End-of-Life (EoL)

Machine Learning Models Overview

Use machine learning to train models that analyze and predict future behavior.
Machine learning models enable Cortex XSOAR to analyze and predict behavior through incident types and fields. The model uses past incidents that have already been classified to classify incoming events automatically.
Machine learning models are used mainly for phishing incidents. You can train a model to automatically distinguish, for example, phishing emails, legitimate emails, and spam.
Machine learning models enable you to do the following:
  • Use the prediction as part of a scoring/severity set.
  • Close incidents automatically, more accurately than by manually defining a threshold.
  • Handle only the incidents that the classifier marks as malicious.
You train models by inputting data through incident types and fields. Cortex XSOAR returns all the incidents containing the specified field. You can then map these field values into different verdicts. The verdicts determine what the model predicts, so you should make the verdict definitions meaningful.
By default, Cortex XSOAR trains models from the input data contained in the Email Body, Email HTML, and Email Subject fields. You can change the names of the fields that contain the subject and body. Cortex XSOAR then trains a model and returns the accuracy of the model for each category.
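The verdict-mapping step and the per-category accuracy described above, as an added example that is not part of the Cortex XSOAR documentation or product code: the incidents, the classification field values and the naive Bayes classifier standing in for XSOAR's internal model are all constructed for illustration.

```python
import math, re
from collections import Counter, defaultdict
INCIDENTS = [  # constructed sample data: (classification field value, subject, body)
    ("phishing", "Urgent: verify your account", "your password expires, click the link now"),
    ("credential harvest", "Mailbox full", "login to your account to restore your password"),
    ("legit", "Meeting notes", "notes from today's project sync are attached"),
    ("legit", "Quarterly report", "draft report for review before the project sync"),
    ("newsletter", "Weekly newsletter", "top deals and discount offers this week"),
    ("marketing", "Unsubscribe", "stop receiving marketing discount offers and deals"),
    ("unknown", "FYI", "see below"),
]
# Several raw field values collapse into one verdict; values with no verdict are dropped.
VERDICT_MAP = {"phishing": "Malicious", "credential harvest": "Malicious",
               "legit": "Legitimate", "newsletter": "Spam", "marketing": "Spam"}

def map_verdicts(incidents, verdict_map):
    """Return (text, verdict) pairs; incidents whose field value is unmapped are skipped."""
    samples = []
    for value, subject, body in incidents:
        verdict = verdict_map.get(value.lower())
        if verdict:
            samples.append((subject + " " + body, verdict))
    return samples

def tokenize(text): return re.findall(r"[a-z']+", text.lower())

def train(samples):
    """Multinomial naive Bayes with Laplace smoothing, a stand-in for XSOAR's internal model."""
    counts, priors = defaultdict(Counter), Counter()
    for text, verdict in samples:
        counts[verdict].update(tokenize(text))
        priors[verdict] += 1
    vocab = {t for c in counts.values() for t in c}
    return {"counts": counts, "priors": priors, "vocab": vocab}

def predict(model, text):
    n, vocab = sum(model["priors"].values()), len(model["vocab"])
    def score(v):  # log P(verdict) + sum of log P(token | verdict)
        denom = sum(model["counts"][v].values()) + vocab
        return math.log(model["priors"][v] / n) + sum(
            math.log((model["counts"][v][t] + 1) / denom) for t in tokenize(text))
    return max(model["priors"], key=score)

def per_category_accuracy(model, samples):
    """Accuracy per verdict, so a weak class is not hidden behind the overall score."""
    by_verdict = defaultdict(list)
    for text, verdict in samples:
        by_verdict[verdict].append(predict(model, text) == verdict)
    return {v: sum(r) / len(r) for v, r in by_verdict.items()}
```

On this constructed data every verdict scores 1.0; on real incidents, a verdict whose accuracy lags the others usually means its raw field values were mapped inconsistently or it has too few examples.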
To create a machine learning model, see Create a Machine Learning Model.
The machine learning model for phishing can be used as follows:
  • As part of the Phishing Investigation - Generic v2 playbook, when adding the command, or when creating a playbook.
    When Cortex XSOAR runs the playbook, it uses the machine learning model that you have defined.
  • By running the command in the War Room or on the Machine Learning page, by typing:
    !DbotPredictPhishingWords modelName="name" emailBody="body" emailBodyHTML="email body html" emailSubject="email subject"
    See Phishing Command Examples Using a Machine Learning Model.
    You can also follow Use the Phishing Classifier in Production to run a phishing classifier demo without creating a machine learning model.