Final verdict generation for User Reported Phishing
Security Incident Response teams can now drive the finalized verdict for a user reported phishing record based on results from predictive intelligence and threat enrichment integrations.
This final verdict generation is enabled through a decision table construct and leveraged within a flow.
Prerequisites
Ensure that all the plugins listed in Required components and plugins have been installed.
Navigate to .
The Decision Inputs tab shows the different conditions that were evaluated to arrive at the final verdict.
The following conditions are available with the base system:
- Predicted as suspicious: When predictive intelligence has classified the user reported phishing email as suspicious.
- At least one observable is malicious: When an observable involved in the security incident (for example, a URL, domain, IP, or hash) has been classified as malicious by threat intelligence sources.
- Observable enrichment are suspect: When enrichment data on the observables (for example, the recency or country of the phishing domain's registration) is deemed suspect.
- Sender domain is spoofed: When the phisher's email domain is suspected of spoofing a trusted domain.
- Sender name is spoofed: When the phisher's email address is suspected of spoofing a trusted employee of the organization.
The Decisions tab shows the final verdict options that can be arrived at for a given security incident.
- Confirmed Phish: The evaluated conditions indicate a confirmed phishing email.
- Likely Phish: The evaluated conditions indicate a potential phishing attempt.
- Likely Benign: The evaluated conditions indicate a benign submission.
You can see the conditions that were evaluated for each of the final verdict options. Select the Label link to see the conditions.
You can customize the decision table provided with the base system or create your own decision table. This decision table can be leveraged in security incident response playbooks. The Generate Final Verdict for Phishing Security Incidents subflow is available with the base system. This subflow automatically generates the final verdict for a phishing security incident and applies a security tag based on that decision. You can include this subflow as part of the Automated Phishing playbook. The subflow takes the following inputs:
- incident_id: The sys ID of the phishing security incident.
- c_level_names: Comma-separated list of names (for example, names of executives in the organization) likely being spoofed in the phishing attack.
- trusted_domains: Comma-separated list of trusted email domains.
- enrichment_keywords: Comma-separated list of keywords that indicate the maliciousness of the observable in enrichment results.
- sender_email (optional): The email address of the sender of the phishing email.
The output of this subflow is one of Confirmed Phish, Likely Phish, or Likely Benign.
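As an added illustration (not ServiceNow's own code), the following plain-JavaScript model evaluates the five decision inputs listed above from the subflow's inputs and maps them to the three verdicts. The spoofing heuristics (edit distance for look-alike domains, executive display name from an untrusted domain) and the condition-to-verdict mapping in finalVerdict() are assumptions for illustration; the base-system decision table's actual rules are visible only via the Label link in the instance.

```javascript
// Added example (not ServiceNow's own code): plain-JS model of the decision table above,
// using the page's condition names. The verdict mapping and spoofing heuristics are ASSUMPTIONS.
const csv = s => s.split(",").map(x => x.trim().toLowerCase()).filter(Boolean);
const domainOf = email => email.split("@")[1].toLowerCase();
// Levenshtein distance, used to catch look-alike domains such as "examp1e.com".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}
// "Sender domain is spoofed": untrusted domain within two edits of a trusted one (assumed).
function senderDomainSpoofed(senderEmail, trusted) {
  const domain = domainOf(senderEmail);
  return !trusted.includes(domain) && trusted.some(t => editDistance(domain, t) <= 2);
}
// "Sender name is spoofed": display name of a listed executive, sent from an untrusted domain.
function senderNameSpoofed(senderName, senderEmail, cLevel, trusted) {
  return cLevel.includes(senderName.trim().toLowerCase()) &&
    !trusted.includes(domainOf(senderEmail));
}
// Evaluate the five decision inputs; p mirrors the subflow inputs (comma-separated strings).
function decisionInputs(incident, p) {
  const trusted = csv(p.trusted_domains), kw = csv(p.enrichment_keywords);
  return {
    predictedSuspicious: incident.predictedClass === "suspicious",
    observableMalicious: incident.observables.some(o => o.verdict === "malicious"),
    enrichmentSuspect: incident.observables.some(o =>
      o.enrichment.some(e => kw.some(k => e.toLowerCase().includes(k)))),
    domainSpoofed: senderDomainSpoofed(p.sender_email, trusted),
    nameSpoofed: senderNameSpoofed(incident.senderName, p.sender_email,
      csv(p.c_level_names), trusted),
  };
}
// ASSUMED mapping of the evaluated conditions to the three verdicts the page lists.
function finalVerdict(i) {
  if (i.observableMalicious || (i.predictedSuspicious && (i.domainSpoofed || i.nameSpoofed)))
    return "Confirmed Phish";
  return Object.values(i).some(Boolean) ? "Likely Phish" : "Likely Benign";
}
// Constructed sample: an executive's display name sent from a look-alike domain.
const sampleIncident = { predictedClass: "suspicious", senderName: "Jane Doe",
  observables: [{ value: "http://examp1e.com/login", verdict: "unknown",
                  enrichment: ["domain registered 3 days ago"] }] };
const sampleParams = { c_level_names: "Jane Doe, John Roe", trusted_domains: "example.com",
  enrichment_keywords: "days ago, newly registered", sender_email: "jane.doe@examp1e.com" };
console.log(finalVerdict(decisionInputs(sampleIncident, sampleParams)));  // Confirmed Phish
```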