Set up your ServiceNow AI Platform instance for the Microsoft Exchange Online integration

  • Release version: Washingtondc
  • Updated March 5, 2024
  • 6 minutes to read

    • The following section lists the setup tasks that you are required to complete in your ServiceNow AI Platform® instance prior to installing the Microsoft Exchange Online application. Review the checklist and verify that you have completed these tasks before you download and install Microsoft Exchange Online application for the integration to ensure a smooth installation and configuration.

    Before you begin

    Setup task Description
    Verify that you have assigned the required ServiceNow AI Platform® and Security Incident Response (SIR) roles. The following ServiceNow roles are required:
    • The system administrator (admin) installs applications and assigns the security incident administrator (sn_si.admin) role.
    • The security incident administrator (sn_si.admin) configures the application for the integration. If required, the security incident administrator role also assigns the security incident analyst (sn_si.analyst) the email read and write roles (sn_sec_cmn.cap_email_write and sn_sec_cmn.cap_email_read). The (sn_sec_cmn.cap_email_read) and (com.snc.security_incident) roles are installed with the Security Incident Response product. They are assigned to the security incident administrator by default and can be reassigned as required.
    • The security incident analyst (sn_si.analyst) performs email searches and deletes emails. This role also verifies that emails have been deleted and works with security incidents.
      • The write role permits the sn_si.analyst to edit, create, and perform email searches and to delete messages. There is no separate role that is required to delete messages.
      • The read role permits the sn_si.analyst to view results on related lists on security incidents.
        Note:
        The sn_si.analyst must have the (sn_sec_cmn.cap_email_read) and (sn_sec_cmn.cap_email_write) roles to view email search results and create and perform email search queries.

    If not assigned, the following the steps describe how to assign the (sn_sec_cmn.cap_email_read) and (sn_sec_cmn.cap_email_write) roles to the security incident analyst.

    For more information about assigning roles in Security Incident Response, see Roles installed with SIR.
    Verify that the ServiceNow core applications that are required to support the integration are installed and activated before you install the application for the integration.

    The Security Incident Response Dependency plugin (com.snc.si_dep) is required, and it automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before you install and activate the other Security Operations applications required by the integration.

    Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If not installed, install and activate one application at a time in the following order to ensure a smooth installation.

    1. Security Incident Response
    2. Security Integration Framework
    3. Security Support Common
    4. Security Support Orchestration

    For more information on setting up your ServiceNow AI Platform instance for the integration, see Get entitlement for a Security Operations product or application and Activate a ServiceNow Store application.
    If your organization plans to use ServiceNow AI Platform emails notifications, verify that the email send/receive capability is enabled. Follow these steps to verify that email send and receive capability is enabled in your ServiceNow AI Platform® instance. This capability notifies users via email when searches and delete requests have been initiated and successfully completed.
    1. Navigate to Email properties > Administration > Email Properties.
    2. In Outbound Email Configuration, verify that Email sending enabled and Email receiving enabled are selected.

    This email send/receive capability is required so that your security incident analyst receives email notifications sent by the ServiceNow AI Platform®. If the delete approval feature is enabled, requests to delete emails are also sent to approvers via email. Other than enabling this email property, there is no other setup required to send and receive emails in the ServiceNow AI Platform®.

    Outbound Email Configuration enabled.

    Role required: admin

    About this task

    As a ServiceNow AI Platform security incident administrator (sn_si.admin), the email read and write (sn_sec_cmn.cap_email_read) and (sn_sec_cmn.cap_email_write) roles are automatically assigned to you when you download the Security Incident Response (SIR) product. As security incident administrator, you assign these roles to the security incident analyst (sn_si.analyst) or another role. If you have not assigned these roles to the security incident analyst, or to another role, follow these steps to assign them.

    Procedure

    1. Navigate to Organization > Users.
    2. Click the Users module.
      1. On the Users list that is displayed, click New.
      2. On the new user form that is displayed, fill out the form.
        Field Description
        UserID User ID for the ServiceNow AI Platform security incident analyst role, for example, jferguson.
        Email Company email address. The notifications for email search results and email delete confirmations are sent to this email address. For this example, jferguson@servicenow.com is used, but any company email address can be used to receive these email notifications as required by your organization.
        First name First name
        Last name Last name
        Title Security incident analyst, or Security Analyst, or Security Operations Center (SOC) Analyst, for example.
        Figure 1. New user form
        Creating a new user.
      3. Click Submit.
        The new user is displayed on the Users list.
    3. In the Users list in the User ID column, click the name of the user you want to assign the sn_sec_cmn.cap_email_read and sn_sec_cmn.cap_email_read roles to.
    4. On the open record in the Related Links section, click Edit.
      Figure 2. Edit user form
      Modifying user details.
    5. On the Edit Members form that is displayed, enter sn_sec_cmn.cap_email_read in the collection field.
      Note:
      The column below the field auto-populates. If the user has not been assigned the sn_si.analyst role, enter sn_si.analyst in the Collection field as well. In the following figure, the sn_si.analyst role already has been assigned to Joe Ferguson.
    6. In the Collection column, select then move sn_sec_cmn.cap_email_read and sn_sec_cmn.cap_email_read and sn_si.analyst (if not already assigned) to the Roles List.
      Figure 3. Assign user role
      sn_sec_cmn.cap_email read and write roles assigned in the Roles List column to a user.
    7. Click Save.
      The sn_sec_cmn.cap_email_read and sn_sec_cmn.cap_email_read roles are assigned to the security analyst (jferguson).
    8. Add users and assign roles as required for your organization.
    9. Optional: If you want to enable the approval capability for email delete requests, follow these steps to create an approval group.
      1. Navigate to User Administration > Groups.
      2. In the Groups list that is displayed, click New.
      3. On the form, fill the fields.
        Table 1.
        Field Description
        Name Name of the group that processes an approval when an email delete request is submitted, for example, Exchange Online Approvers.
        Group email Enter an email address if you want a Group email distribution list or the email address of the point of contact, such as the group manager.

        Leave this field blank if you want email notifications sent to the individual email addresses for each user in the group.
        Manager (Optional) Name of group manager. Click the search icon to view the list.
        Parent (Optional) If this group has a parent, the other group this group is a member of.
        Type (Optional) Define categories of groups.
        Vendors (Optional) Assign the vendor_manager role to users who are involved with the vendor management process of your organization.
        Description (Optional) Additional information about the group.
        Figure 4. Create Group form
        Creating a group.

        For more information about creating groups and assigning roles, see Create a user group.

      4. Click Submit.
        In the Name column, the new group is displayed on the Groups list.

        You can add more users to this group. A user inherits roles from all groups to which the user belongs. You can also assign roles directly to a user. For more information, see Managing roles. Each user can approve email delete requests submitted by the security analyst. Only one user is required to approve or reject the request.

        If your organization wants an extra level of control over deleting emails with this integration, enable the optional approval capability. Select the Enable check box on the Additional Settings tab during the configuration step to enable approvals. In the preceding example, each user of the Exchange Online Approvers group is available to process delete requests via email notification.