ServiceNow Audit Logs
ServiceNow provides comprehensive audit logging via the sys_audit table, capturing all field-level changes to records across your instance. These logs show what changed, who changed it, the old and new values, and when the change occurred. They help administrators track configuration drift, monitor compliance, investigate incidents, and audit user activity across the entire ServiceNow platform.
Ingest Methods
Set up the ingestion of this source using one of the following guides.
API Polling
ServiceNow supports API polling to collect audit log records via the Table API.
Setup
- Go to Sources in RunReveal
- Click the ServiceNow source tile
- Give it a name and click Connect Source
- Fill in the required fields with your ServiceNow instance name and credentials
ServiceNow Configuration
To set up the integration:
Prerequisites:
- A ServiceNow service account with the admin role, or a custom ACL granting read access to the sys_audit table
- Your ServiceNow instance name (the subdomain of your .service-now.com URL)
Creating a Service Account:
- Sign in to your ServiceNow instance as an administrator
- Navigate to User Administration > Users
- Click New to create a new user
- Set a username and password for the service account
- Assign the admin role (or create a custom role with read access to sys_audit)
- Copy the instance name, username, and password into the RunReveal source configuration form
Audit Table Access: The sys_audit table contains field-level change records for all audited tables in your ServiceNow instance. Ensure your service account has appropriate read access. For least-privilege access, create a custom ACL that grants read-only access to the sys_audit table instead of using the full admin role.
ServiceNow Event Types
The ServiceNow integration collects field-level audit records from the sys_audit table. Every time a field value changes on an audited record, a new audit entry is created.
What Gets Audited
ServiceNow audits field-level changes across all tables where auditing is enabled, including:
IT Service Management
- Incidents - Priority changes, state transitions, assignments, resolution notes
- Changes - Change request approvals, implementation updates, risk assessments
- Problems - Root cause analysis updates, workaround modifications
- Service Requests - Approval workflows, fulfillment status changes
Configuration Management
- Configuration Items - Asset changes, relationship updates, attribute modifications
- CMDB Records - Hardware/software inventory changes, lifecycle status updates
User and Access Management
- User Records - Role assignments, group memberships, profile updates
- Groups - Membership changes, manager assignments
- Roles - Permission grants and revocations
Platform Administration
- System Properties - Configuration setting changes
- Business Rules - Script and condition modifications
- ACLs - Access control list changes
- Scheduled Jobs - Schedule and script modifications
Audit Record Structure
Each audit record includes:
- Table Name - Which ServiceNow table the change occurred on
- Field Name - The specific field that was modified
- Old Value / New Value - Previous and updated values
- Document Key - The sys_id of the record that was changed
- Created By - The username who made the change
- Timestamp - When the change occurred
Data Collection
- Collection Method: API polling every 5 minutes via the ServiceNow Table API
- Data Source: sys_audit table (field-level change tracking)
- Event Format: JSON with normalized fields for consistent querying
- Real-time Updates: New audit records appear in RunReveal within 5-10 minutes
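The polling cycle described under Data Collection and the field mapping under Audit Record Structure, as an added example (not RunReveal's or ServiceNow's own code): it builds the Table API request for sys_audit, maps each row onto the schema columns below, and carries a watermark plus the sys_ids already seen at that watermark across cycles so rows sharing a second are neither lost nor duplicated. The instance name, credentials and sample rows are constructed; sysparm_query, sysparm_fields, sysparm_limit and sysparm_offset are standard Table API parameters.

```python
import json
import urllib.parse
import urllib.request
from base64 import b64encode

# sys_audit columns the poller pulls, mapped onto the normalized "Schema" column names on this page.
AUDIT_FIELDS = {
    "sys_id": "sysID", "sys_created_on": "eventTime", "sys_created_by": "sysCreatedBy",
    "tablename": "tableName", "fieldname": "fieldName", "oldvalue": "oldValue",
    "newvalue": "newValue", "documentkey": "documentKey"}

def build_request(instance, user, password, since, limit=1000, offset=0):
    """Table API GET for sys_audit rows created at or after `since` ('YYYY-MM-DD HH:MM:SS', UTC),
    oldest first so paging by sysparm_offset is stable; Basic auth as the read-only service account."""
    params = urllib.parse.urlencode({
        "sysparm_query": f"sys_created_on>={since}^ORDERBYsys_created_on",
        "sysparm_fields": ",".join(AUDIT_FIELDS),
        "sysparm_limit": limit, "sysparm_offset": offset})
    url = f"https://{instance}.service-now.com/api/now/table/sys_audit?{params}"
    token = b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Accept": "application/json", "Authorization": f"Basic {token}"})

def normalize(raw):
    """Map one sys_audit row onto the schema columns and keep the raw JSON in rawLog."""
    event = {dst: raw.get(src, "") for src, dst in AUDIT_FIELDS.items()}
    event["eventName"] = f"{event['tableName']}.{event['fieldName']}"
    event["rawLog"] = json.dumps(raw, sort_keys=True)
    return event

def poll_page(fetch, instance, user, password, since, seen_ids=frozenset()):
    """One cycle. `fetch(request) -> dict` performs the HTTP call (injected so this runs offline on a
    canned body). The >= query keeps rows that share the watermark second; `seen_ids` drops the ones
    already stored. Returns (new events, new watermark, sys_ids seen at that watermark)."""
    body = fetch(build_request(instance, user, password, since))
    events = [normalize(r) for r in body.get("result", []) if r.get("sys_id") not in seen_ids]
    watermark = max((e["eventTime"] for e in events), default=since)
    at_mark = frozenset(e["sysID"] for e in events if e["eventTime"] == watermark) if events else seen_ids
    return events, watermark, at_mark

# Constructed sample Table API body (not real data); a0 was already stored by the previous cycle.
SAMPLE_BODY = {"result": [
    {"sys_id": "a0", "sys_created_on": "2024-05-01 10:00:00", "sys_created_by": "jsmith",
     "tablename": "incident", "fieldname": "state", "oldvalue": "2", "newvalue": "6", "documentkey": "i1"},
    {"sys_id": "a1", "sys_created_on": "2024-05-01 10:00:00", "sys_created_by": "jsmith",
     "tablename": "sys_user", "fieldname": "roles", "oldvalue": "itil", "newvalue": "itil,admin", "documentkey": "u7"},
    {"sys_id": "a2", "sys_created_on": "2024-05-01 10:04:30", "sys_created_by": "svc.cmdb",
     "tablename": "cmdb_ci", "fieldname": "install_status", "oldvalue": "1", "newvalue": "7", "documentkey": "c3"},
]}
```

For a live run, pass `lambda req: json.load(urllib.request.urlopen(req, timeout=30))` as `fetch` and persist the returned watermark and sys_id set between cycles.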
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: servicenow_audit_logs (43 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| tableName | String |
| fieldName | String |
| oldValue | String |
| newValue | String |
| documentKey | String |
| sysCreatedBy | String |
| sysID | String |
Helpful Links
- ServiceNow Table API Reference - REST API reference for querying ServiceNow tables
- ServiceNow Auditing Documentation - How to configure and manage auditing in ServiceNow