Is "Secure Attachment" in Security Incident Response safe to upload malicious files?

Raghav Kakkar
Tera Expert

Hi all,

I want to know how the "Secure Attachments" are managed on ServiceNow. Say we have a phishing email that got escalated to a security incident, or the analyst wants to submit a malicious file to a sandbox: is it safe to upload it in "Secure Attachments"?

Is it possible that the malicious file may impact the whole platform or compromise ServiceNow's Security? Or are the secure attachments isolated from the whole platform?

Thanks!

2 REPLIES

gthapa
Tera Contributor

I have the same follow-up question for the SecOps implementation. If there is any feedback or response, please keep us posted.

bsmolski
ServiceNow Employee

Hi @Raghav Kakkar,

I'll answer this in two parts: 1) how phishing emails are dealt with; and 2) how infected files are dealt with.

Part 1) Phishing Emails:
Phishing emails are either submitted via a catalog item or sent to ServiceNow using the "Phish Alarm" Outlook plugin. These link into the User Reported Phishing (URP) framework, which stores the phishing emails in the [sys_emails] table and uses ingestion rules to kick off a flow to raise an appropriate Security Incident and deal with duplicates. For more details, see: https://www.servicenow.com/docs/bundle/zurich-security-management/page/product/security-incident-res...

Part 2) Infected Files:
Any file uploaded into ServiceNow is run through a virus scanner, which is enabled by default: https://www.servicenow.com/docs/bundle/zurich-platform-security/page/administer/security/concept/exp...

However! SIR supports integrations with tools that provide observable data to your Security Incidents without the need to upload compromised attachments. For example, see: https://www.servicenow.com/docs/bundle/zurich-security-management/page/product/secops-integration-th...

Please consider marking my posts as "Helpful" or hitting the Thumb Icon and marking as "Correct". Thanks!