DBot Create Phishing Classifier V2 From File

Create a phishing classifier using machine learning. The classifier is based on incidents files extracted from email content.

Machine Learning · 4 tasks · 16 inputs · 4 outputs

Inputs

  • fileID — The ID of the file containing phishing incidents.
  • inputFormat — The input file format. Valid values include json \ pickle \ csv.
  • modelName — The model name to store in the system.
  • emailTextKey — A comma-separated list of incident field names with the email body or html body. You can also use "|" if you want to choose the first non empty value from a list of fields.
  • emailSubjectKey — A comma-separated list of incident field names with the email subject. You can also use "|" if you want to choose the first non-empty value from a list of fields.
  • emailTagKey — The field name with the email tag. Supports a comma-separated list, in which the first non-empty value will be taken.
  • phishingLabels — A comma-separated list of email tag values and mappings. The script considers only the tags specified in this field. You can map a label to another value by using this format: LABEL:MAPPED_LABEL. For example, for 4 values in the email tag: malicious, credentials harvesting, inner communitcation, external legit email, unclassified. While training, we want to ignore the "unclassified" tag, and refer to "credentials harvesting" as "malicious" too. Also, we want to merge "inner communication" and "external legit email" to one tag called "non-malicious". The input will be: malicious, credentials harvesting:malicious, inner communitcation:non-malicious, external legit email:non-malicious
  • incidentsQuery — The incidents query used to fetch the training data for the model.
  • maxIncidentsToFetchOnTraining — The maximum number of incidents to fetch.
  • hashSeed — If non-empty, hash every word with this seed.
  • overrideModel — Whether to override the existing model if a model with the same name already exists. Default is "false".
  • incidentTypes — A comma-separated list of incident types by which to filter.
  • dedupThreshold — Remove emails with similarity greater than this threshold. A valid range is 0-1, where 1 is completely identical.
  • removeShortTextThreshold — Sample text of which the total number of words less than or equal to this number will be ignored.
  • modelTargetAccuracy — The model target accuracy at each label, between 0 and 1.
  • outputFormat — The file output format. Valid values can be json \ pickle.

Outputs

  • DBotPhishingClassifier.EvaluationScores.micro_avg.f1-score — F1 score (0-1)
  • DBotPhishingClassifier.EvaluationScores.micro_avg.precision — Precision score (0-1)
  • DBotPhishingClassifier.EvaluationScores.micro_avg.recall — Recall score (0-1)
  • DBotPhishingClassifier.ModelName — Model name in Demisto

Flowchart

Start Start Pre-process file - DBotPreProcessTextData Pre-process file DBotPreProcessTextData Train Model - DBotTrainTextClassifierV2 Train Model DBotTrainTextClassifierV2 Done Done