Security incident inbound email action has a confusing condition

Ravish Shetty
Tera Guru

Hi all,

We have the inbound email action that is part of the Security Incident Response application, and it has this out-of-box condition which I am not sure of.

Is it expecting recipients to have 'sn_si' in the email address? If that is the case, do we provision a mailbox with that text in the email address and use that mailbox to create security incident tickets? I can always modify the condition but don't want to customize this action.

[screenshot: the inbound email action's condition]

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey Ravish - Yes, that is an older (prior to Kingston) baseline SIR inbound action that is still kicking around. I believe the condition is mocked up to provide an example / starting point for configuring this (or cloning and adjusting this).

You may want to check out some of the newer (introduced in Kingston+) SIR Email Processing capabilities introduced into the SIR app since that specific inbound action was around. These are meant to be configured and tuned for your use cases, such that you do not need to touch `Inbound Email Actions`.

In the app nav menu, check out Security Operations > Email Processing ...

You will see several modules here. 

You can configure inbound emails for scenarios such as:

- Security tools to send emails to SN and create SIR records

- Users to report phishing / suspicious emails by sending them to SN as an attachment (this feature is pretty neat, it parses artifacts from the msg attachment to create Observables that can be used for Threat Lookups and other slicing and dicing)

- Ad-hoc users to send emails to SN to create SIR records

Using these capabilities offers duplication / aggregation capabilities and parsing capabilities in a bit more 'configuration friendly' way than the platform Inbound Action. Also, users with the <sn_si.admin> role can modify these configs, whereas Inbound Actions at the platform level are not necessarily accessible to users only having the <sn_si.admin> role.

The [Email Parsing] module essentially allows you to create your own configurations to control what to do when an email is received (based on criteria such as subject, recipients, body text, etc.), and you can use this to parse data / set values on the target SIR records that are created.

If you are curious, you can check out the Inbound Email Action called "Record SecOps Email Events". This acts as a front to the Email Processing capabilities and leverages the configurations you make within the Email Processing configs (i.e. SIR Email Parsing Rules). There are two Inbound Email Actions called "User Reported Phishing" that act as a front to the User Reported Phishing configurations you make (sender, subject, body, etc.) (one covers new msgs and one covers forwarded msgs).

Using [Email Parsing] or [User Reported Phishing] here allows you to configure what you need without having to touch the `Inbound email actions`, and with only the <sn_si.admin> role.

The one caveat to not needing to touch these Inbound Email Actions may occur when custom Inbound Actions were introduced onto the SN Platform with very broad conditions and a low Order number that they are run with; sometimes the Order number may need to be adjusted on these "SecOps" Inbound Email Actions (this may involve working with someone who has the platform <admin> role)...

Reference:

https://docs.servicenow.com/bundle/madrid-security-management/page/product/security-operations-commo...

https://docs.servicenow.com/bundle/madrid-security-management/page/product/security-incident-respons...


Mohit Kaushik
Mega Sage

Hi Ravish,

From the above screenshot of the conditions, it looks like it requires the recipients to have that sn_si in their email address; only then will it create or update the incident. I am not sure whether that is a required condition for this. But you can do it the other way round by creating a custom action and setting this one to inactive (active = false). In that way you will still have the main action as well, and if you want to use it again, just set active to true for the same.

Hope that helps you. Please mark it helpful if it really helped you.

Thanks,
Mohit Kaushik
ServiceNow MVP (2023-2025)

SanjivMeher
Kilo Patron

I don't think that's an OOB inbound action. Someone must have modified it.

But for Security Operations, we usually use an Email parser.


Please mark this response as correct or helpful if it assisted you with your question.

Based on the "updated by" and "updated date", it looks like it was part of the OOTB setup.

[screenshot: the inbound action's updated by / updated date fields]

Ok, I see that too.

[screenshot: the inbound action record]

I think you need to change that with your company's id.

For example, we check if the recipient is csirt@mycompany.com. So you can replace sn_si with csirt or any email id that's used by your company.


Please mark this response as correct or helpful if it assisted you with your question.
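The replies above boil down to one design choice in the inbound action's condition: a substring test ("recipients contains sn_si") versus an exact match against the mailbox your company actually uses (csirt@mycompany.com). The following is an added example, not code from the thread or from ServiceNow, written in plain JavaScript so it runs with Node. It assumes the condition receives the recipient list as one comma-separated string (the `recipients` argument here is a stand-in for whatever the platform exposes) and shows why the substring form is loose: any address that happens to contain the text matches, whereas an allowlist only fires for the provisioned security mailbox.

```javascript
// Added example (not from the thread or ServiceNow): substring match vs.
// exact-mailbox allowlist for an inbound email action condition.
// Assumption: the recipient list arrives as a comma-separated string.

// Parse "a@x.com, B@Y.com" into a normalised list of lowercase addresses.
function parseRecipients(recipients) {
  return String(recipients || "")
    .split(",")
    .map((r) => r.trim().toLowerCase())
    .filter((r) => r.length > 0);
}

// Loose check, like the baseline condition: true if any recipient address
// merely contains the needle anywhere.
function anyRecipientContains(recipients, needle) {
  const n = String(needle).toLowerCase();
  return parseRecipients(recipients).some((r) => r.indexOf(n) !== -1);
}

// Strict check, like the csirt@mycompany.com approach: true only if a
// recipient equals one of the explicitly provisioned mailboxes.
function anyRecipientInAllowlist(recipients, allowedMailboxes) {
  const allowed = new Set(allowedMailboxes.map((m) => m.trim().toLowerCase()));
  return parseRecipients(recipients).some((r) => allowed.has(r));
}

// Constructed sample recipient headers (hypothetical addresses).
const SAMPLES = {
  secopsMailbox: "CSIRT@mycompany.com, helpdesk@mycompany.com",
  lookalike: "sn_si-newsletter@vendor.example", // contains "sn_si", is not our mailbox
  unrelated: "helpdesk@mycompany.com",
};

// Run both checks over the samples and return the outcomes.
function demo() {
  const allowlist = ["csirt@mycompany.com"];
  return {
    looseMatchesLookalike: anyRecipientContains(SAMPLES.lookalike, "sn_si"), // true
    strictRejectsLookalike: anyRecipientInAllowlist(SAMPLES.lookalike, allowlist), // false
    strictAcceptsMailbox: anyRecipientInAllowlist(SAMPLES.secopsMailbox, allowlist), // true
    strictRejectsUnrelated: anyRecipientInAllowlist(SAMPLES.unrelated, allowlist), // false
  };
}

console.log(demo());
```

The practical takeaway for the thread's question: if you do provision a dedicated mailbox for security incident tickets, compare against that full address rather than a fragment, so a stray address containing the same text elsewhere does not create SIR records.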