Final verdict generation for User Reported Phishing

  • Release version: Australia
  • Updated March 12, 2026

    Security Incident Response teams can now derive the final verdict for a user reported phishing record from the results of predictive intelligence and threat enrichment integrations.

    The final verdict is produced by a decision table and applied within a flow.

    Prerequisites

    Ensure that all the plugins listed in Required components and plugins have been installed.

    Navigate to Predictive Intelligence for Phishing > Final Verdict > Final Verdict for Phishing Security Incident.

    The Decision Inputs tab shows the different conditions that were evaluated to arrive at the final verdict.

    The following conditions are available with the base system:

    • Predicted as suspicious: When predictive intelligence has classified the user reported phishing email as suspicious.
    • At least one observable is malicious: When an observable involved in the security incident (For example, a URL, domain, IP address, or hash) has been classified as malicious by threat intelligence sources.
    • Observable enrichment are suspect: When the enrichment data for an observable (For example, how recently the phishing domain was registered, or the country it was registered in) is deemed suspect.
    • Sender domain is spoofed: When the sender’s email domain is suspected of impersonating a trusted domain (For example, a look-alike of one of the trusted domains).
    • Sender name is spoofed: When the sender’s display name or address is suspected of impersonating a trusted employee of the organization (For example, an executive).

    The Decisions tab shows the final verdict options that can be arrived at for a given security incident.

    The following decisions are available with the base system:
    • Confirmed Phish: When the conditions have led to the final verdict as being a confirmed phishing email.
    • Likely Phish: When the conditions have led to the final verdict as a potential phishing attempt.
    • Likely Benign: When the conditions have led to the final verdict as a benign submission.

    You can see the conditions that were evaluated for each of the final verdict options. Select the Label link to see the conditions.

    You can customize the decision table provided with the base system or create your own. The decision table can be used in security incident response playbooks through the Generate Final Verdict for Phishing Security Incidents subflow, which is available with the base system. This subflow generates the final verdict for a phishing security incident and applies a security tag based on that decision. You can include the subflow in the Automated Phishing playbook.

    The inputs for this subflow are:
    • incident_id: The sys ID of the phishing security incident.
    • c_level_names: Comma separated list of names (For example, names of executives in the organization) likely being spoofed in the phishing attack.
    • trusted_domains: Comma separated list of trusted email domains.
    • enrichment_keywords: Comma separated list of keywords that indicate the maliciousness of the observable from enrichment results.
    • sender_email (optional): The email address of the sender of the phishing email.

    The output of this subflow is one of Confirmed Phish, Likely Phish, or Likely Benign.
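As an added example (not ServiceNow code, and not the decision table that ships with the base system), the following stand-alone JavaScript models how the subflow inputs listed above can drive the five base-system decision inputs, and how an ordered, first-match decision table turns those inputs into one of the three verdicts. Everything specific in it is an assumption made for illustration: the constructed sample incident and its sys_id lookup map (standing in for the incident record the real subflow reads via incident_id), the edit-distance look-alike test behind "Sender domain is spoofed", the display-name match behind "Sender name is spoofed", the keyword match against enrichment text, and the verdict rows themselves.

```javascript
// Added example: stand-alone model of the "Final Verdict for Phishing Security
// Incident" decision inputs and decision table. Not ServiceNow code; the
// incident lookup, the spoof heuristics and the verdict rows are assumptions.

// Constructed sample records keyed by sys_id (stands in for the incident
// record the real subflow reads via incident_id).
const SAMPLE_INCIDENTS = {
  "0123456789abcdef0123456789abcdef": {
    predictive_intelligence_class: "suspicious",   // classifier output (assumed field)
    sender_email: "jane.doe@examp1e.com",          // look-alike: "l" swapped for "1"
    sender_name: "Jane Doe",
    observables: [
      { type: "domain", value: "examp1e.com", malicious: false,
        enrichment: "Registered 3 days ago; registrar privacy proxy; newly observed domain" },
      { type: "url", value: "https://examp1e.com/login", malicious: false, enrichment: "" },
    ],
  },
};

// Comma-separated subflow input -> trimmed, lower-cased list.
function parseList(csv) {
  return (csv || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

function domainOf(email) {
  const at = email.lastIndexOf("@");
  return at === -1 ? "" : email.slice(at + 1).toLowerCase();
}

// Levenshtein distance; used here as an (assumed) look-alike test for sender domains.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Evaluate the five base-system decision inputs for one incident.
function evaluateDecisionInputs(incident, inputs) {
  const trusted = parseList(inputs.trusted_domains);
  const cLevel = parseList(inputs.c_level_names);
  const keywords = parseList(inputs.enrichment_keywords);
  // sender_email is optional; fall back to the address stored on the incident.
  const sender = (inputs.sender_email || incident.sender_email || "").toLowerCase();
  const senderDomain = domainOf(sender);
  const senderTrusted = trusted.includes(senderDomain);

  return {
    predicted_suspicious: incident.predictive_intelligence_class === "suspicious",
    observable_malicious: incident.observables.some(o => o.malicious === true),
    enrichment_suspect: incident.observables.some(o =>
      keywords.some(k => (o.enrichment || "").toLowerCase().includes(k))),
    // Within edit distance 2 of a trusted domain, but not a trusted domain itself.
    sender_domain_spoofed: !senderTrusted && senderDomain !== "" &&
      trusted.some(t => editDistance(senderDomain, t) <= 2),
    // Display name matches a listed executive, but the mail is not from a trusted domain.
    sender_name_spoofed: !senderTrusted &&
      cLevel.includes((incident.sender_name || "").trim().toLowerCase()),
  };
}

// Decision table: ordered rows, first match wins. These rows are an ASSUMPTION
// for illustration; the base-system table is customisable.
const DECISION_TABLE = [
  { label: "Confirmed Phish", when: c => c.observable_malicious },
  { label: "Confirmed Phish", when: c => c.predicted_suspicious &&
      (c.sender_domain_spoofed || c.sender_name_spoofed) },
  { label: "Likely Phish", when: c => c.predicted_suspicious || c.enrichment_suspect ||
      c.sender_domain_spoofed || c.sender_name_spoofed },
  { label: "Likely Benign", when: () => true },
];

// Mirrors the subflow: resolve incident_id, evaluate the inputs, pick a verdict.
function generateFinalVerdict(inputs, incidents = SAMPLE_INCIDENTS) {
  const incident = incidents[inputs.incident_id];
  if (!incident) throw new Error("unknown incident_id: " + inputs.incident_id);
  const conditions = evaluateDecisionInputs(incident, inputs);
  const row = DECISION_TABLE.find(r => r.when(conditions));
  return { verdict: row.label, conditions };
}

console.log(JSON.stringify(generateFinalVerdict({
  incident_id: "0123456789abcdef0123456789abcdef",
  c_level_names: "Jane Doe, John Smith",
  trusted_domains: "example.com",
  enrichment_keywords: "newly observed, privacy proxy, malware",
}), null, 2));
```

Two points worth carrying over to a real decision table: the verdict is returned together with the evaluated conditions, which is what makes the Decision Inputs tab useful for an analyst reviewing the call; and the spoof heuristics are deliberately conservative about trusted senders, since a message that really did come from a trusted domain must not be tagged as spoofed just because the display name matches an executive. The fixed edit-distance threshold is the weakest assumption here: for short domains it will flag unrelated registrable names, so a production rule would also look at registration age or homoglyph substitutions rather than distance alone.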