SecOps email inbox for incident creation

08-09-2018 12:53 AM
Hi folks,
I realise there is a similar question here around this topic but I don't think it fully answers my current problem and my SIRI book is not very clear on the matter...
I am currently implementing Security Incident Response which has a couple of custom integrations. For one of them we are utilising the Security Operations email parser to create the initial incident. I have configured all REST calls that happen post incident creation but I’m struggling with the email configuration side.
I have created a company email account specific for this purpose and added that to the Security Operations email parser inbox properties and enabled incident creation from inbound email. Internal testing from the system inbox is successful.
The email account has been set up to forward to the instance (company@service-now.com) but this is being digested and processed by the main platform inbox rather than forwarding to SecOps for parsing.
Any pointers would be great.

08-09-2018 06:58 AM
Hi Brian,
If you are leveraging the SecOps Email Parser to create New Security Incidents (SIR records) - you should not need to create any new 'inbound email actions', and you should not have to modify any of the existing 'inbound email actions'.
This does require having base system 'inbound email action' called [Record SecOps Email Events] turned on (i.e. Active = true).
In the case of consuming data from a 3rd party tool via emails and using the SecOps Email Parser, try to give this a shot:
Under Security Operations --> Email Parsing:
- Ensure the email address entered here pertains to the inbox in ServiceNow that is consuming email messages (i.e. the email address that your 3rd party tool will be sending emails to, which will target the inbox in your ServiceNow instance)
Then, on the 'email parser' that you have configured under Security Operations --> Email Processing --> Email Parsing:
- Ensure you fill out the [Email is from] field, and include the sending email address of your expected 3rd party tool
- If you are testing here, you could include your personal email address that you will be sending emails to ServiceNow from, to perform your testing as well
- You can also specify text you expect to see in the email message subject here as well to further filter - which could be used if you have multiple email parser configurations in place
Then, after you test sending messages from the expected sender address, to the ServiceNow inbox - you should see in the email logs, messages coming through to the target table <sn_sec_cmn_email_event>, under System Logs --> Emails.
This will create the expected SIR record from the email message, and apply the parsing parameters that you specified for this scenario.

08-30-2018 01:18 AM
Hi Ajo
Have configured as you are recommending (email_parser), and trying to send a sir ticket to sir_devxxxx@service-now.com, but get a mail error, email address is not recognized by receiver?
Do I also need to configure email accounts for each email I configure in the secops email properties?
Not sure I find this:
This does require having base system 'inbound email action' called [Record SecOps Email Events] turned on (i.e. Active = true).
I don't seem to be able to find above in inbound email actions??
NB: I am able to send to standard instance@service-now.com.
Thanks in advance

08-30-2018 07:30 AM
I can appreciate the clarification here.
The four inbox options that appear on "Email Parsing Inbox" are a bit misleading. You need to enter valid Mail Inboxes that exist here. Entering a Mailbox address here assumes that Mailbox is configured already on the SN Instance.
By default, your SN Instance will typically have the <instancename@service-now.com> inbox set up by default.
This will work today, if you enter your default SN Instance Mail Inbox into one of the four boxes on the "Email Parsing Inbox" page.
If you have appetite for leveraging multiple Mailboxes, then you need to enable these first on the SN Instance. From there, the Mailbox address can be entered into one of the four inbox options that appear on "Email Parsing Inbox".
Check out this reference on how to introduce additional Mailboxes, on top of the default SN Instance Mailbox.
- https://docs.servicenow.com/bundle/kingston-servicenow-platform/page/administer/reference-pages/task/t_ConfAltEmailConfServers.html