
Administration Guide

Appendix A – Setting up an Email Feed for Open Ticket

The Open Ticket feature enables you to send events to an event-management tool such as Jira or ServiceNow.

In order for the Open Ticket feature to work properly, you must set up a receiving email feed in the event-management tool to be used. This appendix provides an example that describes how to set up the required email feed in ServiceNow.

To set up an email feed in ServiceNow:
  1. Launch ServiceNow.
  2. In the window that opens, select System Properties > Email Properties. The following window displays:

  3. In the Inbound Email Configuration area, check the Email receiving enabled checkbox.

  4. In the left pane, select System Security > Users and Groups > Users. The following window displays:

  5. Click the button to create a new user. The following window displays:

  6. In the Email field, enter the email address of the FortiEDR messaging system. This email address is specified in the Email Address field of the FortiEDR Open Ticket settings, which can be accessed by selecting Administration > Export Settings in the FortiEDR user interface, as shown below:

  7. In the left pane, select System Policy > Email > Inbound Actions. The following window displays:

  8. Click the blue button to create new inbound email actions. The following window displays:

  9. Fill in the following fields in this window:

    Field             Definition
    Name              Enter a free-text name for the inbound email feed. For example, Fortinet inbound email.
    Target table      Select Incident [incident] in the dropdown list.
    Action type       Select Record Action in the dropdown list.
    Active            Check this checkbox to select it.
    Stop Processing   Check this checkbox to select it.
  10. In this window, select the When to run tab and then in the From field, select the FortiEDR user created in step 6.

  11. Select the Actions tab and then paste the provided JavaScript (see below) into the email body. You can modify this script, as needed.

    The JavaScript includes the following code:

    // Note: current.opened_by is already set to the first UserID that matches the From: email address
    current.caller_id = gs.getUserID();
    current.comments = "received from: " + email.origemail + "\n\n" + email.body_text;
    current.short_description = email.subject;
    current.category = "request";
    current.incident_state = 1;
    current.notify = 2;
    current.contact_type = "email";

    // Set highest impact and urgency for emails from the FortiEDR (enSilo) messaging address
    if (email.origemail == "DoNotReply@ensilo.com") {
        current.impact = 1;
        current.urgency = 1;
    }

    // Optional overrides carried in the email body or headers
    if (email.body.assign != undefined)
        current.assigned_to = email.body.assign;

    if (email.importance != undefined) {
        if (email.importance.toLowerCase() == "high")
            current.priority = 1;
    }

    if (email.body.priority != undefined)
        current.priority = email.body.priority;

    // Parsing fields from message body example: each value runs from the end of its label
    // ("Severity:" is 9 characters, "Classification:" is 15) up to the next label
    var severityStart = email.body_text.indexOf('Severity:') + 9;
    var classificationStart = email.body_text.indexOf('Classification:') + 15;
    var destinationStart = email.body_text.indexOf('Destinations:');

    var severity = email.body_text.slice(severityStart, classificationStart - 15);
    var classification = email.body_text.slice(classificationStart, destinationStart);
    // severity and classification can now be assigned to incident fields as needed
    current.insert();
  12. When pasting in the JavaScript, make sure that:
    • The email address compared in the script (DoNotReply@ensilo.com in the example above, highlighted in yellow in the original) is the same as the one specified in the Email Address field of the FortiEDR Open Ticket settings (see step 6).
    • You set the current.impact and current.urgency fields (highlighted in light blue in the original, inside the block that checks the sender address) to the impact and urgency values you want ServiceNow to use.

      Various types of information can be extracted from the email sent by FortiEDR. For example, the lines under the "parsing fields from message body example" comment (highlighted in pink in the original) show how to extract the Classification value of the event from the email body.

  13. Click the Submit button in the ServiceNow window. This completes the email feed setup.

    When FortiEDR sends an email to ServiceNow, a JSON file is attached to it. This JSON file contains the raw data for the event. Once received, you should save this raw data to the ticket.

    The following script shows an example of parsing fields from the attached JSON file and saving the event ID to the ticket:

    // Parsing fields from attachment example
    if (sys_email.hasAttachments()) {
        // Find the attachments that belong to this inbound sys_email record
        var att = new GlideRecord("sys_attachment");
        att.addEncodedQuery("table_name=sys_email^table_sys_id=" + sys_email.getValue("sys_id"));
        att.query();
        while (att.next()) {
            if (att.file_name == "event.json") {
                // Read the raw bytes of the attachment, convert them to a string and parse the JSON
                var sa = new GlideSysAttachment();
                var binData = sa.getBytes(att);
                var strData = String(new Packages.java.lang.String(binData));
                var parser = new JSONParser();
                var parsed = parser.parse(strData);
                // Assigning current.comments replaces any comment value set earlier in the script
                current.comments = "EventId from JSON: " + parsed.EventId;
            }
        }
    }

    The following shows how an event appears when received in ServiceNow, after being sent from FortiEDR:
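    The inbound action scripts above slice the body with indexOf() offsets, which silently produce wrong values when a label such as "Classification:" is missing (indexOf() returns -1), and JSONParser throws on a malformed attachment. The following is an added example, not code from the FortiEDR guide or from ServiceNow, written as plain JavaScript so it can be tested outside the platform; the severity-to-impact mapping, the sample body and the attachment contents are assumptions, with only the EventId key taken from the guide's script.

```javascript
// Added example (not from the FortiEDR guide or ServiceNow): defensive body/attachment parsing.

// Labels used by the guide's script. Their order in the body is not assumed.
var FORTIEDR_LABELS = {
  severity: 'Severity:',
  classification: 'Classification:',
  destinations: 'Destinations:'
};

// Each value runs from its label to the next label present (or end of text).
// An absent label yields null instead of a slice built from indexOf() === -1.
function parseFortiEdrBody(bodyText, labels) {
  var text = String(bodyText);
  var found = [];
  var fields = {};
  for (var key in labels) {
    fields[key] = null;
    var pos = text.indexOf(labels[key]);
    if (pos !== -1) {
      found.push({ key: key, start: pos, valueStart: pos + labels[key].length });
    }
  }
  found.sort(function (a, b) { return a.start - b.start; });
  for (var i = 0; i < found.length; i++) {
    var end = i + 1 < found.length ? found[i + 1].start : text.length;
    fields[found[i].key] = text.slice(found[i].valueStart, end).trim();
  }
  return fields;
}

// Severity to ServiceNow impact/urgency (1 = high, 3 = low). This mapping is an
// assumption for the example; the guide sets both to 1 for every FortiEDR email.
function impactUrgencyFromSeverity(severity) {
  var s = (severity || '').toLowerCase();
  if (s === 'critical' || s === 'high') return { impact: 1, urgency: 1 };
  if (s === 'medium') return { impact: 2, urgency: 2 };
  return { impact: 3, urgency: 3 };
}

// Parse the event.json attachment text; malformed JSON yields null so the
// incident can still be created from the body alone.
function parseEventAttachment(jsonText) {
  try { return JSON.parse(String(jsonText)); } catch (e) { return null; }
}

// Constructed sample input (not a real FortiEDR message); only EventId comes from the guide.
var SAMPLE_BODY = 'Severity: High\nClassification: Malicious\nDestinations: 203.0.113.5\n';
var SAMPLE_ATTACHMENT = '{"EventId": 12345}';
```

    Inside an inbound action, parseFortiEdrBody(email.body_text, FORTIEDR_LABELS) and parseEventAttachment(strData) would replace the indexOf()/slice() and JSONParser lines, and the returned values can be assigned to current.impact, current.urgency and current.comments.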
