Integrating ServiceNow® Security Incident Response with the Microsoft Exchange Online service, part of the Microsoft Office 365 suite of products, provides a security operations center (SOC) analyst with an email search and delete capability. With this integration, your SOC analyst can search your corporate email environment for security-related threats and remove phishing emails.
The integration includes the following key features:
- Configure search criteria for phishing threats in Security Incident Response based on combinations of the sender, recipient, and subject fields on email messages.
- For large or lengthy email searches, the security incident analyst is notified by email when a search completes successfully, along with the number of matched messages.
- A per-message status shows whether each recipient has read or deleted the suspicious email.
- If configured, optional approval processes ensure that suspicious emails are not deleted without prior approval.
- A complete audit trail for each delete request, including the number of emails deleted, is logged in the work notes of the security incident.
- If tagging is configured, security tags record when email search and delete workflows are initiated and successfully completed on security incidents.
Changed: Migrated workflows to Flow Designer.
System Requirements
The following plugin must be installed and activated:
- com.snc.si_dep: This plugin installs all the dependencies that are required to support the Security Incident Response application. Install and activate this plugin before installing the other Security Operations applications.
The following Security Operations applications must be installed from the ServiceNow Store and activated:
- Security Integration Framework
- Security Support Common
- Security Support Orchestration
- Security Incident Response
System Requirements
The following plugins must be installed and activated:
- com.snc.security_incident
- com.snc.secops.orchestration
Permissions and roles
- System administrator (admin) installs the application and activates plugins for the integration.
- Security incident administrator (sn_si.admin) configures the application for the integration.
- Security incident analyst (sn_si.analyst) works with security incidents, requests email searches, and remediates suspicious emails.