TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
ServiceNow System Events | ✅ | ✅ | servicenow-system-events | JSON | API | ||
ServiceNow System Logs | ✅ | servicenow-system-logs | JSON | API | |||
ServiceNow System User Session | ✅ | servicenow-system-user-session | JSON | API | |||
ServiceNow System Audit | ✅ | servicenow-system-audit | JSON | API | |||
ServiceNow System Outbound HTTP Logs | ✅ | ✅ | ✅ | servicenow-system-outbound-http-logs | JSON | API | |
ServiceNow Incident Logs | ✅ | ✅ | servicenow-incident-logs | JSON | API |
Overview
ServiceNow Now Platform is a cloud-based enterprise platform that unifies IT service management (ITSM), IT operations management (ITOM), security operations (SecOps), and business workflow automation into a single system of record and action. At its core, it provides a highly extensible data model (tables such as CMDB, syslog, and sys_trigger) and a workflow engine that enables organizations to digitize, automate, and orchestrate processes across IT and business functions. Within this platform, ITOM Discovery plays a critical role by automatically identifying infrastructure assets—such as servers, virtual machines, network devices, databases, and applications—across on-premises and cloud environments. It uses a MID Server architecture, where lightweight agents installed within the customer network execute discovery probes (e.g., WMI, SSH, SNMP) and send results back to the ServiceNow instance. These results are then processed by sensors and patterns, which interpret raw data and transform it into structured configuration items (CIs) in the Configuration Management Database (CMDB). The CMDB serves as a central repository that maps relationships between infrastructure components, enabling dependency mapping, impact analysis, and service modeling. ServiceNow Discovery operates on a scheduled and event-driven basis, using internal job schedulers and worker threads to manage asynchronous tasks efficiently at scale. Beyond discovery, the platform integrates tightly with monitoring tools, cloud APIs, and orchestration frameworks to provide near real-time visibility into infrastructure health and changes. Security-wise, ServiceNow enforces role-based access control (RBAC), scoped applications, and audit logging, making it suitable for enterprise governance and compliance requirements. The platform also supports extensive customization through scripting (JavaScript-based Glide APIs), REST APIs, and integrations with third-party systems, enabling organizations to tailor workflows and extend functionality. In modern environments, ServiceNow Discovery is often used as the foundation for service mapping, where business services are dynamically mapped to underlying infrastructure, helping teams understand how outages or changes impact end-user services. Overall, the ServiceNow Now Platform acts as a centralized operational hub that combines data ingestion, automation, and visualization, allowing enterprises to move from reactive IT management to proactive and predictive operations.
Send data to Hunters
Hunters supports ingesting SeviceNow Logs via an intermediary API Method
To connect SeviceNow Logs:
Connect using API
Click here to follow the method for collecting logs via the API.
Supported data types
ServiceNow System Logs
Overview:
These logs represent ServiceNow ITOM Discovery system log (syslog) events that capture the lifecycle of asynchronous Discovery sensor processing jobs executed by the platform’s internal scheduler. Specifically, this entry shows the completion (“End processing ASYNC”) of a Discovery MultiPage Sensors Pattern Launcher job, targeting a Windows server and processing page 22 of 26, indicating that the Discovery operation is segmented into multiple batches for scalability and efficiency. The logs provide detailed execution context, including the scheduler worker thread, the originating component (DiscoverySensorJob), the associated scheduled job record (sys_trigger), and a transaction identifier (_txid) for correlation across related events. Additionally, metadata such as the executing user (system), MID Server involvement (mid_server_user), and script reference (sys_script_include) helps trace execution flow and troubleshoot issues. From an operational and security perspective, these logs offer visibility into automated infrastructure discovery activities, job execution status (start/end), processing progress, and system behavior under scheduled workloads. They are particularly useful for identifying delays, failures, or anomalies in Discovery processes, validating that assets are being scanned and updated correctly in the CMDB, and correlating Discovery activity with network or endpoint events in broader monitoring and SIEM workflows.
Table name: servicenow_system_logs
Expected format
Logs are expected in JSON-format.
