
Get started with the Microsoft Exchange On-Premises integration

The Microsoft Exchange On-Premises integration provides tools for security analysts to contain and remediate phishing and spear phishing email threats in on-premises instances. Before you can use the Microsoft Exchange On-Premises integration, you must activate the plugin and identify the appropriate Exchange and MID servers.

Before you begin

The procedure you use to install the integration depends on the Security Incident Response version you are running.
Role required: sn_si_admin

About this task

Prior to London Patch 6: This procedure can be used to activate the Security Operations Microsoft Exchange Integration plugin and configure the integration. You can also activate the plugin using the traditional method. If you activate the plugin using the traditional method, the Microsoft Exchange On-Premises integration recognizes the installation and the integration card displays the New button. Proceed to step 5.

Procedure

  1. Navigate to Security Operations > Integrations > Integration Configuration.
    The available security integrations appear as a series of cards.
    (Figure: Microsoft Exchange On-Premises integration card)
  2. In the Microsoft Exchange On-Premises card, click Install Plugin.
  3. In the Install Microsoft Exchange On-Premises Integration dialog box, review the plugin details and click Activate.
  4. When the activation is complete, click Close & Reload Form.
    The Security Integration screen reloads and the New button for the integration is available.
  5. Click New.
    (Figure: Microsoft Exchange On-Premises Configuration)
  6. Fill in the fields, as needed.
    Name: The name of this configuration.
    Delete Recovery: Select this option to remove the ability to recover deleted emails in Exchange.
    Exchange Server: Specify the Exchange server to be used.
    MID Server: Select Any to use any active MID Server, or select a specific MID Server name.
    Note: Configuring this integration activates workflows. To manage the workflows, navigate to the Workflow Editor.
  7. Click Submit.
    The integration configuration card displays.
  8. When viewing the new configuration card, you can click Configure or Delete to change or delete the configuration, respectively.
  9. To return to the original list of integration configuration cards, select No from the Show Configurations drop-down list.

Microsoft Exchange - Perform Email Search and Deletion workflow

When the Microsoft Exchange - Perform Email Search and Deletion workflow is executed, it searches the Exchange server using the search query provided, and returns the details to the on-premises instance.

Before you begin

Role required: sn_si.analyst

About this task

The Microsoft Exchange - Perform Email Search and Deletion workflow is executed when email searches are set up and the Delete from Email Server(s) or Search on Email Server(s) button is pressed.
(Figure: Microsoft Exchange - Perform Email Search and Deletion workflow)

Activities specific to this integration are described here. For more information on other activities, see Common integration workflow activities.

Microsoft Exchange Execution Tracking - Begin activity

The Execution Tracking - Begin workflow activity starts the auditing process for the observables in the Microsoft Exchange - Perform Email Search and Deletion workflow.

The Execution Tracking - Begin activity can be used with any workflow to begin recording the progress of the workflow in an audit.

Results

Possible results for this activity are:

Table 1. Results
Success: An audit record is created.

Input variables

Input variables determine the initial behavior of the activity.

capabilityId: System identifier of the Integration Capability being executed.
isImpl: Flag that specifies whether auditing is done for an Integration Capability workflow or an Integration Capability implementation workflow. Possible values are:
  • false - denotes auditing on an abstract Integration Capability workflow such as Sightings Search (default).
  • true - denotes auditing on an Integration Capability implementation workflow.
taskId: System identifier for any task associated with the workflow.
observableList: One or more observable SysIDs on which to perform the desired action. Used as a workflow input.
workflowContextId: System identifier of the associated workflow context record. Supplied by the system.
workflowName: Name of the workflow. Supplied by the system.
parentCapabilityExcutionId: System identifier of the audit record that launched the implementation workflow. Only required for Integration Capability implementation workflows.

Output variables

Table 2. Output variables
capabilityExecutionId: System identifier of the audit record.

Get Email Details from Exchange Server activity

The Get Email Details from Exchange Server activity performs a search for emails in the designated Exchange server(s) using the search queries defined, and returns details from the subject, recipient, and sender parameters.

Input variables

Input variables determine the initial behavior of the activity.

targetId: Mandatory target host identifier field where the Exchange Server is located.
search_query: Mandatory search query used to find emails in the Exchange Server across all mailboxes.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 3. Output variables
response: Email details retrieved for each email found for the given search query.

Exit Conditions

Possible exit conditions for this activity are:

Table 4. Exit Conditions
No emails found: The email count is zero; no emails were found for the given search query.
Threat emails found: The email count is greater than zero and email details were returned for the given search query.
Error executing at exchange: An error occurred while executing the PowerShell script on the Exchange Server.

Search/Delete Threat Email in Exchange activity

The Search/Delete Threat Email in Exchange activity performs a search for emails in the designated Exchange server(s) using the search queries defined, and returns the details.

Input variables

Input variables determine the initial behavior of the activity.

target: Mandatory target host identifier field where the Exchange Server is located and the PowerShell script will be executed.
search_query: Mandatory search query used to find emails in the Exchange Server across all mailboxes.
operation: Operation to be executed on the Exchange server. Possible values are:
  • search
  • delete
delete_from_recovery: Choose to delete emails from the recovery folder on the Exchange server. Possible values are:
  • true
  • false

Output variables

The output variables contain data that can be used in subsequent activities.

Table 5. Output variables
emailCount: The total number of emails found during the search/delete operations for the given search query.

Exit Conditions

Possible exit conditions for this activity are:

Table 6. Exit Conditions
No emails found: The email count is zero; no emails were found for the given search query.
Threat emails found: The email count is greater than zero and email details were returned for the given search query.
Error executing at exchange: An error occurred while executing the PowerShell script on the Exchange Server.
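As an added example (not ServiceNow's script and not part of this page), the following Exchange Management Shell function mirrors the Search/Delete Threat Email in Exchange activity (and the search half of Get Email Details from Exchange Server): it takes the search_query, operation and delete_from_recovery inputs, produces emailCount, and maps the outcome onto the three exit conditions above. It assumes on-premises Exchange with the Search-Mailbox cmdlet available to a caller holding the Mailbox Search and Mailbox Import Export roles; treating delete_from_recovery as a second pass with -SearchDumpsterOnly is an assumption, not documented integration behavior.

```powershell
# Added example, not the integration's own script. Mirrors the Search/Delete
# Threat Email in Exchange activity: inputs search_query, operation and
# delete_from_recovery; output emailCount; result mapped to the exit conditions.
# Assumes on-premises Exchange with Search-Mailbox available (caller needs the
# Mailbox Search and Mailbox Import Export roles). The -SearchDumpsterOnly pass
# for delete_from_recovery is an assumption, not documented integration behavior.
function Invoke-ThreatEmailAction {
    param(
        [Parameter(Mandatory)] [string] $SearchQuery,                      # search_query (KQL syntax)
        [ValidateSet('search', 'delete')] [string] $Operation = 'search',  # operation
        [bool] $DeleteFromRecovery = $false                                # delete_from_recovery
    )
    try {
        # "Across all mailboxes": enumerate every mailbox on the server
        $mailboxes = Get-Mailbox -ResultSize Unlimited
        if ($Operation -eq 'search') {
            # Estimate only: counts matches without copying or deleting anything
            $results = @($mailboxes | Search-Mailbox -SearchQuery $SearchQuery -EstimateResultOnly)
        }
        else {
            # Deleted items land in each mailbox's Recoverable Items folder
            $results = @($mailboxes | Search-Mailbox -SearchQuery $SearchQuery -DeleteContent -Force)
            if ($DeleteFromRecovery) {
                # Second pass over Recoverable Items only, so matches cannot be restored by the user
                $results += @($mailboxes | Search-Mailbox -SearchQuery $SearchQuery -SearchDumpsterOnly -DeleteContent -Force)
            }
        }
        # emailCount: sum of the per-mailbox ResultItemsCount values (0 when nothing matched)
        $emailCount = [int](($results | Measure-Object -Property ResultItemsCount -Sum).Sum)
        $exit = if ($emailCount -gt 0) { 'Threat emails found' } else { 'No emails found' }
        return [pscustomobject]@{ emailCount = $emailCount; exitCondition = $exit; error = $null }
    }
    catch {
        # Any cmdlet failure (permissions, unreachable server, bad query) is the third exit condition
        return [pscustomobject]@{ emailCount = 0; exitCondition = 'Error executing at exchange'; error = $_.Exception.Message }
    }
}

# Constructed sample query: scoping to one sender and subject keeps the blast radius small
Invoke-ThreatEmailAction -SearchQuery 'from:"sender@example.com" AND subject:"Invoice overdue"' -Operation search
```

Run with -Operation search first: -EstimateResultOnly counts matches without modifying any mailbox, so the query can be validated before a delete pass is issued.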

Microsoft Exchange Capability Execution Tracking - Complete activity

The Capability Execution Tracking - Complete workflow activity updates the audit record when the workflow is complete.

The Capability Execution Tracking - Complete activity can be used with any workflow to record the completion of the workflow.

Results

Possible results for this activity are:

Table 7. Results
Success: The audit record state is updated to Complete.

Input variables

Input variables determine the initial behavior of the activity.

capabilityExecutionId: System identifier for the audit record. This field was the output from any of the Begin auditing activities.
workflowName: Name of the workflow. Supplied by the system.
message: Completion message.

Output variables

There are no output variables.

Microsoft Exchange Capability Execution Tracking - Failure activity

The Capability Execution Tracking - Failure workflow activity records a failure to the audit record.

The Capability Execution Tracking - Failure activity can be used with any workflow to record a failure condition.

Results

Possible results for this activity are:

Table 8. Results
Success: The audit record state is set to Error and a message indicating the error is recorded.

Input variables

Input variables determine the initial behavior of the activity.

capabilityExecutionId: System identifier for the audit record. This is the output from any of the Begin auditing activities.
errorMessage: Message indicating the reason for the failure.
workflowName: Name of the workflow. Supplied by the system.
workflowName Name of the workflow. Supplied by the system.

Output variables

There are no output variables.
