With the Microsoft Exchange Online integration application from ServiceNow, the Now Platform® Security Incident Response (SIR) product is integrated with the Microsoft Exchange Online service, one of the cloud-based services in the Microsoft Office 365 suite of products. Your Security Operations Center (SOC) analysts can search your corporate email environment for security-related threats and remove and remediate phishing emails using the integration's email search and delete capabilities.
Overview
As the security incident analyst, you execute the integration from the security analyst interface, and the workflow returns details of the email messages that match your search criteria. Searches are based on criteria that include subject lines as well as sender and recipient email addresses. After the search completes, you can delete suspicious emails from the Microsoft Exchange Online service; an optional approval process can be configured so that approval is requested before any emails are deleted.
This email search and delete integration can be used with a broader phishing response incident
workflow or runbook. After a corporate user or employee receives a suspicious email and reports
it to the company's phishing response team or inbox, the reported email is forwarded to the Now Platform and categorized as a security
incident. After you have verified that an email is a phishing attack, as the analyst responsible for investigating phishing incidents, you can initiate an email search to determine whether other corporate users have received the same phishing email. The search allows you to locate related emails from the same phishing campaign and identify other potential victims who may have received the email, read it, and also potentially clicked a malicious URL or opened an attachment.
Key features
The integration includes the following key features:
- Configure search criteria for phishing threats in Security Incident Response based on
combinations of the sender, recipient, and subject fields on email messages.
- For large and lengthy email searches, the security incident analyst is notified via email
when the search has successfully completed, along with the number of matched messages.
- Status for individual messages informs you if recipients have read or deleted suspicious
emails.
- If configured, optional approval processes ensure that suspicious emails are not deleted
without prior approval.
- A complete audit trail for delete requests, including the number of deleted emails, is logged in the work notes of security incidents.
- If tagging is configured, security tags record when email search and delete workflows are
initiated and successfully completed on security incidents.
Supported Microsoft Exchange Online versions
This integration supports the Microsoft Exchange Online service, which is part of the Microsoft Office 365 suite. The integration does not support hosted Microsoft Exchange environments. Microsoft runs the Microsoft Exchange Online service on the Exchange 2016 version.
Supported Now Platform versions
This integration supports the Kingston, London, Madrid, and New York releases of the Now Platform.
Madrid and later release requirements
For the Madrid release and later family releases, the com.snc.si_dep plugin is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before installing and activating the other Security Operations applications.
The following Security Operations applications must be installed and activated from the ServiceNow Store. Install and then activate one application at a time, in the order listed below, to ensure a smooth installation:
- Security Integration Framework
- Security Support Common
- Security Support Orchestration
- Security Incident Response
Checklist
The following topics are numbered. Follow them in the order in which they are presented for a smooth installation and configuration of the application.
For a printable checklist of these steps, see Checklist for the Microsoft Exchange Online integration. You can use this list to monitor your progress as you work through the end-to-end tasks of integration setup, configuration, and verification of results.