{"sequence": "", "sys_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "source_application_family": "", "level": "1", "source_package": "", "sys_created_on": "2020-01-01 00:00:00", "source": "HTTP Classify", "message": "No results returned from probe.", "sys_class_name": "discovery_log", "sys_created_by": "generic_service_user", "context_map": "{\"_system_id\":\"app.example.service-now.com:generic_instance\",\"caller\":\"com.example.SchedulerWorkerThread\",\"_logged_in_user\":\"generic.user\",\"job_name\":\"ASYNC: Discovery - Sensors HTTPClassyProbe (192.0.2.10) bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\",\"record_sys_id\":\"cccccccccccccccccccccccccccccccc\",\"_user\":\"generic.user\",\"_is_impersonating\":\"false\",\"table_name\":\"sys_trigger\",\"_txid\":\"dddddddddddd\",\"_session_id\":\"glide.scheduler.worker.0\"}"}ServiceNow System Events
Overview:
These logs represent ServiceNow ITOM Discovery system log (syslog) events that capture the lifecycle of asynchronous Discovery sensor processing jobs executed by the platform’s internal scheduler. Specifically, this entry shows the completion (“End processing ASYNC”) of a Discovery MultiPage Sensors Pattern Launcher job, targeting a Windows server and processing page 22 of 26, indicating that the Discovery operation is segmented into multiple batches for scalability and efficiency. The logs provide detailed execution context, including the scheduler worker thread, the originating component (DiscoverySensorJob), the associated scheduled job record (sys_trigger), and a transaction identifier (_txid) for correlation across related events. Additionally, metadata such as the executing user (system), MID Server involvement (mid_server_user), and script reference (sys_script_include) helps trace execution flow and troubleshoot issues. From an operational and security perspective, these logs offer visibility into automated infrastructure discovery activities, job execution status (start/end), processing progress, and system behavior under scheduled workloads. They are particularly useful for identifying delays, failures, or anomalies in Discovery processes, validating that assets are being scanned and updated correctly in the CMDB, and correlating Discovery activity with network or endpoint events in broader monitoring and SIEM workflows.
Table name: servicenow_system_events
Expected format
Logs are expected in JSON format.
{"derived_priority":"100","instance":"","process_on":"2020-01-15 10:30:00","user_name":"","sys_mod_count":"1","sys_updated_on":"2020-01-15 10:30:05","uri":"","processed":"2020-01-15 10:30:05","rollback_context_id":"","sys_id":"a1b2c3d4e5f6789012345678901234ab","partition":"78","sys_updated_by":"system","user_id":"","sys_created_on":"2020-01-15 10:30:00","processing_duration":"1","name":"glide.heartbeat","descriptive_name":"","state":"processed","parm1":"","parm2":"","queue":"","sys_created_by":"system","table":"","claimed_by":"app000000.anonymized-host.service-now.com:worker000"}ServiceNow System User Session
Overview:
These logs represent a ServiceNow session or authentication-related record, likely tied to session management within the platform. The entry captures the lifecycle of a session-like object associated with an entity (name) and includes security-relevant attributes such as a CSRF (Cross-Site Request Forgery) token, timestamps, and invalidation status. The presence of csrf_token indicates that the platform issued a token to protect against unauthorized request forgery during a user interaction, while fields like last_accessed, sys_created_on, and sys_updated_on provide a timeline of session activity. The invalidated field shows that the session or token was explicitly terminated shortly after creation, which could reflect normal session expiration, logout behavior, or security enforcement. Metadata such as sys_created_by, sys_updated_by, and sys_mod_count help track how the record was handled internally by the system. From a security and operational perspective, these logs provide insight into session lifecycle management, token issuance and revocation, and access control enforcement within the platform. They are useful for identifying abnormal session patterns, such as rapid creation and invalidation, potential misuse of session tokens, or automated access attempts, while also serving as an audit trail for authentication and web session security
Table name: servicenow_system_user_session
Expected format
Logs are expected in JSON format.
