How to create a record in Security Incident phishing email(sn_si_phishing_email)?

Go to solution
suryaprakash123
Tera Expert

‎03-11-2023 02:19 AM

Dear Team,

 

I am trying to create a security incident when phishing email arrives. I went through few docs, that says- Security incident was created automatically, when a record was created in 'Security Incident phishing email' table based on these flows(Transform Phishing Email to Security Incident V1, Transform Phishing Email to Security Incident V1.1). kindly help me to create a record on 'sn_si_phishing_email' table?

 

Referred docs: 

https://www.servicenow.com/community/secops-forum/security-incident-phishing-email-phis0010001/m-p/1...

 

  • 1,553 Views
1 ACCEPTED SOLUTION

Go to solution
Kireetivvs
ServiceNow Employee
ServiceNow Employee
In response to suryaprakash123

‎03-11-2023 11:16 PM

Hi @suryaprakash123 ,

'sn_si_phishing_email' records are created from Email(sys_email) records based on the 'Ingestion Rules'(sn_sec_cmn_email_action) defined. They can be found under the module, All --> Security Operations --> Email Processing --> Ingestion Rules - User Reported Phising. 

More details can be found here -> https://docs.servicenow.com/bundle/utah-security-management/page/product/security-incident-response/...

View solution in original post

5 REPLIES 5

Go to solution
Syedmd08
Kilo Guru

‎03-11-2023 08:57 AM

 Here are the steps:

  1. Log in to your ServiceNow instance.
  2. Go to the 'sn_si_phishing_email' table by typing 'sn_si_phishing_email' in the search bar and selecting the table from the results.
  3. Click the 'New' button at the top of the screen to create a new record.
  4. Fill in the required fields in the form. The required fields are marked with a red asterisk.
  5. Once you have filled in the required fields, click the 'Submit' button to save the record.

Note that the fields you need to fill in may vary depending on your specific instance and the requirements of your organization. You can consult the ServiceNow documentation or reach out to your system administrator if you need help identifying which fields you need to fill in for your use case.

If you want to automate the creation of a security incident when a phishing email arrives, you can use the flows you mentioned in your question, or you can create your own flow using ServiceNow's Flow Designer. You can also use email parsing to automatically create a record on the 'sn_si_phishing_email' table when a phishing email is received.

 

 

Please mark my reply as Helpful and/or Accept Solution, if applicable. Thanks!

0 Helpfuls

Go to solution
suryaprakash123
Tera Expert
In response to Syedmd08

‎03-11-2023 10:45 PM

Hi @Syedmd08,

 

Thanks for your reply.

 

I could not see any 'New' button on 'sn_si_phishing_email' table, that could be the reason I posted my query here. I have checked ACL too and given 'sn_si.admin', 'sn_si.analyst ' but I could not able to create new record, PFA.

 

I think, record was created automatically but I could not get the logic, how record is creating? If you have any thoughts, kindly suggest.

 

Thank you.

 

suryaprakash123_0-1678603062277.png

 

 

0 Helpfuls

Go to solution
Kireetivvs
ServiceNow Employee
ServiceNow Employee
In response to suryaprakash123

‎03-11-2023 11:16 PM

Hi @suryaprakash123 ,

'sn_si_phishing_email' records are created from Email(sys_email) records based on the 'Ingestion Rules'(sn_sec_cmn_email_action) defined. They can be found under the module, All --> Security Operations --> Email Processing --> Ingestion Rules - User Reported Phising. 

More details can be found here -> https://docs.servicenow.com/bundle/utah-security-management/page/product/security-incident-response/...

Go to solution
suryaprakash123
Tera Expert
In response to Kireetivvs

‎03-12-2023 01:39 AM

Hi @Kireetivvs 

 

Thank you for your information.

I had created a demo Ingestion Rule, condition was met and security incident was created at the end.

 

Thank you.

 

 

 

0 Helpfuls