Skip to main content

AWS Sagemaker

Use the API endpoint to get email text classification (subject and body), by leveraging a model trained on a vast amount of emails that were flagged by security experts as being malicious. The Phishing Email Classifier works best on English-language emails that contain at least 30 words in the email body. Other languages will be supported in the future.

Configure the AWS SageMaker Integration on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for AWS SageMaker.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • AWS access key
    • AWS secret key
    • AWS Region code
    • Endpoint Name
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Predict the maliciousness of an email: predict-phishing

1. Predict the maliciousness of an email

Base Command


Argument Description
inputText The text to analyze and predict if it is malicious. Lists of text is supported.

The output is the predicted label of the analyzed inputText: "malicious" or "other", with a corresponding probability (0-1).

Example Command
!predict-phishing inputText="Dear Info, Please confirm account password...", "Major Update: General Availability feedback..."
Example Output

[{'label': [u'__label__malicious'], 'probability': '1.00'}, {'label': [u'__label__other'], 'probability': '1.00'}]