{"last_accessed": "2020-01-01 10:00:00", "data": "", "csrf_token": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "sys_mod_count": "0", "sys_updated_on": "2020-01-01 10:01:00", "sys_tags": "", "sys_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "sys_updated_by": "svc_integration_account", "sys_created_on": "2020-01-01 10:00:00", "name": "svc_integration_account", "id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "invalidated": "2020-01-01 10:01:00", "sys_created_by": "guest"}ServiceNow System Audit
Overview:
These logs represent a ServiceNow configuration/audit change record, most likely from a system audit table (such as sys_audit), capturing a state transition of a platform component within the Hermes cluster configuration. Specifically, the log tracks a change in the offline_reason field for a record in the hermes_cluster_config table, where the system determined that a node transitioned from a degraded/uncertain state to fully offline. The oldvalue indicates that the system was previously observing intermittent failures and required additional confirmation before marking the node offline, while the newvalue confirms the final transition due to repeated SSL authentication failures across multiple service ports. These errors suggest that secure communication between cluster nodes failed, likely due to certificate validation issues, trust misconfiguration, or missing authentication credentials. The log includes metadata such as timestamps (sys_created_on), record identifiers (documentkey, sys_id), and the acting user (system), indicating that this was an automated system-driven update rather than manual intervention. From an operational and security standpoint, these logs provide insight into cluster health monitoring, node availability status changes, and underlying communication failures, making them valuable for diagnosing infrastructure issues, identifying misconfigured TLS/SSL setups, and correlating service outages or degraded performance with authentication or certificate-related problems within distributed ServiceNow components.
Table name: servicenow_system_audit
Expected format
Logs are expected in JSON format.
{"fieldname":"DELETED","reason":"","sys_id":"a1b2c3d4e5f6789012345678901234ab","newvalue":"DELETED","sys_created_on":"2020-01-15 12:00:13","documentkey":"b2c3d4e5f6789012345678901234abc","internal_checkpoint":"","record_checkpoint":"-1","tablename":"sys_status","user":"anonymized_mid_user","oldvalue":"DELETED","sys_created_by":"anonymized_mid_user"}ServiceNow System Outbound HTTP Logs
Overview:
These logs represent a ServiceNow outbound HTTP transaction generated by an automated scheduled script that refreshes MultiSSO Identity Provider metadata. The event shows that the ServiceNow instance sent an HTTPS GET request to Microsoft Online’s federation metadata endpoint to retrieve a federation metadata XML document used for SAML/SSO configuration. The request was executed from a scheduler worker session, indicating this was an automated platform task rather than an interactive browser action. The response status was 200, meaning the remote endpoint successfully returned the requested metadata, with a response size of 14,237 bytes and a response time of 327 milliseconds. Fields such as transaction_id, transaction_name, source_table, and source_record help correlate this network call back to the scheduled automation that initiated it. The system_id identifies the ServiceNow application node that performed the request, while method, protocol, scheme, hostname, path, and url describe the outbound connection details. From an operational and security perspective, these logs provide visibility into external integrations, SSO metadata refresh activity, outbound web requests, response performance, and success or failure of identity-provider synchronization. This type of log is useful for troubleshooting SSO issues, validating metadata refresh behavior, monitoring dependencies on external identity platforms, and detecting unusual outbound requests from scheduled automation.
Table name: servicenow_system_outbound_http_logs
Expected format
Logs are expected in JSON format.
{"scheme": "https", "user_name": "generic_user", "response_body": "", "sys_updated_on": "2020-01-01 12:00:00", "path": "/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/federationmetadata/2007-06/federationmetadata.xml", "sys_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "hostname": "idp.example.com", "protocol": "HTTP/1.1", "rst": "", "sys_updated_by": "generic_user", "source_record": {"link": "https://example.service-now.com/api/now/table/sysauto_script/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "value": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}, "sys_created_on": "2020-01-01 12:00:00", "transaction_name": "Refresh MultiSSO IDP Metadata - system", "sys_created_by": "generic_user", "request_query": "", "transaction_id": "cccccccccccccccccccccccccccccccc", "method": "GET", "mid_server": "", "response_status": "200", "system_id": "app.example.service-now.com:tenant001", "log_level": "Basic", "sys_mod_count": "0", "session_id": "glide.scheduler.worker.1", "sys_tags": "", "url": "https://idp.example.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/federationmetadata/2007-06/federationmetadata.xml", "response_length": "14237", "sequence": "10001", "response_headers": "", "request_body": "", "request_length": "0", "rrt": "", "request_headers": "", "response_time": "327", "app_scope": "global", "source_table": "sysauto_script"}ServiceNow Incident Logs
Overview:
These logs represent ServiceNow ITOM Discovery system log (syslog) events that capture the lifecycle of asynchronous Discovery sensor processing jobs executed by the platform’s internal scheduler. Specifically, this entry shows the completion (“End processing ASYNC”) of a Discovery MultiPage Sensors Pattern Launcher job, targeting a Windows server and processing page 22 of 26, indicating that the Discovery operation is segmented into multiple batches for scalability and efficiency. The logs provide detailed execution context, including the scheduler worker thread, the originating component (DiscoverySensorJob), the associated scheduled job record (sys_trigger), and a transaction identifier (_txid) for correlation across related events. Additionally, metadata such as the executing user (system), MID Server involvement (mid_server_user), and script reference (sys_script_include) helps trace execution flow and troubleshoot issues. From an operational and security perspective, these logs offer visibility into automated infrastructure discovery activities, job execution status (start/end), processing progress, and system behavior under scheduled workloads. They are particularly useful for identifying delays, failures, or anomalies in Discovery processes, validating that assets are being scanned and updated correctly in the CMDB, and correlating Discovery activity with network or endpoint events in broader monitoring and SIEM workflows.
