Final verdict generation for User Reported Phishing
Summary of Final verdict generation for User Reported Phishing
ServiceNow’s Security Incident Response now enables teams to automatically generate a final verdict for user reported phishing incidents. This capability uses predictive intelligence and threat enrichment data, processed through a configurable decision table and integrated within an automated flow. It simplifies and standardizes how phishing reports are validated and classified, enhancing incident response effectiveness.
Key Features
- Decision Table Framework: Evaluates multiple conditions such as predictive intelligence classification, malicious observables (URL, domain, IP, hash), enrichment suspicions, and spoofing of sender domain or name to determine the final verdict.
- Predefined Conditions: Includes base system conditions like “Predicted as suspicious,” “At least one observable is malicious,” “Observable enrichment are suspect,” “Sender domain is spoofed,” and “Sender name is spoofed” to guide verdict decisions.
- Final Verdict Options: Provides three outcome categories—Confirmed Phish, Likely Phish, and Likely Benign—reflecting the confidence level in the phishing assessment.
- Customization: Allows modification of the default decision table or creation of new ones to fit organizational needs and threat models.
- Automated Subflow: The “Generate Final Verdict for Phishing Security Incidents” subflow integrates this verdict generation into workflows and playbooks, automatically tagging incidents based on the decision.
- Subflow Inputs: Requires incident identifier, lists of likely spoofed executives, trusted domains, enrichment keywords indicating maliciousness, and optionally the sender’s email to tailor analysis.
Practical Benefits for ServiceNow Customers
- Streamlines phishing incident validation by leveraging automated intelligence and enrichment data, reducing manual effort and response times.
- Enables consistent and repeatable verdicts through configurable decision logic, ensuring reliable threat classification across the organization.
- Integrates seamlessly with existing security workflows using the provided subflow, allowing customers to embed verdict generation within their automated Security Incident Response playbooks.
- Supports customization to adapt to evolving phishing tactics and organizational policies, enhancing detection accuracy.
To utilize this capability, ensure all required plugins are installed and configure the decision tables as needed. Incorporate the subflow into your phishing response playbooks to automate verdict assignment and tagging, improving incident management efficiency.
Security Incident Response teams can now derive the final verdict for a user reported phishing record from the results of predictive intelligence and threat enrichment integrations.
Final verdict generation is implemented as a decision table and is invoked from within a flow.
Prerequisites
Ensure that all the plugins listed in Required components and plugins have been installed.
Navigate to .
The Decision Inputs tab shows the different conditions that were evaluated to arrive at the final verdict.
The following conditions are available with the base system:
- Predicted as suspicious: When predictive intelligence has classified the user reported phishing email as suspicious.
- At least one observable is malicious: When an observable involved in the security incident (For example, URL, domain, IP, or hash) has been classified as malicious by a threat intelligence source.
- Observable enrichment are suspect: When enrichment data on the observables (For example, how recently the phishing domain was registered, or the country in which it was registered) is deemed suspect.
- Sender domain is spoofed: When the phisher’s email domain is suspected of spoofing a trusted domain.
- Sender name is spoofed: When the phisher’s email address or display name is suspected of spoofing a trusted employee of the organization.
The Decisions tab shows the final verdict options that can be arrived at for a given security incident.
- Confirmed Phish: When the conditions have led to the final verdict as being a confirmed phishing email.
- Likely Phish: When the conditions have led to the final verdict as a potential phishing attempt.
- Likely Benign: When the conditions have led to the final verdict as a benign submission.
You can see the conditions that were evaluated for each of the final verdict options. Select the Label link to see the conditions.
You can customize the decision table provided with the base system or create your own decision table. This decision table can be leveraged in security incident response playbooks. The Generate Final Verdict for Phishing Security Incidents subflow is available with the base system. This subflow automatically generates the final verdict for a phishing security incident and applies a security tag based on that decision. You can include this subflow as part of the Automated Phishing playbook. The subflow takes the following inputs:
- incident_id: The sys ID of the phishing security incident.
- c_level_names: Comma separated list of names (For example, names of executives in the organization) likely being spoofed in the phishing attack.
- trusted_domains: Comma separated list of trusted email domains.
- enrichment_keywords: Comma separated list of keywords that indicate the maliciousness of the observable from enrichment results.
- sender_email (optional): The email address of the sender of the phishing email.
The output of this subflow is one of Confirmed Phish, Likely Phish, or Likely Benign.
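The following is an added, stand-alone model of the decision logic described above (the five base conditions and the three verdicts) driven by the same inputs the subflow takes. It is example code written for this page, not ServiceNow platform code: the way each condition is computed from the incident record, the rule rows in the table, the security tag names, the incident records and the `sys_id` values are all assumptions made for illustration. The base-system table's actual rows are visible only through the Label links in the instance and are not reproduced here.

```javascript
// Added example (not ServiceNow code): a model of the phishing verdict decision table.
// Condition derivation, rule rows, tag names and sample data are assumptions.

const VERDICT = { CONFIRMED: "Confirmed Phish", LIKELY: "Likely Phish", BENIGN: "Likely Benign" };

// Hypothetical security tag applied for each verdict (names are assumed).
const TAG_FOR_VERDICT = {
  [VERDICT.CONFIRMED]: "Phishing - Confirmed",
  [VERDICT.LIKELY]: "Phishing - Likely",
  [VERDICT.BENIGN]: "Phishing - Benign",
};

// Rows are evaluated top to bottom; the first row whose listed conditions all
// match wins. A condition not listed in a row is "don't care". (Assumed rows.)
const DECISION_TABLE = [
  { when: { malicious: true }, verdict: VERDICT.CONFIRMED },
  { when: { predicted: true, domainSpoof: true }, verdict: VERDICT.CONFIRMED },
  { when: { predicted: true, nameSpoof: true }, verdict: VERDICT.CONFIRMED },
  { when: { domainSpoof: true, nameSpoof: true }, verdict: VERDICT.CONFIRMED },
  { when: { predicted: true }, verdict: VERDICT.LIKELY },
  { when: { enrichment: true }, verdict: VERDICT.LIKELY },
  { when: { domainSpoof: true }, verdict: VERDICT.LIKELY },
  { when: { nameSpoof: true }, verdict: VERDICT.LIKELY },
  { when: {}, verdict: VERDICT.BENIGN }, // default row
];

// Subflow inputs are comma separated strings; normalise them to lowercase lists.
const csvList = (s) => (s || "").split(",").map((x) => x.trim().toLowerCase()).filter(Boolean);

function domainOf(email) {
  const at = (email || "").lastIndexOf("@");
  return at < 0 ? "" : email.slice(at + 1).toLowerCase();
}

// Levenshtein distance, used to catch look-alike domains such as examp1e.com.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// "Sender domain is spoofed": not a trusted domain, but a near match of one
// (small edit distance, or the trusted domain's first label embedded in it).
function isDomainSpoofed(senderEmail, trustedDomains) {
  const dom = domainOf(senderEmail);
  if (!dom || trustedDomains.includes(dom)) return false;
  return trustedDomains.some((t) => {
    const label = t.split(".")[0];
    return editDistance(dom, t) <= 2 || (label.length >= 4 && dom.includes(label));
  });
}

// "Sender name is spoofed": display name or local part matches a protected
// name (c_level_names) while the mail comes from an untrusted domain.
function isNameSpoofed(senderEmail, displayName, cLevelNames, trustedDomains) {
  const dom = domainOf(senderEmail);
  if (!dom || trustedDomains.includes(dom)) return false;
  const norm = (s) => (s || "").toLowerCase().replace(/[._\-]+/g, " ").replace(/\s+/g, " ").trim();
  const local = norm(senderEmail.slice(0, senderEmail.lastIndexOf("@")));
  const name = norm(displayName);
  return cLevelNames.some((n) => n === name || local.includes(n));
}

// Evaluate the five base conditions from an incident record and the subflow inputs.
function evaluateConditions(incident, inputs) {
  const trusted = csvList(inputs.trusted_domains);
  const names = csvList(inputs.c_level_names);
  const keywords = csvList(inputs.enrichment_keywords);
  const sender = inputs.sender_email || incident.sender_email || ""; // sender_email is optional
  const enrichmentText = incident.observables.map((o) => (o.enrichment || "").toLowerCase()).join("\n");
  return {
    predicted: incident.predicted_classification === "suspicious",
    malicious: incident.observables.some((o) => o.ti_verdict === "malicious"),
    enrichment: keywords.some((k) => enrichmentText.includes(k)),
    domainSpoof: isDomainSpoofed(sender, trusted),
    nameSpoof: isNameSpoofed(sender, incident.sender_name, names, trusted),
  };
}

function generateFinalVerdict(incident, inputs) {
  const conditions = evaluateConditions(incident, inputs);
  const row = DECISION_TABLE.find((r) => Object.entries(r.when).every(([k, v]) => conditions[k] === v));
  return { incident_id: incident.sys_id, conditions, verdict: row.verdict, tag: TAG_FOR_VERDICT[row.verdict] };
}

// Constructed sample data (hypothetical incidents, not from a real instance).
const SUBFLOW_INPUTS = {
  c_level_names: "Jane Doe, Raj Patel",
  trusted_domains: "example.com, example.co.uk",
  enrichment_keywords: "newly registered, registered 3 days, free hosting",
};
const SAMPLE_INCIDENTS = {
  maliciousUrl: { sys_id: "a1", sender_email: "promo@mail-deals.net", sender_name: "Deals", predicted_classification: "suspicious",
    observables: [{ type: "url", value: "http://mail-deals.net/login", ti_verdict: "malicious", enrichment: "" }] },
  lookalikeCeo: { sys_id: "a2", sender_email: "ceo-jane.doe@examp1e.com", sender_name: "Jane Doe", predicted_classification: "benign",
    observables: [{ type: "domain", value: "examp1e.com", ti_verdict: "unknown", enrichment: "domain examp1e.com registered 3 days ago" }] },
  newDomain: { sys_id: "a3", sender_email: "news@quarterly-updates.org", sender_name: "Newsletter", predicted_classification: "benign",
    observables: [{ type: "domain", value: "quarterly-updates.org", ti_verdict: "unknown", enrichment: "Newly registered domain (2 days old)" }] },
  internal: { sys_id: "a4", sender_email: "raj.patel@example.com", sender_name: "Raj Patel", predicted_classification: "benign",
    observables: [{ type: "url", value: "https://example.com/report", ti_verdict: "benign", enrichment: "domain registered 2009" }] },
};

for (const inc of Object.values(SAMPLE_INCIDENTS)) {
  const r = generateFinalVerdict(inc, SUBFLOW_INPUTS);
  console.log(r.incident_id, r.verdict, r.tag, JSON.stringify(r.conditions));
}
```

The look-alike incident is the case the decision table is meant to catch: predictive intelligence and threat intelligence both return nothing, yet the spoofed trusted domain and the spoofed executive name together still reach Confirmed Phish, while the same newly registered domain without spoofing only reaches Likely Phish. When tuning your own table, add a row for each combination you want to treat differently rather than widening a single condition, so the Decision Inputs tab continues to show why a verdict was reached.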