ServiceNow OAuth Refresh Token
Service Name: ServiceNow
Service Description: ServiceNow is a cloud-based platform that provides IT service management (ITSM), IT operations management, and IT business management solutions. It helps organizations manage digital workflows for enterprise operations.
Service Address: https://www.servicenow.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the instance level through Access Control Rules in ServiceNow.
Secret Access Scope: OAuth refresh tokens grant long-term access to ServiceNow APIs and can be used to generate new access tokens without requiring user re- authentication.
Secret Revokement URL: https://docs.servicenow.com/bundle/vancouver-platform-security/page/administer/security/task/t_RevokeOAuthTokens.html
Secret Example: 3Mte8JNlx5IFvtf7CAgXVnVlGmBQyTNQvVFrKDNP2Uxn7BfwPAOSGT6f3Uxn7BfwPA
Suspicious Activity Investigation Instructions:
- Review ServiceNow system logs for unusual API access patterns or unauthorized operations
- Check the OAuth token usage history in the ServiceNow instance
- Monitor for unexpected application integrations or data exports
- Examine the IP addresses and locations from which the token has been used
- Review any changes to critical records or configurations that might have been made using the token
Mitigation Instructions:
- Log in to your ServiceNow instance as an administrator
- Navigate to System OAuth > Administration > Manage OAuth Tokens
- Locate the compromised refresh token in the list
- Select the token and click "Revoke" to immediately invalidate it
- Create a new OAuth client application with fresh credentials if needed
- Review and update the OAuth scopes to implement the principle of least privilege
- Consider implementing shorter token lifetimes for sensitive applications
- Enable additional security controls such as IP restrictions for OAuth clients
- Update any applications or integrations to use the new OAuth credentials