Security Incident Phishing Email PHIS0010001

Khanna Ji
Tera Guru

I have configured email ingestion and I can see it created some record called Security Incident Phishing Email PHIS0010001

I wanted to create a Security Incident directly. Has anything changed recently that caused this record creation? Also, the system is asking me to install the plugin below to auto-create a SIR for PHIS records. This seems to be a paid plugin.

Security Operations Spoke
1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey there,

Yes - the User Reported Phishing capability has been overhauled (you didn't mention which version of SIR you are coming from or comparing against).

In User Reported Phishing 2.0 - Flow Designer is more heavily used to handle the inbound email action and creation of Security Incidents - and will now require the Security Operations Spoke Store App you mentioned.

There are a lot more features that you will benefit from, especially around the aggregation of the PHISH records you pointed out - and ability for you to control what level of aggregation you want, and how you want it to work (1 suspicious to 1 SIR, for multiple suspicious emails to 1 SIR, etc)

You should check out documentation as you dive in:

https://docs.servicenow.com/bundle/paris-security-management/page/product/security-incident-response/concept/urp-about.html#urp-about


7 REPLIES

Allen Andreas
Administrator

Hi,

The old method was to go from phishing email to SIR.

The new method is to go from phishing email to a PHIS record which could then determine a SIR record or not.

See documentation here: https://docs.servicenow.com/bundle/paris-security-management/page/product/security-incident-response...


To use the enhanced User Reported Phishing feature, the following plugins and components are required:

  • Security Support Common (sn_sec_cmn): Includes:
    • Inbound action
    • New EmailUserReportedPhishing script
    • Ingestion Rules table
  • Security Incident Response (sn_si): Includes:
    • Security incident table (sn_si_incident)
    • Security phishing emails table (sn_si_phishing_email)
    • Security phishing email headers table (sn_si_phishing_email_header)
    • EML upload record producer
  • Security Operations Spoke
    • Flows and subflows for aggregating emails and transforming phishing emails to security incidents.

Security Operations Spoke comes with your purchase of Security Incident Response

Please see this thread here where an employee from ServiceNow confirms that: https://community.servicenow.com/community?id=community_question&sys_id=ec6e9ddbdb72485cfeb1a851ca96...

Please mark reply as Helpful/Correct, if applicable. Thanks!


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

Hey Allen,

I know your response would be to contact the sales team but checking if you can share your experience.

Do all these plugins fall under the SecOps (SIR) subscription, or do they need to be bought separately? I see some are marked as Paid in the plugin list, but sometimes they are included in the subscription.

Hi,

All the plugins listed above are part of a SecOps subscription that even the lowest tier should/would include. Be advised though that this doesn't apply to everything with SecOps. For example, the SecOps Professional Package only includes SIR or Vulnerability Response, not both. I know we're not talking about Vulnerability Response, but I'm just giving an example.

And yes...definitely speak to your ServiceNow Account Executive for official information, haha. Some of this changes depending on the SKU when you ordered SecOps and what ServiceNow version your contract was initiated on.

Please mark reply as Helpful/Correct, if applicable. Thanks!