ExtendQueryBasedOnPhishingLabels

A helper script for the DBot Create Phishing Classifier V2 playbook. This script extends the query based on the phishingLabels argument.

python · Machine Learning

Source

from CommonServerPython import *

ALL_LABELS = "*"


def get_phishing_map_labels(comma_values):
    if comma_values == ALL_LABELS:
        return comma_values
    values = [x.strip() for x in comma_values.split(",")]
    labels_dict = {}
    for v in values:
        v = v.strip()
        if ":" in v:
            splited = v.rsplit(":", maxsplit=1)
            labels_dict[splited[0].strip()] = splited[1].strip()
        else:
            labels_dict[v] = v
    return dict(labels_dict.items())


def build_query_in_reepect_to_phishing_labels(args):
    mapping = args.get("phishingLabels", ALL_LABELS)
    tag_field = args["tagField"]
    query = args.get("query", "")
    if mapping == ALL_LABELS:
        mapping_query = f"{tag_field}:*"
    else:
        mapping_dict = get_phishing_map_labels(mapping)
        tags_union = " ".join([f'"{label}"' for label in mapping_dict])
        mapping_query = f"{tag_field}:({tags_union})"
    if query == "":
        modified_query = mapping_query
    else:
        modified_query = f"({query}) and ({mapping_query})"
    return modified_query


def main():
    try:
        result = {"extendedQuery": build_query_in_reepect_to_phishing_labels(demisto.args())}

        res = CommandResults(
            outputs_prefix="ExtendQueryBasedOnPhishingLabels",
            outputs_key_field="",
            outputs=result,
        )
        return_results(res)
    except Exception as ex:
        demisto.error(traceback.format_exc())  # print the traceback
        return_error(f"Failed to execute ExtendQueryBasedOnPhishingLabels. Error: {ex!s}")


""" ENTRY POINT """


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()

README

A helper script for the DBot Create Phishing Classifier V2 playbook. This script extends the query based on the phishingLabels argument.

Script Data


Name Description
Script Type python3
Tags ml
Cortex XSOAR Version 5.0.0

Used In


This script is used in the following playbooks and scripts.

  • DBot Create Phishing Classifier V2

Inputs


Argument Name Description
query Additional text by which to query incidents.
tagField The field name with the label. Supports a comma-separated list, the first non-empty value will be taken.
phishingLabels A comma-separated list of email tag values and mapping. The script considers only the tags specified in this field. You can map a label to another value by using this format: LABEL:MAPPED_LABEL. For example, for 4 values in an email tag: malicious, credentials harvesting, inner communication, external legit email, unclassified. While training, we want to ignore the “unclassified” tag, and refer to “credentials harvesting” as “malicious” too. Also, we want to merge “inner communication” and “external legit email” to one tag called “non-malicious”. The input will be: malicious, credentials harvesting:malicious, inner communication:non-malicious, external legit email:non-malicious.

Outputs


Path Description Type
ExtendQueryBasedOnPhishingLabels.extendedQuery The original query extended by a part which takes into account the phishingLabels argument. Unknown