End-of-Life (EoL)

Create a Machine Learning Model

Follow these steps to create an ML model.

A machine learning model enables Cortex XSOAR to predict the classification of phishing incidents, for example whether an incident should be classified as legitimate, malicious, or spam. You can use these models in conjunction with your default investigation playbooks, or run the commands separately in the War Room. A model is usually trained to predict the classification of a phishing incident. The main goal of the machine learning model is to leverage past phishing incidents to assist with the investigation of future incidents.
  1. Select ML Models, then New Model.
  2. In the Model name field, type the name of the model that you want to create.
  3. ( ). In the field, type a meaningful description for the machine learning model.
  4. In the Incident type field, select from the drop-down list the type of incident on which you want the machine to be trained, such as Phishing.
  5. In the Incident field, select from the drop-down list the incident field whose value you want the model to learn to predict. The model trains using this field as its label. For example, Email Classification.
  6. Select the date range over which you want to run the machine learning. The more incidents, the better the results, so a longer period is recommended.
  7. In the Maximum number of incidents to test field, type the number of incidents used to train the model. Reduce the number only if the number of incidents is so large that it causes performance problems; use a higher number if you have more samples in your environment. The default is 3000. The results appear in the Field Mapping.
  8. In the fields, define the name of each verdict to which you want to map your data. Verdicts are groups of labels; each verdict includes one or more labels. You must map all existing labels into 2 or 3 different verdicts. The model is trained using these verdicts, and all labels that are mapped into the same verdict are treated as if they have the same label. You can choose any label for your verdict field, but because the training calculates the model based on the verdict, it should be a meaningful name.
  9. In the Field Mapping field, drag and drop the Field Mapping data into the verdicts you defined. You need a minimum of 50 results returned. For an example, see Machine Learning Model Example.
  10. If you want to change the fields in which the email body and email subject are stored in the incident, in the Argument Mapping select the equivalent fields for Email body, Email HTML and Email subject. By default, the machine learning model trains on the Email body, Email HTML and Email subject fields.
  11. Click Start Training. In the ML Models window, the machine learning model starts analyzing the data. When it finishes successfully, the percentage scores appear, which reflect how precise the results are for each class. If you are using the Phishing incident type, you can now use the model in the machine learning window, in the War Room, or in the playbook. For more information, see Machine Learning Models Overview.
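The following is an added illustration, not Cortex XSOAR code, of the data-side rules the steps above describe: labels are grouped into 2 or 3 verdicts, every existing label must be mapped, at least 50 incidents are needed, at most the configured maximum (default 3000) are used, and the result is reported as a per-verdict precision score. The incidents, the subject/body templates, the verdict mapping and the simple naive Bayes classifier standing in for the product's undocumented model are all constructed for this example.

```python
import math
import re
from collections import Counter, defaultdict

MIN_INCIDENTS = 50            # minimum number of results the page requires for training
DEFAULT_MAX_INCIDENTS = 3000  # the page's default "Maximum number of incidents to test"

# Constructed verdict mapping (assumption, not from the page): 2 to 3 verdicts,
# each grouping one or more of the labels found in the predicted incident field.
VERDICTS = {
    "malicious": ["Phishing", "Credential Harvesting", "Malware"],
    "legitimate": ["Legitimate", "Internal"],
    "spam": ["Spam", "Marketing"],
}


def constructed_incidents(copies=10):
    """Constructed sample incidents: one subject/body template per label, repeated."""
    templates = {
        "Phishing": ("Urgent: verify your account",
                     "Your password expires tonight, click the link to reset it now."),
        "Credential Harvesting": ("Mailbox storage full",
                                  "Sign in to the portal below to keep your mailbox active."),
        "Malware": ("Invoice attached",
                    "Open the attached document and enable macros to view the invoice."),
        "Legitimate": ("Meeting notes",
                       "Attached are the notes from the project sync this morning."),
        "Internal": ("Lunch on Friday",
                     "Team lunch is booked for Friday at noon in the cafeteria."),
        "Spam": ("Limited offer!!!",
                 "Buy one get one free, offer ends soon, do not miss out."),
        "Marketing": ("Monthly newsletter",
                      "Read this month's product updates and upcoming webinars."),
    }
    return [{"subject": f"{subject} ({n})", "body": body, "label": label}
            for n in range(copies) for label, (subject, body) in templates.items()]


def label_to_verdict(mapping):
    """Invert the verdict mapping so every label points at its verdict."""
    return {label: verdict for verdict, labels in mapping.items() for label in labels}


def validate_mapping(mapping, incidents):
    """Return labels present in the data that the mapping leaves unmapped.

    The page requires 2 or 3 verdicts and that every existing label is mapped."""
    if not 2 <= len(mapping) <= 3:
        raise ValueError("map labels into 2 or 3 verdicts")
    return sorted({inc["label"] for inc in incidents} - set(label_to_verdict(mapping)))


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def train(incidents, mapping, max_incidents=DEFAULT_MAX_INCIDENTS):
    """Multinomial naive Bayes over subject+body tokens, keyed by verdict.

    Every label inside a verdict is collapsed to that verdict before counting,
    which is what 'treated as if they have the same label' means in practice."""
    unmapped = validate_mapping(mapping, incidents)
    if unmapped:
        raise ValueError(f"unmapped labels: {unmapped}")
    if len(incidents) < MIN_INCIDENTS:
        raise ValueError(f"need at least {MIN_INCIDENTS} incidents, got {len(incidents)}")
    inv = label_to_verdict(mapping)
    sample = incidents[:max_incidents]
    doc_counts, word_counts, vocab = Counter(), defaultdict(Counter), set()
    for inc in sample:
        verdict = inv[inc["label"]]
        doc_counts[verdict] += 1
        words = tokenize(inc["subject"] + " " + inc["body"])
        word_counts[verdict].update(words)
        vocab.update(words)
    return {"docs": doc_counts, "words": word_counts, "vocab": len(vocab), "total": len(sample)}


def predict(model, subject, body):
    """Return the verdict with the highest Laplace-smoothed log-probability."""
    words = tokenize(subject + " " + body)
    best, best_score = None, -math.inf
    for verdict, ndocs in model["docs"].items():
        counts = model["words"][verdict]
        denom = sum(counts.values()) + model["vocab"]
        score = math.log(ndocs / model["total"])
        score += sum(math.log((counts[w] + 1) / denom) for w in words)
        if score > best_score:
            best, best_score = verdict, score
    return best


def precision_per_verdict(model, incidents, mapping):
    """Per-verdict precision on held-out incidents: the per-class score the page reports."""
    inv = label_to_verdict(mapping)
    tp, predicted = Counter(), Counter()
    for inc in incidents:
        guess = predict(model, inc["subject"], inc["body"])
        predicted[guess] += 1
        if guess == inv[inc["label"]]:
            tp[guess] += 1
    return {v: round(tp[v] / predicted[v], 3) if predicted[v] else 0.0 for v in mapping}


def demo():
    """Train on 8 copies of each template (56 incidents) and score the 2 held-out copies."""
    data = constructed_incidents()
    train_set, test_set = data[:56], data[56:]
    return precision_per_verdict(train(train_set, VERDICTS), test_set, VERDICTS)


if __name__ == "__main__":
    print(demo())  # precision per verdict on the held-out incidents
```

Because the constructed templates are distinct, the held-out scores come out at 100% for every verdict; on real incidents the per-verdict numbers are where you look for a verdict that the model confuses with another, which usually means its labels were grouped too coarsely in step 8.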
