Final verdict generation for User Reported Phishing

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read

    Security Incident Response teams can now generate the final verdict for a user-reported phishing record based on the results of predictive intelligence and threat enrichment integrations.

    The final verdict is generated by a decision table that is evaluated from within a flow.

    Prerequisites

    Ensure that all the plugins listed in Required components and plugins have been installed.

    Navigate to Predictive Intelligence for Phishing > Final Verdict > Final Verdict for Phishing Security Incident.

    The Decision Inputs tab shows the different conditions that were evaluated to arrive at the final verdict.


    Figure: User Reported Phishing: ML Config: Decision Inputs
    The following conditions are available with the base system:
    • Predicted as suspicious: Predictive intelligence has classified the user-reported phishing email as suspicious.
    • At least one observable is malicious: An observable involved in the security incident (for example, a URL, domain, IP address, or hash) has been classified as malicious by threat intelligence sources.
    • Observable enrichments are suspect: Enrichment results for the observables (for example, how recently the phishing domain was registered, or the country in which it was registered) are deemed suspect.
    • Sender domain is spoofed: The phisher’s email domain is suspected of spoofing a trusted domain.
    • Sender name is spoofed: The phisher’s email address is suspected of spoofing a trusted employee of the organization.

    The Decisions tab shows the final verdict options that can be arrived at for a given security incident.


    Figure: User Reported Phishing: ML Config: Decisions
    The following decisions are available with the base system:
    • Confirmed Phish: The evaluated conditions establish that the submission is a confirmed phishing email.
    • Likely Phish: The evaluated conditions indicate a potential phishing attempt.
    • Likely Benign: The evaluated conditions indicate a benign submission.

    To see the conditions that were evaluated for each final verdict option, click the Label link.

    Figure: User Reported Phishing: ML Config: Decision

    You can customize the decision table provided with the base system or create your own. The decision table can be used in security incident response playbooks. The Generate Final Verdict for Phishing Security Incidents subflow, available with the base system, automatically generates the final verdict for a phishing security incident and applies a security tag based on that decision. You can include this subflow in the Automated Phishing playbook.

    The inputs for this subflow are:
    • incident_id: The sys ID of the phishing security incident.
    • c_level_names: Comma-separated list of names (for example, the names of executives in the organization) that are likely to be spoofed in the phishing attack.
    • trusted_domains: Comma-separated list of trusted email domains.
    • enrichment_keywords: Comma-separated list of keywords in enrichment results that indicate an observable is malicious.
    • sender_email (optional): The email address of the sender of the phishing email.

    The output of this subflow is one of Confirmed Phish, Likely Phish, or Likely Benign.


    Figure: User Reported Phishing: ML Config: Phishing subflow
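The following JavaScript is an added example, not ServiceNow's subflow or decision table code. It shows how the five decision inputs listed under the Decision Inputs tab can be derived from the subflow inputs described above (c_level_names, trusted_domains, enrichment_keywords, sender_email) and then run through a first-match decision table that yields Confirmed Phish, Likely Phish, or Likely Benign and a security tag. The look-alike and display-name spoofing heuristics, the table rows, the tag text, the sample incident and the `generateFinalVerdict`, `deriveDecisionInputs` and `evaluateDecisionTable` names are all assumptions made for illustration; the page does not list the base system's actual rules.

```javascript
'use strict';

// Constructed sample values mirroring the subflow inputs described on the page.
const SAMPLE_INPUTS = {
  incident_id: 'PLACEHOLDER_SYS_ID',            // hypothetical sys_id of the security incident
  c_level_names: 'Jane Doe, Rahul Mehta',
  trusted_domains: 'example.com, example.org',
  enrichment_keywords: 'newly registered, malicious, phishing',
  sender_email: 'Jane Doe <ceo@examp1e.com>',   // look-alike of example.com, constructed
};

// Constructed results that the flow would have obtained from predictive
// intelligence and threat enrichment before the decision table runs.
const SAMPLE_CONTEXT = {
  predicted_suspicious: true,
  observable_verdicts: ['unknown', 'suspicious'],
  enrichment_text: 'Domain registered 3 days ago; newly registered domain',
};

function splitList(csv) {
  return csv.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Parse "Display Name <user@domain>" or a bare "user@domain" address.
function parseSender(sender) {
  const m = /^(?:(.*?)\s*<)?([^<>\s]+)@([^<>\s]+?)>?$/.exec(sender.trim());
  if (!m) return { name: '', address: '', domain: '' };
  return { name: (m[1] || '').replace(/"/g, '').trim(), address: m[2], domain: m[3] };
}

// Levenshtein distance (single-row DP); used for the look-alike domain heuristic.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Derive the five decision inputs from the subflow inputs plus prior results.
function deriveDecisionInputs(inputs, context) {
  const trusted = splitList(inputs.trusted_domains);
  const names = splitList(inputs.c_level_names);
  const keywords = splitList(inputs.enrichment_keywords);
  const sender = parseSender(inputs.sender_email || '');
  const domain = sender.domain.toLowerCase();
  const fromTrusted = trusted.includes(domain);
  // Assumed heuristic: one edit away from a trusted domain, or a trusted domain
  // embedded in an untrusted one (e.g. example.com.evil.test).
  const senderDomainSpoofed = !fromTrusted && domain !== '' &&
    trusted.some((t) => editDistance(domain, t) === 1 || domain.includes(t));
  // Assumed heuristic: display name matches a listed executive but the mail
  // does not come from a trusted domain.
  const senderNameSpoofed = !fromTrusted && names.includes(sender.name.toLowerCase());
  const enrichment = context.enrichment_text.toLowerCase();
  return {
    predicted_suspicious: Boolean(context.predicted_suspicious),
    observable_malicious: context.observable_verdicts.some((v) => v.toLowerCase() === 'malicious'),
    enrichment_suspect: keywords.some((k) => enrichment.includes(k)),
    sender_domain_spoofed: senderDomainSpoofed,
    sender_name_spoofed: senderNameSpoofed,
  };
}

// Hypothetical decision table: rows are checked in order and the first row
// whose conditions all hold wins; the default answer is Likely Benign.
const DECISION_TABLE = [
  { label: 'Malicious observable', when: { observable_malicious: true }, verdict: 'Confirmed Phish' },
  { label: 'Predicted and domain spoofed', when: { predicted_suspicious: true, sender_domain_spoofed: true }, verdict: 'Confirmed Phish' },
  { label: 'Predicted and name spoofed', when: { predicted_suspicious: true, sender_name_spoofed: true }, verdict: 'Confirmed Phish' },
  { label: 'Predicted suspicious', when: { predicted_suspicious: true }, verdict: 'Likely Phish' },
  { label: 'Suspect enrichment', when: { enrichment_suspect: true }, verdict: 'Likely Phish' },
  { label: 'Domain spoofed', when: { sender_domain_spoofed: true }, verdict: 'Likely Phish' },
  { label: 'Name spoofed', when: { sender_name_spoofed: true }, verdict: 'Likely Phish' },
];

function evaluateDecisionTable(decisionInputs, table = DECISION_TABLE) {
  for (const row of table) {
    if (Object.entries(row.when).every(([k, v]) => decisionInputs[k] === v)) {
      return { verdict: row.verdict, label: row.label };
    }
  }
  return { verdict: 'Likely Benign', label: 'Default' };
}

// End-to-end: derive inputs, evaluate the table, and build the security tag
// (tag text is an assumption; the page only says a tag is applied).
function generateFinalVerdict(inputs, context) {
  const decisionInputs = deriveDecisionInputs(inputs, context);
  const decision = evaluateDecisionTable(decisionInputs);
  return { incident_id: inputs.incident_id, decision_inputs: decisionInputs, ...decision,
           security_tag: 'Phishing Verdict: ' + decision.verdict };
}

console.log(JSON.stringify(generateFinalVerdict(SAMPLE_INPUTS, SAMPLE_CONTEXT), null, 2));
```

The `label` returned with the verdict plays the role of the Label link on the Decisions tab: it names the row whose conditions produced the decision, so an analyst can see why a record was tagged. Rows are ordered from strongest to weakest evidence because only the first match counts, which is the property to check when customizing a table of this kind.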