ServiceNow API Token
Service Name: ServiceNow
Service Description: ServiceNow is a cloud-based platform that helps organizations manage digital workflows for enterprise operations. It provides various applications for IT service management, IT operations management, and IT business management.
Service Address: https://www.servicenow.com/
Validation Type: API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants programmatic access to ServiceNow instances and their data through REST APIs.
Secret Revokement URL: https://docs.servicenow.com/bundle/tokyo-platform-administration/page/administer/security/task/t_RevokeOAuthTokens.html
Secret Example: now_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2g3h4i5j6k7l8m9n0o1p2q3r4s5t6u7v8w9x0y1z2
Suspicious Activity Investigation Instructions:
- Review ServiceNow instance logs for unusual API calls or data access patterns
- Check for unauthorized user accounts or role changes in the ServiceNow admin console
- Monitor for unusual data exports or mass record modifications
- Examine IP addresses accessing the ServiceNow instance through API calls
- Review OAuth token usage statistics for abnormal patterns
Mitigation Instructions:
- Log in to your ServiceNow instance as an administrator
- Navigate to System OAuth > Application Registry
- Locate the application associated with the compromised token
- Select "Revoke Access" to invalidate the token
- Generate a new token with appropriate permissions if needed
- Consider implementing IP restrictions for API access
- Review and adjust the token's scope to follow the principle of least privilege