Machine Learning Models
Use machine learning (ML) models in Cortex XSOAR to analyze past incidents and predict the classification of new ones. Machine learning is used mainly for phishing incidents.
Machine learning models enable Cortex XSOAR to analyze and predict behavior through incident types and fields. A model learns from past incidents that have already been classified and uses that knowledge to classify incoming events automatically.
Machine learning models are used mainly for phishing incidents. You can train a model to automatically recognize, for example, phishing emails, legitimate emails, and spam.
Machine learning models enable you to do the following:
- Use the model's prediction as part of a scoring/severity set.
- Close incidents automatically, more accurately than by manually defining a threshold.
- Handle only the incidents that the classifier marks as malicious.
You train models by inputting data through incident types and fields. Cortex XSOAR returns all the incidents containing the specified field. You then map the values of that field to different verdicts. The verdicts are what the model learns to predict, so make the verdict definitions meaningful.
By default, Cortex XSOAR trains models on the input data contained in the Email body, Email HTML, and Email subject fields. You can change the names of the fields containing the subject and body. Cortex XSOAR then trains a model and returns its accuracy against each category.
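To make the verdict-mapping and per-category accuracy step concrete, here is an added Python illustration (not Cortex XSOAR's own code): raw values of a constructed classification field are mapped to verdicts, a small bag-of-words Naive Bayes stands in for the phishing model trained on subject and body, unmapped field values are skipped, and accuracy is reported per verdict. The field values, sample emails and the classifier itself are all assumptions made for this example.

```python
import math
import re
from collections import Counter, defaultdict
# Raw values of the (constructed) classification field -> verdicts the model predicts.
VERDICT_MAP = {"credential phish": "malicious", "malware": "malicious",
               "newsletter": "spam", "legit": "legitimate"}
INCIDENTS = [  # constructed past incidents: (subject, body, classification field value)
    ("Urgent: verify your password", "click the link to verify your account password now", "Credential Phish"),
    ("Invoice attached", "open the attached invoice document to view payment", "Malware"),
    ("Weekly newsletter", "unsubscribe from this newsletter deals offers", "Newsletter"),
    ("Meeting notes", "attached are the notes from the team meeting today", "Legit"),
    ("Lunch tomorrow", "want to grab lunch tomorrow with the team", "Legit"),
    ("Ticket escalated", "the helpdesk ticket was escalated to tier 2", "Unknown"),  # unmapped: skipped
]
def tokenize(text):
    return re.findall(r"[a-z0-9']+", text.lower())

def train(incidents, verdict_map):
    """Bag-of-words multinomial Naive Bayes over subject + body, one class per verdict."""
    counts, docs, vocab = defaultdict(Counter), Counter(), set()
    for subject, body, raw in incidents:
        verdict = verdict_map.get(raw.lower())
        if verdict is None:  # unmapped field values contribute nothing to the model
            continue
        toks = tokenize(subject + " " + body)
        counts[verdict].update(toks)
        docs[verdict] += 1
        vocab.update(toks)
    return {"counts": counts, "docs": docs, "vocab": len(vocab)}

def predict(model, subject, body):
    # Verdict with the highest Laplace-smoothed log-probability.
    total, best, best_lp = sum(model["docs"].values()), None, -math.inf
    for verdict, n in model["docs"].items():
        lp = math.log(n / total)
        denom = sum(model["counts"][verdict].values()) + model["vocab"]
        for tok in tokenize(subject + " " + body):
            lp += math.log((model["counts"][verdict][tok] + 1) / denom)
        if lp > best_lp:
            best, best_lp = verdict, lp
    return best

def accuracy_per_verdict(model, incidents, verdict_map):
    """Share of mapped incidents in each verdict that the model classifies correctly."""
    hits, seen = Counter(), Counter()
    for subject, body, raw in incidents:
        verdict = verdict_map.get(raw.lower())
        if verdict is not None:
            seen[verdict] += 1
            hits[verdict] += predict(model, subject, body) == verdict
    return {v: hits[v] / seen[v] for v in seen}
```

Scoring the training incidents themselves gives 1.0 per verdict here; in practice the accuracy worth looking at is on incidents the model was not trained on.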
The machine learning model for phishing can be used in the following ways:
- As part of the Phishing Investigation - Generic v3 playbook, when adding the DbotPredictPhishingWords command, or when creating a playbook. When Cortex XSOAR runs the playbook, it uses the machine learning model that you have defined.
- By running the !DbotPredictPhishingWords command in the War Room or on the Machine Learning page, by typing:
!DbotPredictPhishingWords modelName="name" emailBody="body" emailBodyHTML="email body html" emailSubject="email subject"
See Phishing Command Examples Using a Machine Learning Model.