Create security incidents from User Reported Phishing emails
Use this feature to create security incidents from user reported phishing emails.
The enhanced User Reported Phishing functionality includes aggregation capabilities, email header extraction, and configuration.
- You can report phishing emails in multiple ways:
- Emails can be forwarded as attachments.
- If the PhishAlarm plugin (previously known as Wombat)
is configured with the Microsoft Outlook
client, you can:
- Select the Report Phish button.
- Forward phishing emails from a mobile device using the Report Phish option.
- You can upload a phishing email (in .eml format).
- User reported phishing includes aggregation business logic that
identifies duplicate phishing emails reported by users in an organization. Users can use
this capability to:
- Aggregate duplicate or similar user reported phishing incidents (company initiated phishing campaigns).
- Avoid triaging duplicate user reported phishing incidents and reduce the manual effort involved in consolidating incidents.
- Enable security analysts to work on a single user reported phishing incident.
- Provides phishing email headers within the user reported phishing incident.
- Security analysts can scan for key email header information within the incident.
- Manual effort in gathering header information from other sources is no longer required.
- The original phishing email submitted is stored as a Phishing Email Record in a new table.
- Security analysts can view details of the original phishing email like phishing email content, headers, origin.
- Security administrators can configure and make certain enhancements that include:
- Configurations to extract email headers from the email body (Report Phish submissions).
- Filters to capture selected headers.
- Configurations to handle parent-child incident association when duplicate phishing email records are identified.
- Flow Designer configurations to modify aggregation business logic based on the requirements.
Set up ingestion rules for user reported phishing
As a user with the sn_si.admin role, you can define email matching rules to filter user reported phishing emails based on specific criteria. For example, you can define a rule where all emails sent either
directly or through the Report Phish button to security@acme.com are categorized as user reported phishing emails. For more information, see Set up ingestion rules for User Reported Phishing.
Define user reported phishing properties
Define the header information that needs to be captured from user reported phishing emails. For more information, see Define User Reported Phishing properties.
Phishing email records created from user reported phishing emails
User reported phishing emails are converted to security incidents based on the email matching rules that have been defined. For more information, see Phishing email records created from user reported phishing emails.
Transform phishing email to security incident
The Transform Phishing Email to Security Incident flow converts or transforms phishing email records to security incidents. For more information, see Transform user-reported phishing emails to security incidents.
Security incident records created from phishing email records
View the security incident record details including the Related Lists, Worknotes, and other important information. For more information, see Security incident records created from phishing email records.
Required components and plugins
The User Reported Phishing feature available is an enhanced version of the existing user reported phishing functionality available. See Create rules to validate user-reported phishing attacks.
Important Installation Instructions
- The existing User Reported Phishing email inbound actions (Type = Forward and Type = New) have been disabled.
- A new Create Phishing Email inbound action is now available.
- The Transform user-reported phishing emails to security incidents is a new flow that contains the security incident creation and aggregation business logic for the new design. You must activate this flow for the new design to take effect.
- The existing User Reported Phishing rules have been preserved during the upgrade.
- Reporting the phishing email in multiple ways: See Create security incidents from User Reported Phishing emails for the details. The phishing email is then moved to the sn_si_phishing_email table.
- Creating phishing email records: If the email-matching rules are met (See Set up ingestion rules for User Reported Phishing), the Create Phishing Email inbound action creates a phishing email record. The parsed email headers are stored in the sn_si_phishing_email_header table and associated with the phishing email as a related list.
- Aggregating similar phishing records into a single security incident: The Transform user-reported phishing emails to security incidents flow creates security incidents from the phishing email records and aggregates similar records into a single incident. The aggregation conditions can be modified as required in this flow.
- The User Reported Phishing inbound actions available prior to the Security Incident Response 9.0 release are now disabled. Security incidents are no longer created through the disabled inbound actions.
- The Security Operations spoke application must be installed for the new design to take effect. This includes the Transform user-reported phishing emails to security incidents flow which is available in an inactive state by default. Activate this flow to create security incidents from the phishing email records.
- Security Support Common (sn_sec_cmn): Includes:
- Inbound action
- New EmailUserReportedPhishing script
- Ingestion Rules table
- Security Incident Response (sn_si): Includes:
- Security incident table (sn_si_incident)
- Security phishing emails table (sn_si_phishing_email)
- Security phishing email headers table (sn_si_phishing_email_header)
- EML upload record producer
- Security Operations Spoke
Flows and subflows for aggregating emails and transforming phishing emails to security incidents.
The following figure shows the new phishing emails table with references to the matched URP rule and target security incident record (sn_si_incident).
Set up ingestion rules for User Reported Phishing
As a user with the sn_si.admin role, you can define email matching
rules to filter user reported phishing emails based on specific criteria. For example, you
can define a rule where all emails sent either directly or through the Report Phish button
to security@acme.com are categorized as user reported phishing emails.
始める前に
Role required: sn_si.admin
手順
-
Select Submit to save the rule.
