SecOps email parsing setup - email properties - not receiving email

Stig Brandt2
Mega Expert

Hi

I'm trying to set up an email parser in Security Operations, using McAfee ESM as an example. According to the docs, it seems that the Security Ops email properties handle 4 email addresses, and you can add more by separating them with commas.

The question is which email address do I put here to be able to receive security incidents from external sources?

- does it have to be on the company's email server with a forwarding rule?

- can it be sent to instance@service-now.com and then ServiceNow looks at the email parser and directs it to the correct queue?

Would have been nice with a process flow diagram in the documentation.

Thanks in advance

1 ACCEPTED SOLUTION

jonathanwalker
ServiceNow Employee

Hi,

  All the steps required should be below...

  1. Make sure inbound email is enabled under system mailboxes --> email properties
  2. In the email parsing rule you define the to & from email addresses
    1. I.e.: when an email comes from this email to this email, invoke the parsing rule.
  3. You must use an email address internal to the instance
    1. It can be the standard instancename.service-now.com
    2. Or you can define another email address within the instance specifically for SecOps under system mailboxes --> email accounts.


6 REPLIES

andy_ojha
ServiceNow Employee

Also related to the other SecOps Email Parser post - you'll need to enter a Mailbox that is valid - i.e. currently configured in ServiceNow.

What's the use-case / requirement here?  Is it to have a Mailbox address for all security tools to send alerts to (to be parsed)?  Is there a reason you can't leverage the base <instancename@service-now.com> Mailbox?

By default, the <instancename@service-now.com> will be spun up when your Instance is created.  Your organization may have added additional Mailboxes, but you'll need to check how that is configured / managed for each environment your organization has.

If you want to leverage a new Mailbox, rather than the default <instancename@service-now.com> - you'll need to set that up first.  After the Mailbox is configured in ServiceNow, then you can set the values here (SecOps Email Parsing Properties) with the new Mailbox address.

Reference this docs page on how to set up new Mailboxes:

https://docs.servicenow.com/bundle/kingston-servicenow-platform/page/administer/reference-pages/task/t_ConfAltEmailConfServers.html

As a side note, within each email parser config, you can configure rules that look for criteria in the subject line, email sending address, etc. - so your configured parser applies to these specific messages.

This way, if you have specific tools or apps sending alert-type data to ServiceNow to be parsed, they can send the email message to the default <instancename@service-now.com>, and your parser will be set to parse those messages based on the sending address and / or subject of the message.  This would save you from creating a new Mailbox setup, and still maintain your ability to classify and parse messages from many different tools as needed.

Just a question, when I put the standard instance email address in the email property for security incidents, the security incidents get created fine, but if I send through an email where I just want a regular incident created, it still wants to create a security incident, and the email ends up in the unmatched email queue for security incidents. So I am not sure how we would use the same email address that is for the regular incidents. Please advise.

Have you changed the incoming table to incident in the email parser? That worked for me.

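To make the behaviour discussed in the replies concrete (a message must arrive at a configured mailbox, parsing rules then match on sender, recipient and subject, and the matching rule decides the target table), here is an added example. It is constructed for this page and is not ServiceNow code or anything posted in the thread: the rule fields (`from`, `to`, `subject`, `targetTable`), the regexes, the sample addresses and messages are all assumptions, and the table names `incident` and `sn_si_incident` are used only as labels. It also plays through the problem raised in the last question: a security-incident rule keyed only on the instance mailbox swallows ordinary incident mail, while a rule narrowed to the tool's sender and subject prefix, followed by a catch-all rule for the incident table, keeps the two apart.

```javascript
// Constructed model of inbound-email routing by parsing rules.
// Not ServiceNow's API: rule fields, regexes and sample messages are assumptions.

const UNMATCHED_QUEUE = "unmatched";

// A mailbox property may list several addresses separated by commas.
function parseMailboxProperty(value) {
  return value
    .split(",")
    .map((a) => a.trim().toLowerCase())
    .filter((a) => a.length > 0);
}

// 'McAfee ESM <esm-alerts@corp.example>' -> 'esm-alerts@corp.example'
function normalizeAddress(addr) {
  const m = /<([^>]+)>/.exec(addr);
  return (m ? m[1] : addr).trim().toLowerCase();
}

// Route one message: the recipient must be a configured mailbox, then the first
// rule whose from/to/subject criteria all match decides the target table.
function routeEmail(email, mailboxes, rules) {
  const from = normalizeAddress(email.from);
  const to = normalizeAddress(email.to);
  if (!mailboxes.includes(to)) {
    return { rule: null, table: null, reason: "recipient is not a configured mailbox" };
  }
  for (const rule of rules) {
    if (rule.from.test(from) && rule.to.test(to) && rule.subject.test(email.subject)) {
      return { rule: rule.name, table: rule.targetTable, reason: "matched" };
    }
  }
  return { rule: null, table: UNMATCHED_QUEUE, reason: "no rule matched" };
}

// Configured mailboxes (constructed sample property value).
const mailboxes = parseMailboxProperty("instancename@service-now.com, secops@corp.example");

// Rule set 1: one security-incident rule keyed only on the mailbox.
// Every message to the instance mailbox becomes a security incident.
const broadRules = [
  { name: "security incidents", from: /.*/, to: /^instancename@service-now\.com$/, subject: /.*/, targetTable: "sn_si_incident" },
];

// Rule set 2: the security rule is narrowed to the ESM sender and an alert subject
// prefix; a second rule sends everything else at that mailbox to the incident table.
const narrowRules = [
  { name: "McAfee ESM alerts", from: /^esm-alerts@corp\.example$/, to: /^instancename@service-now\.com$/, subject: /^\[esm\]/i, targetTable: "sn_si_incident" },
  { name: "regular incidents", from: /.*/, to: /^instancename@service-now\.com$/, subject: /.*/, targetTable: "incident" },
];

// Constructed sample messages.
const esmMail = { from: "McAfee ESM <esm-alerts@corp.example>", to: "instancename@service-now.com", subject: "[ESM] Correlation alarm 4711" };
const printerMail = { from: "jane.doe@corp.example", to: "instancename@service-now.com", subject: "Printer offline on floor 3" };
const strayMail = { from: "jane.doe@corp.example", to: "helpdesk@corp.example", subject: "Help" };

// Where each sample lands under the two rule sets.
function compareRuleSets() {
  return {
    broad: {
      esm: routeEmail(esmMail, mailboxes, broadRules).table,
      printer: routeEmail(printerMail, mailboxes, broadRules).table,
    },
    narrow: {
      esm: routeEmail(esmMail, mailboxes, narrowRules).table,
      printer: routeEmail(printerMail, mailboxes, narrowRules).table,
    },
    stray: routeEmail(strayMail, mailboxes, narrowRules).table,
  };
}

console.log(JSON.stringify(compareRuleSets(), null, 2));
```

Rule order matters: the narrow ESM rule has to sit before the catch-all, otherwise the catch-all claims the alert mail first. Mail to an address that is not in the mailbox property is rejected before any rule runs, which is the point andy_ojha makes about entering a valid, configured Mailbox in the SecOps properties.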