12-04-2020 09:38 AM
I have configured email ingestion and I can see it created a record called Security Incident Phishing Email PHIS0010001.
I wanted to create a Security Incident directly. Has anything changed recently that caused this record to be created? Also, the system is asking me to install the plugin below to auto-create SIRs for PHIS records. This seems to be a paid plugin.
Security Operations Spoke

12-04-2020 09:45 AM
Hey there,
Yes - the User Reported Phishing capability has been overhauled (you didn't mention which version of SIR you are coming from or comparing against).
In User Reported Phishing 2.0 - Flow Designer is more heavily used to handle the inbound email action and creation of Security Incidents - and will now require the Security Operations Spoke Store App you mentioned.
There are a lot more features that you will benefit from, especially around the aggregation of the PHISH records you pointed out - and the ability for you to control what level of aggregation you want, and how you want it to work (1 suspicious to 1 SIR, or multiple suspicious emails to 1 SIR, etc.)
You should check out documentation as you dive in:
https://docs.servicenow.com/bundle/paris-security-management/page/product/security-incident-response/concept/urp-about.html#urp-about-

12-04-2020 09:24 PM
Hi Andy,
Good to see you are still active in this space :), happy to see you.
I see two versions for the same flow.
- Transform Phishing Email to Security Incident V1 - Still Inactive
- Transform Phishing Email to Security Incident V1.1 - Activated by me
I have activated V1.1 but still, I do not see SIR created from Phishing records. Any idea if I am missing something?
12-04-2020 09:30 PM
It worked when I activated V1 also.
- Transform Phishing Email to Security Incident V1 - Active
- Transform Phishing Email to Security Incident V1.1 - Active
Is it required to activate both flows?

12-06-2020 04:18 PM
Hey there - yes time flies, but happy to still be helping out where possible!
You only need to clone one of the Flow Templates for the "Transform Phishing Email to Security Incident" ... specifically, you want to clone the v1.1 template.
From there, you will need to set up your "Ingestion Rules" for User Reported Phishing - have you by chance already configured this?
And yes - the answer you will typically get for Plugin / Store App Licensing will be "contact your Account Team" 😉 There are a lot of variations in which Tier something may be attached to, and older subscriptions in the mix, etc.
Reference:
https://docs.servicenow.com/bundle/paris-security-management/page/product/security-incident-response/concept/urp-about.html#urp-setup-rules