The following are some sample rules:
- To Rule: Filter emails that have been sent directly or forwarded to security@example.com email id.
- User ID Rule: Filter emails that have been sent from a specific email id.
- To Rule: Filter emails that have been sent directly or forwarded to security@example.com email id.
Define User Reported Phishing properties
Define the header information that must be captured from user reported phishing emails.
始める前に
Role required: sn_si.admin
このタスクについて
- Configuration to extract email headers from the email body. (Report Phish submissions.)
- Filter to select headers.
- Enable or disable parent-child association.
手順
-
Navigate to .
Phishing email records created from user reported phishing emails
User reported phishing emails are converted to security incidents based on the email matching rules that have been defined.
- An email record is created in the sys_email table.
- The Create Phishing Email inbound action runs on the email record and uses the Email Matching Rules (see Set up ingestion rules for User Reported Phishing) to determine if it is a phishing email.注:The email is first verified with all the email matching rules where the Rule Type is set to Deny. If the email matches to the condition for any of the deny rule, an audit record is created in the
sn_si_phishing_email_deny_audittable. A security incident isn’t created for such email. - When the
email is identified as a
phishing email, and it matches to an email matching rule where the Rule Type is set to
Allow, a phishing email record is created in the
sn_si_phishing_emailtable. - Finally, the Transform user-reported phishing emails to security incidents flow is applied to convert the phishing email record to a security incident.
To view the email details, navigate to . A list of phishing email records are displayed. Select the date link in the Created column to view the email record.
| Field Name | Description |
|---|---|
| Number | The number assigned to the user-reported phishing email. |
| Subject | The subject of the email. The subject rule is useful in simulated phishing campaigns or tests. In this case, organizations send deceptive emails to their own staff to test their response to phishing and
similar email attacks. In simulated phishing email tests, if the Microsoft Outlook email client with the PhishAlarm plugin (previously known as Wombat) is being used, the user can select the Report Phish button to report the phishing email. The email is sent to the Security Operations team with Simulated Phishing appended to the Subject of the email. This is used to identify the email as a simulated phishing email. |
| From | The email address from where this phishing email originated. This information is available if the phishing email is forwarded as
an .EML file attachment or if the original headers are embedded in the email. If the user forwarded the phishing email directly, the From address may not be available. |
| Reported by | The email id of the user who reported this phishing email. Select the Information icon to view additional details. |
| Message id | The id assigned to the message. |
| Matched URP rule | The User Reported Phishing rule that is to be applied on this email. Select the Information icon to view additional details. |
As you can see, in this example, the Condition field shows that the ToRule is applied on this email and a security incident is created. See Set up ingestion rules for User Reported Phishing for more information on defining email matching rules. |
|
| State | When a new phishing email record is created in the sn_si_phishing_email table, the State field is set to New. When this email record is converted to a security incident
(see Transform user-reported phishing emails to security incidents), the State field is updated to Processed. |
| Header origin | This field indicates how the email headers originated or how the user reported the phishing email:
|
| Security Incident | This field is blank when the user-reported-phishing email is first reported. When the Transform user-reported phishing emails to security incidents flow has been executed, this email is converted to a security incident record and the number of this record is displayed
here. 注: Security incident is only created for the emails, which matches to an email matching rule where the Rule
Type is set to Allow. |
| Raw headers | This field shows the complete header information extracted from the email as defined in the Define User Reported Phishing properties page. The headers are parsed into key value pairs and displayed in the Phishing Email Headers list. |
| Body | Body of the user-reported phishing email. |
Transform user-reported phishing emails to security incidents
The Transform Phishing Email to Security Incident flow converts or transforms phishing email records to security incidents.
始める前に
- Role required: sn_si.admin
- Flow Designer spoke must be installed.
このタスクについて
- Aggregate security incidents.
- Update security incidents with relevant notes.
- Add header data.
- Create child incidents as required.
手順
-
Navigate to to view the flows available with the Security Operations
spoke.
-
This flow is provided with the base system and is in Read Only mode and
can’t be used.
Select the more icon
, make a copy of the flow and open it for your use. You can now
change your flow, such as modifying
trigger conditions or actions, or adding and removing actions. After making the necessary changes, you must activate (See
Activate a Security Incident Response flow) the flow so that it can be executed.This figure shows the trigger and the steps executed with the flow. The-right hand panel shows the data flow. Select on an icon to expand the step and view the details.
-
Select the Trigger
icon.
In the first step, you define or set the trigger for the flow. Specify the conditions for the trigger and task to be performed when the conditions are met. This flow is initiated when a New record is uploaded to the
sn_si_phishing_emailtable. -
In step 1, the flow verifies if the Create child incidents for aggregated email submissions? flag is enabled or disabled
on the Transform user-reported phishing emails to security incidents page.
-
In step 2, the oldest parent security incident is identified.
Notice the icon in step 2. This indicates that the Phishing Email Aggregation Subflow will be executed as part of this step.
