How To Determine if ServiceNow Discovery is Attempting SSH Sessions On Your Network



ServiceNow can use SSH as part of the Discovery process. From time to time, customers' network security teams notice failed SSH login attempts during their daily network monitoring. In some cases, too many failed SSH login attempts can cause network outages. The network team might reach out to the ServiceNow Admin in the belief that ServiceNow is attempting too many logins, and may provide a list of IPs that are attempting SSH logins. The ServiceNow Admin would then open a ServiceNow incident/case stating that they believe the MID Servers configured for Discovery are causing the issue and requesting a root/possible cause analysis (RCA/PCA). The following procedure checks whether your MID Servers are the source of the SSH login attempts.



Go to the list of your MID Servers.

Click the cog wheel (gear icon in blue), move IP Address from the "Available" left pane to the "Selected" right pane, and click OK.


Right-click IP Address and select "Group by IP address".

At this point you should see a list of all your MID Servers' IP addresses.


You can use these IP addresses to cross-reference the network security team's list of IPs attempting too many SSH logins.
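
The cross-reference in the last step can be scripted. This is an added example, not ServiceNow code. It assumes the IP Address values were copied from the grouped MID Server list one per line, and that the security team's list is in a hypothetical `source_ip,failed_attempts` format; both sample inputs are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample: IP Address values copied from the grouped MID Server list.
MID_SERVER_IPS = """
10.20.1.15
10.20.1.16
10.20.2.7
"""

# Constructed sample: security team's report as "source_ip,failed_attempts".
SECURITY_REPORT = """
10.20.1.15,412
::ffff:10.20.2.7,38
192.168.50.9,1204
10.20.1.15,20
not-an-ip,5
"""

def parse_ip(text):
    """Parse one address; unwrap IPv4-mapped IPv6 so both forms compare equal."""
    ip = ipaddress.ip_address(text.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def load_mid_ips(text):
    return {parse_ip(line) for line in text.splitlines() if line.strip()}

def load_report(text):
    """Sum failed attempts per source IP; keep unparseable lines for review."""
    counts, rejected = Counter(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ip_text, attempts = line.split(",")
            counts[parse_ip(ip_text)] += int(attempts)
        except ValueError:
            rejected.append(line.strip())
    return counts, rejected

def cross_reference(mid_ips, counts):
    """Split reported sources into MID Server matches and all other sources."""
    matched = {str(ip): n for ip, n in counts.items() if ip in mid_ips}
    other = {str(ip): n for ip, n in counts.items() if ip not in mid_ips}
    return matched, other

if __name__ == "__main__":
    counts, rejected = load_report(SECURITY_REPORT)
    matched, other = cross_reference(load_mid_ips(MID_SERVER_IPS), counts)
    print("MID Server sources:", matched)
    print("Other sources:", other)
    print("Unparsed lines:", rejected)
```

Sources that land in the "other" group are not MID Servers and need to be traced separately by the network team.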