Skip to main content


This Script is part of the Base Pack.#

Predict text label using a pre-trained machine learning phishing model, and get the most important words used in the classification decision.

Script Data#

Script Typepython3
Tagsml, phishing
Cortex XSOAR Version5.0.0

Used In#

This script is used in the following playbooks and scripts.

  • Phishing Investigation - Generic v2


Argument NameDescription
modelNameThe model name (or list name) in Demisto.
hashSeedSeed for the hash function, at the pre-process stage.
emailSubjectSubject of the email.
emailBodyBody of the email.
emailBodyHTMLHTML body of the email. Only use this field if the emailBody argument is empty.
topWordsLimitMaximum number of positive/negative words to return for the model decision. Default is 20.
wordThresholdThreshold to determine word importance (range 0-1). Default is 0.05.
modelStoreTypeHow the model is stored in Demisto. Can be "list" or "mlModel". Default is "list".
minTextLengthMinimum number of characters for the prediction.
labelProbabilityThresholdThe label probability threshold. Default is 0.8.
confidenceThresholdThe confidence threshold. The model will provide predictions only if their confidence is above this threshold.
returnErrorWhether to return an error when there is no prediction. Default is "true".
setIncidentFieldsWhether to set Demisto out-of-the-box DBot fields.
languageThe language of the input text. Default is "Any". Can be "Any", "English", "German", "French", "Spanish", "Portuguese", "Italian", "Dutch", or "Other". If "Any" or "Other" is selected, the script preprocess the entire input, no matter what its acutual language is. If a specific language is selected, the script filters out any other language from the output text.
tokenizationMethodTokenization method for text. Only required when the language argument is set to "Other". Can be "tokenizer", "byWords", or "byLetters".


DBotPredictPhishingWords.LabelThe predicted label.String
DBotPredictPhishingWords.ProbabilityThe predicted probability (range 0-1).Number
DBotPredictPhishingWords.PositiveWordsA list of words in the input text that supports the model decision.Unknown
DBotPredictPhishingWords.NegativeWordsA list of words in the input text that do not support the model decision. These words better support a different classification class.Unknown
DBotPredictPhishingWords.TextTokensHighlightedThe input text (after pre-processing) with the positive words that support the model decision.String