Select the action designer icon to see a detailed view of the action. This subflow checks the phishing email and matches it with an existing security incident based on the specified criteria.
These two actions are performed when this subflow is executed. Select on the link of the first action to view additional details.This action checks the emails that match the criteria for the new incoming email based on conditions such as:- Security Incident State isn’t Closed.
- Subject or From value match the email matching rule conditions defined (See Set up ingestion rules for User Reported Phishing).
-
Step 3 is applicable only if the Create child incidents for
aggregated email submissions? flag was set to
No in the Transform user-reported phishing emails to security incidents
page.
In this case, the phishing email is associated with the security incident record and the flow ends.
-
If the Create child incidents for aggregated email submissions?
is set to Yes, the flow
continues to run and a new security incident is created based on the user-reported phishing email.
-
In step 5, users who received the phishing email (employees in the To and CC
list of the phishing email) are added to the Affected Users related list in the
security incident record.
-
In step 6, allow listed observables are filtered from the list of observables
in the security incident.
These allow listed observables won’t be added to the security incident.
-
In step 7, unknown observables from the user-reported phishing email are
identified and added to the Observables related list.
-
In step 8, an email search query is generated which is a combination of the
Subject and the From address of the email.
This information is useful in identifying the employees in the organization who have been phished.
-
In step 9, the user reported phishing email is associated with the security
incident and the security incident record (created in step 4) is updated.
-
In step 10, the parent security incident is identified and a check is made to see if
it’s an open security incident record.
-
In step 12, if no Affected Users were found (in step 5 of the flow), a worknote
is added and the security incident record is updated.
-
In step 13, a worknote is added with the list of allow listed
observables.
次のタスク
Select Executions to view the execution details of the flow.
When the flow has been executed, the phishing email record is converted to a security incident. See Security incident records created from phishing email records.
Security incident records created from phishing email records
Phishing email records stored in the sn_si_phishing_email table are converted to security incidents records.
To view the security incident associated with the phishing email record, click .
Click the link in the Security Incident column associated with the phishing email record. The security incident details are displayed.
Related lists
Scroll down to the Related Links section of the security incident and click Show All related list. View details like child security incidents, affected users, associated phishing emails.
Child security incidents
Associated phishing emails
Associated phishing email headers
Allowed list observables
As the Transform user-reported phishing emails to security incidents flow is being executed, you can monitor the status of the security incident. When certain observables are marked as allowed list observables, they aren’t added to the Observables Related list. By marking the observables to the allow list, you can ensure that only the important details are displayed. For example, if www.google.com is one of the URLs that has been tagged as the allowed list, the following system message is displayed. Allowed list observables ensure that only the important observables are monitored.
Capturing unmatched users
User Reported Phishing in the Security Analyst Workspace
You can view security incidents associated with the phishing email records in the Security Analyst Workspace.
- Identified duplicate child records.
- Allowed list observables.
- Unmatched users who received the phishing email but do not belong to the Affected Users list.
Frequently Asked Questions
This section covers some of the frequently asked questions about the enhanced User Reported Phishing feature.
- I have installed the new Security Incident Response spoke but I cannot view any user
reported phishing incidents.
By default, the User Reported Phishing functionality has been disabled.
To enable this feature, you must make a copy of the read-only Transform user-reported phishing emails to security incidents flow and activate it before use.
- While ingesting phishing emails and converting them into security incidents, what
precautionary measures are used to handle malicious links and attachments in the phishing
emails?
The ServiceNow anti-virus scanner scans such malicious attachments and links. However, to ensure that security analysts can investigate the incidents accurately, the Security Incident Response application captures all the artefacts that are part of a phishing email. But the User Reported Phishing functionality mutes the malicious links in the phishing email so that security analysts don't accidentally click these links. Regarding malicious attachments, security analysts must be cautious about downloading them.
- Do we capture all malicious files that are part of the phishing emails for security
incident enrichment?
Yes, we capture all files from the phishing emails. You can view these details are available as part of security incident observables in the form of a file hash.
- Do we send malicious files and links from phishing emails to a sandbox instance for
investigation?
Currently, we do not support out-of-the-box sandbox integrations for investigating malicious files and links.
- Is there a time window or a trigger that defines the duration in which incoming duplicate
phishing email records are associated with a parent security incident?
Duplicate phishing email records are aggregated only to an active parent security incident. If the parent incident is closed or canceled, then the incoming new duplicate phishing email will be created as a new security incident. However, in this scenario, within the new security incident, you can view the closed or canceled parent security incident in the Similar Security Incident related list.
注:This behavior can be configured using the flow designer. - Does the User Report Phishing feature support the use of only the Microsoft Outlook PhishAlarm plugin (previously known as Wombat) to capture email header details?
The User Reported functionality has been built to parse email headers and complies with RFC822 standards. So, similar to the PhishAlarm plugin (previously known as Wombat), all other Microsoft Outlook plugins that capture email headers based on RFC822 standards are supported.