

Once the above steps have been completed, it is recommended that the customer also performs the following actions to determine if any suspicious activity has taken place that either was not captured in the logs identified or occurred outside of the current log retention period set:

- Determine the roles assigned to the target user by reviewing the sys_user_has_role table and filtering to entries for the user in question.
- Review the sys_audit table for any unexpected changes made within their instance. Please see this docs page for more details: https://www.servicenow.com/docs/csh?topicname=c_UnderstandingTheSysAuditTable.html&version=latest
- Review the sys_user table for any newly created users that are not recognized, especially those with privileged roles.
- Review Service Accounts and ensure they are configured according to the best practices linked at this KB: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1933421
- Review if there are any newly scheduled jobs that are not recognized by the platform owner team. Please see this docs page for details on how to review Scheduled Jobs: https://www.servicenow.com/docs/csh?topicname=view-scheduled-jobs.html&version=latest
- Review the Customer Updates table for any unexpected activity. Details on how to navigate this table can be found in the linked documentation: https://www.servicenow.com/docs/csh?topicname=r_CustomerUpdatesTable.html&version=latest
- Review the Security Center Metrics dashboard (/now/security-center/my_security_metrics), especially the below metrics:
  - Privileged Users: Local logins of privileged users not protected by MFA in Security Center
  - Privileged Users: New users
  - Privileged Users: Successful logins
  - Users: Successful logins
  - Users: Inactive users who are not locked out
  - Users: New users
  - Privileged Identities: Admin users added
  - Privileged Identities: Admin logins
  - Authentication: Users using MFA Bypass
  - Authentication: High privileged non-MFA users
  - Export: Total Exports
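
The transaction-log and event-log filters from the procedure above can also be generated as ready-made list URLs for a given user and time window. The following is an added example, not ServiceNow's own code: the function names, the instance name used in testing, the `BETWEEN`/`gs.dateGenerate()` date condition and the `sys_created_on`/`sys_created_by` field names are assumptions not taken from this article.

```python
import re
from datetime import datetime
from urllib.parse import quote

# Assumed (not in the article): BETWEEN + gs.dateGenerate() date syntax and the
# sys_created_on / sys_created_by field names behind "Created" / "Created by".
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def date_clause(start: str, end: str) -> str:
    """'Created on' between two timestamps given as YYYY-MM-DD HH:MM:SS."""
    t0, t1 = (datetime.strptime(s, TS_FORMAT) for s in (start, end))
    if t1 < t0:
        raise ValueError("end is before start")
    parts = [f"javascript:gs.dateGenerate('{t:%Y-%m-%d}','{t:%H:%M:%S}')" for t in (t0, t1)]
    return "sys_created_onBETWEEN" + "@".join(parts)


def user_clause(username: str, operator: str = "STARTSWITH") -> str:
    """'Created by' condition; LIKE is the encoded form of "contains"."""
    if operator not in ("STARTSWITH", "LIKE"):
        raise ValueError("operator must be STARTSWITH or LIKE")
    # '^' separates conditions in an encoded query, so a value containing it
    # would silently change the filter an investigator believes they applied.
    if not username or "^" in username or not username.isprintable():
        raise ValueError("username contains characters that would alter the query")
    return f"sys_created_by{operator}{username}"


def list_url(instance: str, table: str, clauses: list) -> str:
    """Join conditions with '^' and percent-encode the whole query once."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]*", instance):
        raise ValueError("unexpected instance name")
    query = quote("^".join(clauses), safe="")
    return f"https://{instance}.service-now.com/{table}_list.do?sysparm_query={query}"


def investigation_urls(instance, username, start, end, operator="STARTSWITH"):
    """URLs for the transaction log and the SNC.Auth.DB login events."""
    when, who = date_clause(start, end), user_clause(username, operator)
    # The event filter uses a plain STARTSWITH condition rather than the GOTO
    # form that appears in the article's sample URL.
    return {
        "transactions": list_url(instance, "syslog_transaction", [when, who]),
        "login_events": list_url(instance, "sysevent",
                                 [when, "nameSTARTSWITHSNC.Auth.DB", who]),
    }
```

Paste the returned URLs into a browser session that is already logged in as an admin, then add the IP address column to the transaction list as described in the procedure.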