@Tony Chatfield1 

Your assumption was right, ISC resulted in the 2 event record appsec.security.export, table = sys_poll and 

attachment.read, table = sys_attachment 

I have modified this event to meet my requirement and also created notification and BR

I am however having isssue with both the notification and BR rule

For the notification I need a email notification to only trigger to only send the email to user wih admin and or security_admin role.

Can you please help with the condition and help with the BR

Hi, for notifications of this type, you would normally add a static group that contained your admin users, or create a specific notification group and add admin users to it as this is easier to manage than hard coded users on notification.

You may need to clarify you question regarding conditions and business reule,

the notification should only trigger when the event is fired, so if you require different trigger conditions, you would normally create a  new sysevent based on code that is triggering the one being used, and update\modify to suit your new requirement.

Can you share your BR as plain text and clarify where/when it is being run?

What is servicenow best practice of doing this because I have multiple admin roles?

for the notification, it is set to send when Event is fired, that is where my question is, I want it to send only users with the admin role as referenced above.  Thought I could hard code and do something like 

answer = false

if (gs.hasRole("admin") ||  (gs.hasRole("security_admin")) {

answer= true

}

I though that would work to beet the conditio of when are user with the admin role exports then it triggers.

For the business rule, I currently have the below script 

(function executeRule(current, previous /*null when async*/) {

gs.eventQueue('appsec.security.exports', current, ",");

})(current, previous)am I missing anyything on h BR