Why use Duplication Rules instead of Event Management for Security Operations

R34rvi3w
Mega Expert

Hello all,


So I know event management is the preferred means of dealing with INC in ServiceNow, and that when one is using the default ServiceNow incident creation abilities, one can use the Duplication Rules. In our situation, we have so many things using inbound actions and rules; in this case ServiceNow is skipping over the default "Create Sec Ops Events" about four or five down in priority, and a whole new inbound rule was made to create SIRs. The problem over time has been, for one, this seemed overly complex and, for two, it's been resulting in duplicate SIRs every day for things that Duplication Rules could handle. I think the other challenge was the email parsing couldn't be used because of this.


Am I missing something here? If I want to get the proper functionality from SNOW SecOps and do things by the book, would you use event management and custom inbound rules, or use the mechanisms that ServiceNow created specifically for this module? Best practices, thoughts, all?


1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey there,

I understand and can surely appreciate the scenario you are tackling.

I would vote for putting effort and time towards investigating ways to leverage the baseline 'Record SecOps Email' inbound action -> where you might explore avenues such as using SMTP Tags, or working with your SN Platform Team to investigate opportunities to carve this inbound action out using some sort of condition targeting <sender>, <recipients>, <subject> or something from the message body / header. It's a bit difficult to analyze this remotely without seeing what other inbound actions are winning / why; if you need help with that part, perhaps you can work with your internal SN Platform Team and / or SN HI Support.

In addition to the useful features you mentioned (dedup rules, parsing of observables) -> this capability also provides a neat way to preview the email message in HTML using the "New UI", and is a vehicle for using the mail blocking integrations with Exchange (which you may or may not potentially check out down the road).

Further, as time goes on - there will likely be enhancements made to the User Reported Phishing capability that you may miss out on.

I would put the effort towards getting the 'Record SecOps Email' inbound action to trigger and realizing the baseline benefits of this versus trying to re-create this in a custom fashion and always having to maintain that / keep up over time.
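The routing condition the accepted answer describes (carving the 'Record SecOps Email' inbound action out by sender, recipients or subject), as an added example that is not code from this thread or from ServiceNow. The `email` field names mirror ServiceNow's inbound email object but are an assumption here, and the addresses, domains and tag are constructed placeholders:

```javascript
// Added example (not from the thread or ServiceNow). Decides whether an inbound
// message should reach the SecOps inbound action, based on the three signals
// named in the accepted answer: subject (SMTP tag), recipients, sender.
// `email.subject`, `email.from`, `email.recipients` are assumed field names.
const SMTP_TAG = "[SECOPS]";                       // assumed subject tag
const SECOPS_INTAKE = "secops-intake@example.com"; // assumed intake mailbox
const TOOLING_SENDER_DOMAINS = ["siem.example.com", "phishreport.example.com"];

// Returns the reason a message should be routed to SecOps, or null if none.
// Sender and subject are under the sender's control, so this is a routing
// heuristic for de-duplicated intake, not an authentication of the report.
function secOpsRouteReason(email) {
  const subject = String(email.subject || "").trim();
  let from = String(email.from || "").trim().toLowerCase();
  // Accept "Display Name <addr>" as well as a bare address.
  const angle = from.match(/<([^>]+)>/);
  if (angle) from = angle[1].trim();
  const recipients = String(email.recipients || "")
    .toLowerCase()
    .split(",")
    .map((r) => r.trim())
    .filter(Boolean);

  // 1. Explicit SMTP tag placed in the subject by the sending system.
  if (subject.toUpperCase().startsWith(SMTP_TAG)) {
    return "smtp-tag";
  }
  // 2. The dedicated SecOps intake mailbox is among the recipients.
  if (recipients.includes(SECOPS_INTAKE)) {
    return "intake-recipient";
  }
  // 3. Sender domain belongs to known security tooling. Exact match, not a
  //    suffix match, so "siem.example.com.evil.net" does not qualify.
  const senderDomain = from.includes("@") ? from.split("@").pop() : "";
  if (TOOLING_SENDER_DOMAINS.includes(senderDomain)) {
    return "tooling-sender";
  }
  return null;
}

// Boolean form, the shape an inbound action condition script would return.
function shouldRouteToSecOps(email) {
  return secOpsRouteReason(email) !== null;
}
```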



5 REPLIES

Eric Feron
Moderator

Bringing this back up to everyone's attention. Looking for more input.

Thanks.

EF