Security Operations email parsing
-
- UpdatedJan 30, 2025
- 3 minutes to read
- Yokohama
- Security Operations
Security Operations email parsing
Generate new Security Operations records from external detection systems using Email Parsing. This feature provides a method for integrating information from external tools such as malware detection, vulnerability detection, firewalls, threat intelligence, and more.
Any system that can send an email, can create Security Operations records, for example, security incidents, requests, vulnerable items, vulnerabilities, security incident observables, attack methods, and more.
All Security Operations plugins (Security Incident Response, Threat Intelligence, and Vulnerability Response) have a property (email_to) that defines the email address where external integrations should send emails to, to be parsed by the email parsers. See for more information.
Email sent to any of the Security Operations email addresses is stored in an email events table. These emails are processed to determine whether they match any email parser.
Emails that have a match are flagged and the transform and duplication rules create or
update a Security Operations record.
The email is linked to that record and flagged as matched
.
Emails that do not match are listed in Unmatched Emails as a Security Operations record. They can be reviewed to help build email parsers to handle these emails. A Reprocess action allows you to run the unmatched email through the parsers again. The original email log is linked to that record.
By default, email events are deleted after 30 days.
External detection systems (malware detectors, vulnerability, and so on) can send emails that report on multiple items at one time. The email parser supports separators within the email.
For example, a malware detector could send you an email report about all systems within your network infected by one particular malware with information about the malware first, followed by a list of the systems affected.

Field Transforms pull in data from each section. If something in the header or footer of the email applies to all records, such as Malware Hash, Malware Name, and Type in this example, the field transform for them should set Search for value to a value that searches within the email body either At the start of a line in the email body or Anywhere in the email body.
Field Transforms must be set to search At the start of a line within the record section or Sec for data that is defined within each section, such as System, IP address, or Status. The record section options are only available when there is a record separator defined within the email transform.
When parsing an email with a separator defined, records are only created for sections with at least one piece of section-specific data.
In this example, three records are created, even though there are four sections defined. The first section is a header, and it lacks anything specific to only one system. If any of the fields within the first section were filled in (System, IP, or Status), then a record would be created for that section, as well.
Related Content
- Create email parsers in Security Operations
Email Parsing creates Security Operations records from your email for security, vulnerability, and observables to expedite threat response and remediation.
- Security Operations enrichment data mapping
Enrichment Data Mapping transforms data from XML, JSON, or Properties files to ServiceNow records. Security Operations workflows use enrichment data maps and provide output data to security incidents.
- Security Operations field mapping
Security Operations tables can be mapped to and from other tables, linking a security incident to a customer service case or a problem to other parts of the Security Operations system.