Security incident inbound email action has a confusing condition

Go to solution
Ravish Shetty
Tera Guru

‎08-23-2019 12:42 PM

hi all,

we have the email inbound action part of the security incident response application and it has this out of box condition which I am not sure of

is it expecting recipients to have 'sn_si' in the email address? if that is the case, do we provision a mailbox with that text in the email address and use that mailbox to create security incident tickets? I can always modify the condition but don't want to customize this action.

find_real_file.png

Preview file
66 KB
0 Helpfuls
  • 3,166 Views
1 ACCEPTED SOLUTION

Go to solution
andy_ojha
ServiceNow Employee
ServiceNow Employee

‎08-24-2019 10:43 AM

Hey Ravish - Yes, that is an older (prior to Kingston) baseline SIR inbound action that is still kicking around.  I believe the condition is mocked up to provide an example / leading point for configuring this (or cloning and adjusting this).

You may want to check out some of the newer (introduced in Kingston+) SIR Email Processing capabilities introduced into the SIR app, since that specific inbound action was around.  These are meant to be configured and tuned for your use-cases, such that you do not need to touch `Inbound Email Actions`.   

In the app nav menu, check out Security Operations > Email Processing ...

You will see several modules here. 

You can configure inbound emails for scenarios such:

- Security tools to send emails to SN and create SIR records

- Users to report phishing / suspicious emails by sending them to SN as an attachment (this feature is pretty neat, it parses artifacts from the msg attachment to create Observables that can be used for Threat Lookups and other slicing and dicing)

- Ad-hoc users to send emails to SN to create SIR records

Using these capabilities offers duplication / aggregation capabilities, parsing capabilities - in bit more 'configuration friendly way', than the platform Inbound Action.  Also, users with the <sn_si.admin> role, can modify these configs; whereas Inbound Actions at the platform level are not necessarily accessible to users only having the <sn_si.admin> role.

The [Email Parsing] Module, essentially allows you to create your own configurations to control what to do when an email is received (based on criteria such as subj, recipients, body text, etc) - and you can use this to parse data / set values on the target SIR records that are created.

If you are curious, you can check out the Inbound Email Action called "Record SecOps Email Events".  This acts a front, to the Email Processing capabilities, and leverages the configurations you make within the Email Processing configs (i.e. SIR Email Parsing Rules).  There are two Inbound Email Actions called "User Reported Phishing", that acts as a front, to the User Reported Phishing configurations you make (sender, subject, body, etc) (one covers new msgs and one covers fwd msgs).

Using the [Email Parsing] or [User Reported Phishing] here allows you configure what you need, without having to touch the `Inbound email actions`, and with only having the <sn_si.admin> role.

The one caveat to not needing to touch these Inbound Email Actions, may occur when custom Inbound Actions were introduced onto the SN Platform with very broad conditions and a low Order number that it is ran with; sometimes the Order number may need to be adjusted on these "SecOps" Inbound Email Actions (this may involve working with someone who has the platform <admin> role)...

Reference:

https://docs.servicenow.com/bundle/madrid-security-management/page/product/security-operations-commo...

https://docs.servicenow.com/bundle/madrid-security-management/page/product/security-incident-respons...

View solution in original post

7 REPLIES 7

Go to solution
andy_ojha
ServiceNow Employee
ServiceNow Employee

‎08-24-2019 10:43 AM

Hey Ravish - Yes, that is an older (prior to Kingston) baseline SIR inbound action that is still kicking around.  I believe the condition is mocked up to provide an example / leading point for configuring this (or cloning and adjusting this).

You may want to check out some of the newer (introduced in Kingston+) SIR Email Processing capabilities introduced into the SIR app, since that specific inbound action was around.  These are meant to be configured and tuned for your use-cases, such that you do not need to touch `Inbound Email Actions`.   

In the app nav menu, check out Security Operations > Email Processing ...

You will see several modules here. 

You can configure inbound emails for scenarios such:

- Security tools to send emails to SN and create SIR records

- Users to report phishing / suspicious emails by sending them to SN as an attachment (this feature is pretty neat, it parses artifacts from the msg attachment to create Observables that can be used for Threat Lookups and other slicing and dicing)

- Ad-hoc users to send emails to SN to create SIR records

Using these capabilities offers duplication / aggregation capabilities, parsing capabilities - in bit more 'configuration friendly way', than the platform Inbound Action.  Also, users with the <sn_si.admin> role, can modify these configs; whereas Inbound Actions at the platform level are not necessarily accessible to users only having the <sn_si.admin> role.

The [Email Parsing] Module, essentially allows you to create your own configurations to control what to do when an email is received (based on criteria such as subj, recipients, body text, etc) - and you can use this to parse data / set values on the target SIR records that are created.

If you are curious, you can check out the Inbound Email Action called "Record SecOps Email Events".  This acts a front, to the Email Processing capabilities, and leverages the configurations you make within the Email Processing configs (i.e. SIR Email Parsing Rules).  There are two Inbound Email Actions called "User Reported Phishing", that acts as a front, to the User Reported Phishing configurations you make (sender, subject, body, etc) (one covers new msgs and one covers fwd msgs).

Using the [Email Parsing] or [User Reported Phishing] here allows you configure what you need, without having to touch the `Inbound email actions`, and with only having the <sn_si.admin> role.

The one caveat to not needing to touch these Inbound Email Actions, may occur when custom Inbound Actions were introduced onto the SN Platform with very broad conditions and a low Order number that it is ran with; sometimes the Order number may need to be adjusted on these "SecOps" Inbound Email Actions (this may involve working with someone who has the platform <admin> role)...

Reference:

https://docs.servicenow.com/bundle/madrid-security-management/page/product/security-operations-commo...

https://docs.servicenow.com/bundle/madrid-security-management/page/product/security-incident-respons...

Go to solution
Ravish Shetty
Tera Guru
In response to andy_ojha

‎08-26-2019 02:37 PM

hi Andy, I activated the plugin in Madrid so I am not sure why I see a Kingston inbound action.

0 Helpfuls

Go to solution
andy_ojha
ServiceNow Employee
ServiceNow Employee
In response to Ravish Shetty

‎08-26-2019 02:46 PM

Hey Ravish - You will see this `Email Inbound Action` on a fresh Madrid install SIR.

There are some components introduced in earlier versions of the product, that are also included in the current release (such as this inbound email action).

I would try to use the new SecOps email handling capabilities (i.e. Email Parser) rather than this inbound action, for the use-cases you might be looking at.

 

0 Helpfuls