DBot Create Phishing Classifier

Creates a phishing classifier using a machine learning technique, trained on the email content (subject and body) of previously closed Phishing incidents.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

This playbook does not use any integrations.

Scripts

  • DBotPredictPhishingEvaluation
  • DBotTrainTextClassifier
  • DBotPreparePhishingData
  • Base64ListToFile

Commands

This playbook does not use any commands.

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| modelListStoreName | The name of the Demisto list in which to store the trained model. | phishing_model | Optional |
| emailTextKey | The incident key from which to extract the email body text. | details | Optional |
| emailSubjectKey | The incident key from which to extract the email subject. | emailsubject | Optional |
| emailTagKey | The incident key expression from which to extract the email tag (the label used for training). | closeReason | Optional |
| phishingLabels | A CSV list of email tag values and their mapping. Only the tags specified in this field are considered; incidents whose tag is not listed are ignored. A tag can be mapped to another label using the format LABEL:MAPPED_LABEL. For example, assume the email tag has five values: malicious, credentials harvesting, inner communication, external legit email, unclassified. While training we want to ignore the "unclassified" tag, treat "credentials harvesting" as "malicious", and merge "inner communication" and "external legit email" into one tag called "non-malicious". The input is then: malicious, credentials harvesting:malicious, inner communication:non-malicious, external legit email:non-malicious. | * | Optional |
| incidentsTrainingQuery | The incidents query used to fetch the training data for the model. | type:Phishing and created:>="180 days ago" and created:<"7 days ago" | Optional |
| incidentsEvaluationQuery | The incidents query used to fetch the test data for the model. It should not overlap with incidentsTrainingQuery; the defaults split on incident creation time so that evaluation incidents are never part of the training set. | type:Phishing and created:>="7 days ago" | Optional |
| maxIncidentsToFetchOnTraining | The maximum number of incidents to fetch while training the model. | 2000 | Optional |
| isContextNeeded | Whether the incident context data is needed to get the email text, subject, and tag values (yes/no). | no | Optional |
| historicalDataFileListName | The name of the Demisto list that contains historical data samples for the algorithm. | - | Optional |
| hashData | Whether to apply a hash function to the words before training, so that the stored model does not contain clear-text email content (anonymization). Choose "yes" or "no". | no | Optional |
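The phishingLabels format above (a CSV list of LABEL or LABEL:MAPPED_LABEL entries) is easy to get wrong, and an incident whose tag is not listed is silently dropped from training. The following is an added, illustrative Python example, not the DBotPreparePhishingData script or any other code from this content pack: it parses the mapping string, applies it to a few constructed incident records keyed on closeReason, and reports the per-class counts and the number of skipped incidents. Trimming whitespace and matching tags case-insensitively are assumptions made here; the real script may treat tags differently.

```python
"""Illustrative parser for the phishingLabels input format.

Added example, not the DBotPreparePhishingData script itself. It shows how a
CSV list of "LABEL" or "LABEL:MAPPED_LABEL" entries becomes a tag-to-class
mapping and how that mapping is applied to incident records. Whitespace
trimming and case-insensitive tag matching are assumptions for robustness.
"""
from collections import Counter


def parse_phishing_labels(labels_csv):
    """Return {original_tag: training_label} from the CSV mapping string.

    A bare entry "malicious" maps to itself; "a:b" maps tag "a" to label "b".
    Tags not present in the result are to be ignored during training.
    """
    mapping = {}
    for entry in labels_csv.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if ":" in entry:
            tag, label = entry.split(":", 1)
        else:
            tag, label = entry, entry
        # Assumption: tags are matched case-insensitively after trimming.
        mapping[tag.strip().lower()] = label.strip()
    return mapping


def label_incidents(incidents, mapping, tag_key="closeReason"):
    """Return (labeled, skipped).

    labeled: copies of the incidents with an added "label" field holding the
             mapped class; skipped: count of incidents whose tag is not in
             the mapping and therefore would not be used for training.
    """
    labeled = []
    skipped = 0
    for inc in incidents:
        raw_tag = str(inc.get(tag_key, "")).strip().lower()
        if raw_tag not in mapping:
            skipped += 1
            continue
        labeled.append({**inc, "label": mapping[raw_tag]})
    return labeled, skipped


def class_counts(labeled):
    """Per-class sample counts, useful to spot a badly unbalanced training set."""
    return Counter(inc["label"] for inc in labeled)


# Constructed sample input mirroring the example in the inputs table above.
PHISHING_LABELS = (
    "malicious, credentials harvesting:malicious, "
    "inner communication:non-malicious, external legit email:non-malicious"
)
SAMPLE_INCIDENTS = [
    {"id": "1", "closeReason": "malicious", "details": "Reset your password now"},
    {"id": "2", "closeReason": "credentials harvesting", "details": "Login to verify"},
    {"id": "3", "closeReason": "inner communication", "details": "Lunch at 12?"},
    {"id": "4", "closeReason": "External Legit Email", "details": "Invoice attached"},
    {"id": "5", "closeReason": "unclassified", "details": "Hello"},
]

if __name__ == "__main__":
    mapping = parse_phishing_labels(PHISHING_LABELS)
    labeled, skipped = label_incidents(SAMPLE_INCIDENTS, mapping)
    print(mapping)
    print(dict(class_counts(labeled)), "skipped:", skipped)
```

Checking the skipped count and the per-class counts before training is worthwhile: a mapping typo (for example a tag spelled differently in closeReason than in phishingLabels) removes those incidents silently, and a heavily unbalanced class split will show up later as a poor F1 score in DBotPredictPhishingEvaluation.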

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| DBotPredictPhishingEvaluation.F1 | The F1 score (0-1). | number |
| DBotPredictPhishingEvaluation.Precision | The precision score (0-1). | number |
| DBotTextClassifier.ListName | The model list name in Demisto. | unknown |

Playbook Image


DBotCreatePhishingClassifier