Email Inbound Action Example

Whenever you need to process an incoming email and craft a reply message or create a record from it, you use Inbound Actions.

The "Order" value of the Inbound Action is like the weight, and the lowest values are processed first.   When conditions are met, the action will run, and if you want the first applicable action to stop processing any further actions, just check the "Stop Processing" box or end the script with: event.state="stop_processing";

Inbound Actions have certain fields ready to use to make things easier for you such as:

email.body_text

email.body_html

email.from & email.from_sys_id [to get the sysid of the ServiceNow user with that email address]

email.recipients

email.body.from & email.body.from_sys_id [to get the sysid of the ServiceNow user with the email address in the from field inside the body, when parsing a reply or forwarded message]

One more observation I've made (On Istanbul and earlier at least) is that setting record fields to certain email fields using the "Field actions" builder doesn't always work as intended if you are trying to create and close a record all in one go because it seems to allow business rules to run before or after the script which will give you unintended results so if you don't want business rules to run just do all field setting in the script itself.

For this snippet, we'll use the business case that there is an email filter server that is going to be configured to send an email into our ServiceNow instance.   The email it sends contains a clickable link of an email address of a user who has clicked a malicious link in an email and the result was that the link was blocked successfully and we just need to open a Cyber Security categorized incident and close it for record-keeping purposes only.

We want the Target Table to be Incident

Action Type is a Record Action

When to run is on Type: New

Active and Stop Processing boxes are true

And to restrict it only run on emails From the email filter you can use the From field to point to a user in ServiceNow if it has a user created or in the condition you can put: email.from.toLowerCase() == 'whatever_server_email@yourcompanydomain.com'

And the secret sauce of the whole logic is going to be finding an email address/username from a link inside of the email, so it's easiest to look for the HTML flag href=mailto inside of the message (lines 10 & 11)

current.short_description = email.subject;
current.description = email.body_text;
current.category = 'cyber_security';
current.assignment_group.setDisplayValue('Systems');
current.assigned_to = 'whateverServiceAccountYouAutoCloseWith'; //sysid or use setDisplayValue
current.contact_type = 'automatic'; //a type we added for these kinds of auto-generated tickets
current.state = '-1'; //our Resolved state
current.close_code = 'Solved (Permanently)';
current.close_notes = 'Mimecast detected and blocked the URL';
var usrname = email.body_html.slice(email.body_html.indexOf('href="mailto:')+13);//slice with one param cuts everything off before it
usrname = usrname.slice(0,usrname.indexOf('@yourcompanydomain.com'));//slice off the domain and everything after so we can match on username
var usrid = new GlideRecord('sys_user');
usrid.query('user_name',usrname);
if (usrid.next())
         current.caller_id = usrid.sys_id;
current.insert(); //creates the new record