Skip to main content

DBot Create Phishing Classifier


Use "DBot Create Phishing Classifier V2" playbook instead.

DEPRECATED. Use "DBot Create Phishing Classifier V2" playbook instead. Creates a phishing classifier using machine learning technique, based on the email content.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • DBotPredictPhishingEvaluation
  • DBotTrainTextClassifier
  • DBotPreparePhishingData
  • Base64ListToFile


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
modelListStoreNameThe name of the Cortex XSOAR list to store the model.phishing_modelOptional
emailTextKeyThe incident key to extract email body text.detailsOptional
emailSubjectKeyThe incident key to extract email subject.emailsubjectOptional
emailTagKeyThe incident key expression to extract email tag.closeReasonOptional
phishingLabelsThe CSV list of email tags values and mapping. The script going to consider only the tags specified in this field. You can map label to another value by using this format: LABEL:MAPPED_LABEL. For example: let's say we have 4 values in email tag: malicious, credentials harvesting, inner communitcation, external legit email, unclassified. While training, we want to ignore "unclassified" tag, and refer to "credentials harvesting" as "malicious" too. Also, we want to merge "inner communitcation" and "external legit email" to one tag called "non-malicious". The input will be: malicious, credentials harvesting:malicious, inner communitcation:non-malicious, external legit email:non-malicious.*Optional
incidentsTrainingQueryThe incidents query to fetch the training data for the model.type:Phishing and created:>="180 days ago" and created:<"7 days ago"Optional
incidentsEvaluationQueryThe incidents query to fetch the test data for the model.type:Phishing and created:>="7 days ago"Optional
maxIncidentsToFetchOnTrainingThe maximum number of incidents to fetch while training the model.2000Optional
isContextNeededWether the context data needed to get email text\subject\tag value?noOptional
historicalDataFileListNameThe name of Cortex XSOAR list contains historical data samples for the algorithm.-Optional
hashDataThe preform hash function to the words (to anonymize the data). Choose "yes" or "no".noOptional

Playbook Outputs#

DBotPredictPhishingEvaluation.F1The F1 score (0-1).number
DBotPredictPhishingEvaluation.PrecisionThe precision score (0-1).number
DBotTextClassifier.ListNameThe model list name in Cortex XSOAR.unknown

Playbook Image#