SecOps email parsing setup - email properties - not receiving email

Stig Brandt2
Mega Expert

Hi

 

I'm trying to set up an email parser in Security Operations using McAfee ESM as an example. According to the doc, it seems that the Security Ops email properties handle 4 email addresses and you can add more by separating them with commas.

The question is: which email do I put here to be able to receive security incidents from external sources?

- does it have to be on the company's email server with a forwarding rule?

- can it be sent to instance@service-now.com and then ServiceNow looks at the email parser and directs it to the correct queue?

Would have been nice with a process flow diagram in the documentation.

 

Thanks in advance
1 ACCEPTED SOLUTION

jonathanwalker
ServiceNow Employee

Hi, 

  All the steps required should be below...

  1. Make sure inbound email is enabled under system mailboxes --> email properties
  2. In the email parsing rule you define the to & from email addresses
    1. I.e., when an email comes from this email to this email, invoke the parsing rule.
  3. You must use an email address internal to the instance
    1. It can be the standard instancename.service-now.com
    2. Or you can define another email address within the instance specifically for SecOps under system mailboxes --> email accounts.


6 REPLIES

Just a question: when I put the standard instance email address in the email property for security incidents, the security incidents get created fine, but if I send through an email where I just want a regular incident created, it still wants to create a security incident, and the email ends up in the unmatched email queue for security incidents. So I am not sure how we would use the same email address that is for the regular incidents. Please advise.

What about attachments? My emails come through fine from Splunk, but the attachment does not attach to the incident; in the log the attachment does show.