Phishing Classifier Demo - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Use the phishing classifier demo to see how a classifier works for machine learning (ml) in Cortex XSOAR.

You can use a pre-trained phishing classifier which enables you to get a prediction for a phishing incident using Cortex XSOAR’s pre-trained model.

The main purpose of the classifier is to demonstrate how the phishing classifier feature works, using the DBotPredictOutOfTheBoxV2 automation, so that you learn how to train a classifier using your own data.

After running the feature, you can see how it works in practice and then create your own machine learning models.


  • It is not recommend using the classifier for production. It is intended for demonstration purposes only.

  • When using the out-of-the-box phishing playbooks, such as Phishing - Generic v3, the playbook uses the DbotPredictPhishingWords automation and not the DBotPredictOutOfTheBoxV2 automation used in this phishing classifier demo.

To run the phishing classifier demo, do the following:

  1. Install the Machine Learning content pack from the Marketplace.

  2. Type the !DBotPredictOutOfTheBoxV2 command, and add the relevant parameters. For example, !DBotPredictOutOfTheBoxV2 emailBody=`<Copy/paste some sample email body text here.>`.


    The output parameters are the same as the output of DBotPredictPhishingWord. The DBotPredictPhishingWord automation allows you to get a prediction for a phishing incident, using a model trained using your own classifier. For more information, see Machine Learning Models.

    You can see that the demisto_out_of_the_box_model_v2 machine learning model has been created, by going to SettingsADVANCEDML Models.

For practical examples, see Phishing Classifier Demo Examples.