- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-26-2018 02:17 AM
The docs say that we need to define an email address such as acme+phishing@service-now.com as the forwarding address for the possible phishing emails.
https://docs.servicenow.com/bundle/london-security-management/page/product/security-incident-response/task/create-email-matching-rules.html
Can anyone clarify how/where exactly we do this? Is this just a pop3 account set up by admin in System Mailboxes > Administration > Email Accounts or is it one of the email addresses configured in Security Operations > Email Processing > Properties (if so, which one)?
Solved! Go to Solution.
- Labels:
-
Security Incident Response

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-26-2018 08:36 AM
Hi Steve,
You are correct; in this case, the docs is referring to a newly defined email address would be introduced as a new 'pop3' account, setup by an admin in System Mailboxes > Administration > Email Accounts.
This configuration nicely separates the inbound emails ServiceNow receives, so that the logic you define for configurations like 1) SecOps Email Processing and 2) User Reported Phishing, can take advantage of this explicit mailbox.
This approach - i.e. having a dedicated ServiceNow mailbox for SecOps purposes, along with a corporate / enterprise mail account and forwarding rule that your tools and users interact with, is an effective solution and provides a higher level of assurance around email messages received in ServiceNow being handled as expected.
This approach is not necessarily mandatory to successfully use 1) SecOps Email Processing and 2) User Reported Phishing; it is strongly recommended to investigate using this approach and design.
You can still leverage your <instance@service-now.com> email address for 1) SecOps Email Processing and 2) User Reported Phishing, and attempt to build your filtering / logic around context within an email message subject, email message sender, etc - it is just not as effective as using an explicit mailbox that functionally handles SecOps related email messages.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-26-2018 07:34 AM
Can you please confirm if we need to raise a Hi support ticket for creating email account like acme+phishing@service-now.com?