A machine learning model enables Cortex XSOAR
to predict the classification of phishing incidents, for example,
whether the incident should be classified as legitimate, malicious,
or spam. You can use these models in conjunction with your default
investigation playbooks or run commands separately in the War Room.
It is usually used for training a model to predict the classification of
a phishing incident. The main goal of the machine learning model
is leveraging past phishing incidents to assist with the investigation
of future incidents.
the name of the model that you want to create.
). In the
type a meaningful description for the machine learning model.
the drop-down list, select the type of incident on which you want
the machine to be trained, such as Phishing.
, from the
drop-down list, select the incident field that you want the model
to learn to predict. The model trains using these fields as a label.
Select the date range over which you want to run the machine learning.
The more incidents, the better the results. It is recommended to use
a longer period.
Maximum number of incidents to test
type the number of incidents that you want to test and that are used to train the model.
Reduce the number only if the number of incidents is too large and causes
performance problems. Use a higher number if you have more samples in
Default is 3000. The results appear in the
the name of the verdict for which to map your data.
Verdicts are groups of labels. Each verdict includes
1 or more labels. You must map all existing labels into 2 or 3 different
verdicts. The model is trained using these verdicts. All labels
that are mapped into the same verdict are treated as if they have
the same label. You can choose any label for your verdict field, but
the model is calculated based on the verdict, so
it should be a meaningful name.
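The verdict mapping rule above, as an added example that is not part of the original page or of Cortex XSOAR: a Python check that every label found in the chosen incident field maps to a verdict and that 2 or 3 verdicts result. The field name `classification`, the sample incidents, the skipping of unlabeled incidents and the way the incident limit is applied are constructed assumptions.

```python
from collections import Counter

DEFAULT_MAX_INCIDENTS = 3000  # default value stated on the page

# Constructed sample incidents; "classification" is a hypothetical field name.
SAMPLE_INCIDENTS = [
    {"id": 1, "classification": "Phishing"},
    {"id": 2, "classification": "Credential harvesting"},
    {"id": 3, "classification": "Newsletter"},
    {"id": 4, "classification": "Marketing"},
    {"id": 5, "classification": "Internal mail"},
    {"id": 6, "classification": "Phishing"},
]

# Constructed mapping: several labels may share one verdict.
SAMPLE_VERDICT_MAP = {
    "Phishing": "malicious",
    "Credential harvesting": "malicious",
    "Newsletter": "spam",
    "Marketing": "spam",
    "Internal mail": "legitimate",
}


def build_training_labels(incidents, label_field, verdict_map,
                          max_incidents=DEFAULT_MAX_INCIDENTS):
    """Validate the label-to-verdict mapping; return (verdicts, counts)."""
    # Assumption: the limit keeps the first max_incidents items of the list.
    sample = incidents[:max_incidents]
    # Assumption: incidents with an empty label field are skipped.
    labels = [inc[label_field] for inc in sample if inc.get(label_field)]

    # Every label that occurs in the data must be mapped to a verdict.
    unmapped = sorted(set(labels) - set(verdict_map))
    if unmapped:
        raise ValueError(f"labels not mapped to a verdict: {unmapped}")

    # Labels sharing a verdict are treated as one class; 2 or 3 are required.
    verdicts = [verdict_map[label] for label in labels]
    counts = Counter(verdicts)
    if not 2 <= len(counts) <= 3:
        raise ValueError(f"need 2 or 3 verdicts, got {len(counts)}")
    return verdicts, counts


if __name__ == "__main__":
    _, per_verdict = build_training_labels(
        SAMPLE_INCIDENTS, "classification", SAMPLE_VERDICT_MAP)
    print(dict(per_verdict))
```

The per-verdict counts also show class imbalance before training, which helps when reading the per-class scores afterwards.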
If you want to change the fields where email body and
email subject are stored in the incident, in the
select the equivalent fields for Email body,
Email HTML and Email subject.
By default, the machine learning model trains on the Email
body, Email HTML and Email subject.
window, the machine
learning model starts analyzing the data. When finished, if successful,
the percentage scores appear, which reflect how precise the results
are according to class. If using the phishing incident type, you
can now use the model in the machine learning or War Room window or
in the playbook. For more information, see Machine Learning Models Overview.