Sebastiaan
ServiceNow Employee

When using the SecOps Email parser, the Email Inbound Alert rule “Record SecOps Email Events” creates events for inbound emails in the “sn_sec_cmn_email_event” table. The events are then matched and parsed using the available parsers defined in the “sn_sec_cmn_email_transform” table.

When an inbound email contains attachments, they are automatically added to the event in the “sn_sec_cmn_email_event” table.

The issue, however, is that after parsing the attachments are not copied to the related Security Incident.

To achieve this, perform the configuration steps below:

 

1. Register a new event within the “sysevent_register” table


2. Open the “EmailIntegration” script include and search for the “checkCreateRecord” function:

Search for the following part within this function and add the lines of code below:

 

//CUSTOM
gs.eventQueue('sn_sec_cmn.email.event','sn_si_incident',newId,emailEvent.getUniqueValue());

 

This generates a system event that carries the email event's sys_id and the SIR sys_id in the parm1 and instance fields of the event.

You can check the creation of the event by monitoring the “sysevent” table.

 

3. Now that events carrying both sys_ids are created, we can use a Script Action to copy the attachments over and delete the duplicate entries on the email event.

For this, go to Script Actions and create a new entry containing the following lines of code:

//Use GlideSysAttachment.copy to copy the attachments from the email event to the created SIR
GlideSysAttachment.copy('sn_sec_cmn_email_event', event.parm1, 'sn_si_incident', event.instance);
//Create system log entry
gs.info("copied attachment from " + event.parm1 + " to SIR " + event.instance);

//Search for the email event attachments and delete them to prevent duplicate data
var attach = new GlideRecord('sys_attachment');
attach.addQuery('table_sys_id', '=', event.parm1);
attach.query();
var data = new GlideSysAttachment();
while (attach.next()) {
	//Create system log entry
	gs.info("deleted email event attachments for " + event.parm1);
	data.deleteAttachment(attach.getUniqueValue());
}

 

This copies all attachments that were part of the original email to the SIR and then deletes them from the email event.

 

4. Let's check the result 😉

 

When emails with attachments are received, the attachments are added to the corresponding SIR and removed from the original event entries.


The original post showed screenshots of the sample email, the log trail, the target SIR with attachments, and the original email event with its attachments removed.
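A variant of the step 3 Script Action that confirms each file arrived on the SIR before deleting it from the email event, so a failed copy does not discard the attachment. This is an added example, not code from the original post: `glideApi`, `countByName` and `moveAttachments` are hypothetical names, and confirming a copy by file name is an assumption of this example.

```javascript
// Added example. Glide calls live in glideApi() so the verify-then-delete
// logic can be exercised off-platform with a stand-in object.
function glideApi() {
  return {
    // Same sys_attachment lookup the post uses, returning id and file name.
    list: function (recordId) {
      var out = [];
      var gr = new GlideRecord('sys_attachment');
      gr.addQuery('table_sys_id', recordId);
      gr.query();
      while (gr.next()) {
        out.push({ sysId: gr.getUniqueValue(), fileName: gr.getValue('file_name') });
      }
      return out;
    },
    copy: function (srcTable, srcId, dstTable, dstId) {
      GlideSysAttachment.copy(srcTable, srcId, dstTable, dstId);
    },
    remove: function (sysId) { new GlideSysAttachment().deleteAttachment(sysId); }
  };
}
function countByName(list) {
  var counts = {};
  list.forEach(function (a) { counts[a.fileName] = (counts[a.fileName] || 0) + 1; });
  return counts;
}
// Copy, then delete a source attachment only if the target gained that file name.
function moveAttachments(api, srcTable, srcId, dstTable, dstId) {
  var source = api.list(srcId);
  var before = countByName(api.list(dstId));
  if (source.length > 0) api.copy(srcTable, srcId, dstTable, dstId);
  var after = countByName(api.list(dstId));
  var result = { deleted: 0, kept: [] };
  source.forEach(function (a) {
    var gained = (after[a.fileName] || 0) - (before[a.fileName] || 0);
    if (gained > 0) {
      api.remove(a.sysId);
      after[a.fileName]--; // each copied file confirms one source file
      result.deleted++;
    } else {
      result.kept.push(a.fileName); // not confirmed on the SIR: leave it on the event
    }
  });
  return result;
}
// In the Script Action, where the platform supplies `event` and `gs`:
// var r = moveAttachments(glideApi(), 'sn_sec_cmn_email_event', event.parm1, 'sn_si_incident', event.instance);
// gs.info('SIR ' + event.instance + ' attachment move: ' + JSON.stringify(r));
```

Files listed in `kept` stay on the email event and show up in the log entry, which makes a failed copy visible instead of silently removing the evidence.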

 

Comments
Amy Lind1
Giga Guru

Great solution.  Worked like a champ!  Thanks so much for sharing.

Version history
Last update:
‎07-13-2019 04:44 AM