Machine Learning Models - Administrator Guide - 6.10 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Use machine learning (ML) models in Cortex XSOAR to analyze and predict future behavior. Machine learning for phishing incidents.

Machine learning models enable Cortex XSOAR to analyze and predict behavior through incident types and fields. The model uses past incidents that have already been classified to classify incoming events automatically.

Machine learning models are used mainly for phishing incidents. You can train it to automatically recognize, for example, phishing emails, emails that are legitimate, and those that contain Spam.

Machine learning models enable you to do the following:

  • Use as part of a scoring/severity set.

  • To close incidents automatically more accurately than manually defining a threshold.

  • Handle only incidents that the classifier marks as malicious.

You train models by inputting data through incident types and fields. Cortex XSOAR returns all the incidents containing the specified field. You can then map these field values into different verdicts. The verdicts determine what the model predicts, so you should make the verdict definitions meaningful.

By default, Cortex XSOAR trains models from input data contained in an Email body, Email HTML, and Email subject. You can change the name of the fields containing the subject and body. Cortex XSOAR then trains a model and returns the accuracy of the model against each category.

To create a machine learning model, see Create a Machine Learning Model. You can use the Phishing Classifier Demo to see how machine learning works in practice and then create your own model. You need to install the Machine Learning content pack to use the demo and the playbooks which can help to train the model.

The machine learning model for phishing can be used as following:

  • Part of the Phishing - Generic v3 playbook, when adding the DbotPredictPhishingWords command, or when creating a playbook.

    When Cortex XSOAR runs the playbook it takes the machine learning model that you have defined.

  • Run the !DbotPredictPhishingWords command in the War Room or in the Machine Learning page, by typing: !DbotPredictPhishingWords modelName="name" emailBody="body"emailbodyhtml=”email body html” emailsubject=”email subject”. For more information, see Phishing Command Examples Using a Machine Learning Model.

    You can Use the Phishing Classifier in Production and run a phishing classifier demo, without the need to create a machine learning model.