User Reported Phishing with PhishMe aka Cofense Triage

R34rvi3w
Mega Expert

Hello all,

I know there is a means to use the "User Reported Phishing" options in the new release; however, most of our user-reported phishing does not go to an analyst internally for review in a mailbox. This feature states that it parses an .eml file for header info, subject, etc. and creates an incident. I need to use this with an enterprise-ready service known as PhishMe aka Cofense. When people submit these, they are delivered to their Triage managed product and analyzed there. Their API is a little lacking at the moment (the Cofense Intel API is fine, just not Triage), so we have all these massive emails which are now being sent into this solution and then still have to be manually entered on firewalls, etc.

This is really challenging, and I know there are some email parsing options, possibly, from looking at the following: https://community.servicenow.com/community?id=community_question&sys_id=6d4631a5db44f7880be6a345ca9619d6

While I don't manage the SNOW SecOps instance or SNOW at all, I do use it and really need this to parse all data listed in the email, under a section marked Indicators of Compromise. This may have IP, hash or Domain/URL listed.

Is there a means to parse all of these fields from this one alert source and use them in the same way as above?

Is there a means to also use this data as observables to enrich against Recorded Future without having to manually add observables that are already in the incident?
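The parsing the question asks for, shown as an added example that is not the poster's code and not part of any ServiceNow or Cofense product: it reads a notification saved as .eml, isolates the "Indicators of Compromise" section, classifies each value as IP, URL, domain, SHA-256 or MD5, and then filters out observables already attached to an incident so only new ones need enriching. The layout of the IOC section, the end-of-report marker and the sample message are assumptions (constructed for the example); a real Triage notification may lay the section out differently, so the section markers are the first thing to adjust.

```python
import email
import re
from email import policy

# Constructed sample of a Triage-style notification saved as .eml.
# Section layout and the "-- end of report --" marker are assumptions.
SAMPLE_EML = b"""From: triage@example.invalid
To: secops@example.invalid
Subject: [Triage] User reported phishing - Invoice overdue
Date: Mon, 01 Jan 2024 09:00:00 +0000
Content-Type: text/plain; charset=utf-8

Reporter: jane.doe@example.invalid
Original subject: Invoice overdue

Indicators of Compromise
------------------------
Sender IP: 203.0.113.45
URL: http://login-portal.example.net/verify
Domain: login-portal.example.net
Attachment SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
Attachment MD5: d41d8cd98f00b204e9800998ecf8427e

-- end of report --
"""

HEX = "[0-9a-fA-F]"
# Hash patterns use lookarounds rather than \b so that the last 32 hex
# characters of a SHA-256 are not also reported as an MD5.
IOC_PATTERNS = {
    "ip": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(rf"(?<!{HEX}){HEX}{{64}}(?!{HEX})"),
    "md5": re.compile(rf"(?<!{HEX}){HEX}{{32}}(?!{HEX})"),
    "url": re.compile(r"\bhttps?://[^\s<>\"']+"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def extract_ioc_section(body: str) -> str:
    """Return only the text under the 'Indicators of Compromise' heading.

    Restricting matching to this section keeps header lines, the reporter's
    address and other body text out of the observable list.
    """
    lines = body.splitlines()
    start = next((i for i, line in enumerate(lines)
                  if line.strip().lower() == "indicators of compromise"), None)
    if start is None:
        return ""
    section = []
    for line in lines[start + 1:]:
        stripped = line.strip()
        if stripped and set(stripped) == {"-"}:   # heading underline
            continue
        if stripped.startswith("--"):             # assumed end-of-report marker
            break
        section.append(line)
    return "\n".join(section)


def parse_triage_eml(raw: bytes) -> dict:
    """Parse the .eml bytes into headers plus observables grouped by type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    section = extract_ioc_section(body)
    observables = {}
    for kind, pattern in IOC_PATTERNS.items():
        found = sorted({m.group(0) for m in pattern.finditer(section)})
        if found:
            observables[kind] = found
    return {
        "subject": msg["Subject"],
        "from": msg["From"],
        "date": msg["Date"],
        "observables": observables,
    }


def observables_to_add(parsed: dict, existing: set) -> list:
    """Return (kind, value) pairs not already attached to the incident."""
    return [(kind, value)
            for kind, values in parsed["observables"].items()
            for value in values
            if value not in existing]


if __name__ == "__main__":
    parsed = parse_triage_eml(SAMPLE_EML)
    print(parsed["subject"])
    for kind, value in observables_to_add(parsed, {"203.0.113.45"}):
        print(f"{kind:7} {value}")
```

The domain pattern deliberately also picks up the host inside the URL line, so a URL and its domain are both produced as observables; deduplicate across types before enrichment if your incident model treats them as one indicator.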

1 ACCEPTED SOLUTION

qcj3
Kilo Guru

PhishMe Triage user here. We looked into integrating the two about a year ago and we weren't impressed with Cofense's plan for integration. The store.servicenow.com integration is just for their Threat Feed lookup. The closest thing they suggested to integrating with ServiceNow for response was their One Time notification, which means sending the email off to ServiceNow to parse. Not exactly an integration in my book. My anglers weren't impressed and found it lacking. We were hoping their future integration plans would include something we could use for response. Their delay is actually moving us to look at the ServiceNow solution instead. We were looking for a method of pushing from Cofense to ServiceNow if response is needed.

ServiceNow is missing some key requirements that Cofense offers. Once they add these features we will need to seriously re-evaluate our Cofense solution.

If you find a better method, please post back here.

 

Please indicate below if you found this post helpful.


5 REPLIES

alan_lowrance
Mega Guru

Did you ever find out how to get User-Reported Phishing to create an actual Security Incident that could see the relevant information? Right now I have them coming in and going to a black hole that nobody ever looks at, and sometimes we need to let the user know that it was a legit email and they need to respond to it to conduct business.