Table name: servicenow_incident_logs
Expected format
Logs are expected in JSON format.
{"promoted_by":"","parent":"","caused_by":"","u_create_issue":"false","watch_list":"","upon_reject":"cancel","sys_updated_on":"2020-01-27 18:00:00","origin_table":"","approval_history":"","skills":"","number":"INC0123456","proposed_by":"","lessons_learned":"","u_additional_comments":"","state":"7","sys_created_by":"generic_integration_user","knowledge":"false","order":"","u_total_downtime":"","u_help_desk_ticket":"","cmdb_ci":"","delivery_plan":"","contract":"","impact":"2","u_date":"","active":"false","work_notes_list":"","priority":"3","sys_domain_path":"/","business_duration":"1970-01-01 00:48:06","group_list":"","approval_set":"","major_incident_state":"","universal_request":"","short_description":"Security Automation Incident - Low-severity alert: Email reported by user as not junk / Other","correlation_display":"","delivery_task":"","work_start":"","trigger_rule":"","u_cost":"0","additional_assignee_list":"","u_reason_request_denied":"","notify":"1","service_offering":"","sys_class_name":"incident","closed_by":{"link":"https://example.service-now.com/api/now/table/sys_user/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","value":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},"follow_up":"","parent_incident":"","reopened_by":"","reassignment_count":"0","assigned_to":{"link":"https://example.service-now.com/api/now/table/sys_user/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","value":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},"u_other":"","sla_due":"","comments_and_work_notes":"","u_approval_decision":"","escalation":"0","upon_approval":"proceed","correlation_id":"","timeline":"","made_sla":"true","promoted_on":"","u_incident_coordinator":"","u_prevention_measures":"","child_incidents":"0","hold_reason":"","task_effective_number":"INC0123456","resolved_by":{"link":"https://example.service-now.com/api/now/table/sys_user/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","value":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},"sys_updated_by":"system","opened_by":{"link":"https://example.service-now.com/api/now/table/sys_user/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb","value":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},"user_input":"","sys_created_on":"2020-01-20 17:06:55","sys_domain":{"link":"https://example.service-now.com/api/now/table/sys_user_group/global","value":"global"},"proposed_on":"","actions_taken":"","route_reason":"","calendar_stc":"2886","closed_at":"2020-01-27 18:00:00","business_service":{"link":"https://example.service-now.com/api/now/table/cmdb_ci_service/cccccccccccccccccccccccccccccc","value":"cccccccccccccccccccccccccccccccc"},"business_impact":"","u_budget_code":"","rfc":"","time_worked":"","expected_start":"","opened_at":"2020-01-20 17:06:55","u_tags":"","work_end":"","caller_id":{"link":"https://example.service-now.com/api/now/table/sys_user/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb","value":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},"reopened_time":"","resolved_at":"2020-01-20 17:55:01","u_incident_commander":"","subcategory":"alerts","work_notes":"","close_code":"Solved (Permanently)","assignment_group":{"link":"https://example.service-now.com/api/now/table/sys_user_group/dddddddddddddddddddddddddddddd","value":"dddddddddddddddddddddddddddddddd"},"business_stc":"2886","u_distribution_list":"","cause":"","description":"System: Other","origin_id":"","calendar_duration":"1970-01-01 00:48:06","close_notes":"User reported as \"Not Junk\". No further action.\r\n","sys_id":"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee","contact_type":"email","incident_state":"7","urgency":"2","problem_id":"","company":"","activity_due":"","u_start_time":"","severity":"3","overview":"","comments":"","approval":"not requested","due_date":"","sys_mod_count":"2","reopen_count":"0","sys_tags":"","u_end_time":"","u_root_cause":"","u_knowledge_article":"","location":"","category":"Assistance"}