Skip to content

ServiceNow API Token

Service Name: ServiceNow

Service Description: ServiceNow is a cloud-based platform that helps organizations manage digital workflows for enterprise operations. It provides various applications for IT service management, IT operations management, and IT business management.

Service Address: https://www.servicenow.com/

Validation Type: API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants programmatic access to ServiceNow instances and their data through REST APIs.

Secret Revokement URL: https://docs.servicenow.com/bundle/tokyo-platform-administration/page/administer/security/task/t_RevokeOAuthTokens.html

Secret Example: now_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2g3h4i5j6k7l8m9n0o1p2q3r4s5t6u7v8w9x0y1z2

Suspicious Activity Investigation Instructions:

  • Review ServiceNow instance logs for unusual API calls or data access patterns
  • Check for unauthorized user accounts or role changes in the ServiceNow admin console
  • Monitor for unusual data exports or mass record modifications
  • Examine IP addresses accessing the ServiceNow instance through API calls
  • Review OAuth token usage statistics for abnormal patterns

Mitigation Instructions:

  • Log in to your ServiceNow instance as an administrator
  • Navigate to System OAuth > Application Registry
  • Locate the application associated with the compromised token
  • Select "Revoke Access" to invalidate the token
  • Generate a new token with appropriate permissions if needed
  • Consider implementing IP restrictions for API access
  • Review and adjust the token's scope to follow the principle of least privilege