Evaluates the phishing model created by text classification ML automation.

Script Data#

Script Typepython
Tagsml, phishing
Demisto Version4.1.0+


Argument NameDescription
incidentsQueryThe query of the phishing incidents.
maxNumberOfIncidentsThe maximum number of incidents.
emailTextKeyTHe incident key used to extract the email's text.
emailSubjectKeyThe incident key used to extract the email's subject.
tagKeyThe incident key used to extract the tag.
phishingLabelsThe comma-separated values of the email tag values and mapping. The script will consider only the tags specified in this field. Labels can be mapped to another value by using this format, LABEL:MAPPED_LABEL. For example, given 5 values in an email tag, "malicious", "credentials harvesting", "inner communitcation", "external legit email", "unclassified". While training, we want to ignore the "unclassified" tag, and refer to "credentials harvesting" as "malicious" as well. Also, we want to merge "inner communitcation" and "external legit email" to one tag called "non-malicious". The input would be, "malicious, credentials harvesting:malicious, inner communitcation:non-malicious, external legit email:non-malicious".
isContextNeededWhether one of the fields is in the context data.
hashDataWhether the phishing model is based on hashed data.
modelListNameThe Demisto list name that stores the machine learning model.


DBotPredictPhishingEvaluation.PrecisionThe precision score. Can be, 0-1.number
DBotPredictPhishingEvaluation.RecallThe recall score. Can be, 0-1.number
DBotPredictPhishingEvaluation.F1The F1 score. Can be, 0-1.number
DBotPredictPhishingEvaluation.SizeThe test data size.number