Skip to main content


This Script is part of the Base Pack.#

Train a machine learning text classifier.

Script Data#

Script Typepython3
Cortex XSOAR Version5.0.0

Used In#

This script is used in the following playbooks and scripts.

  • DBot Create Phishing Classifier V2
  • DBot Create Phishing Classifier V2 From File


Argument NameDescription
inputThe input file entry ID or JSON string.
modelNameThe model name to store in the system.
storeModelWhether to store the model in the system.
overrideExistingModelWhether to override the existing model if a model with the same name exists. Default is "false".
targetAccuracyThe target accuracy, between 0 and 1. Default is 0.8.
maxBelowThresholdMaximum nubmer of samples below the threshold (for the target accuracy).
tagFieldThe field name with the label. Supports a comma-separated list, the first non-empty value will be taken.
textFieldThe field name with the text to train.
phishingLabelsA comma-separated list of email tags values and mapping. The script considers only the tags specified in this field. You can map label to another value by using this format: LABEL:MAPPED_LABEL. For example, for 4 values in email tag: malicious, credentials harvesting, inner communitcation, external legit email, unclassified. While training, we want to ignore "unclassified" tag, and refer to "credentials harvesting" as "malicious" too. Also, we want to merge "inner communitcation" and "external legit email" to one tag called "non-malicious". The input will be: malicious, credentials harvesting:malicious, inner communitcation:non-malicious, external legit email:non-malicious
trainSetRatioThe ratio of the training set to the entire data set, which is used for model evaluation.
inputTypeThe input type.
keywordMinScoreMinimum score for a word to be considered as a keyword between 0 and 1.
metricThe metric to use for evaluating the model.
findKeywordsWhether to extract keywords for the model. Can be "true" or "false". Default is "true".
returnPredictionsOnTestSetWhether to return a file that contains the model's predictions on the test set. Can be "true" or "false". Default is "false".
originalTextFieldsA comma-separated list of incident fields names with the unprocessed text.
You can also use "|" if you want to choose the first non-empty value from a list of fields.
preProcessTypeText pre-processing type. The default is "json".
trainingAlgorithmThe training algorithm to use for training the model. Default is "auto". If "auto" is selected, the training algorithm will be chosen automatically based on the number of incidents per each label. Use "from_scratch" to train a new model from scratch, based on your incidents only. In general, "from_scratch" will perform better where the number of incidents is high (500 incidents or more per each verdict). "fine-tune" trains a model based on the out-of-the-box model. "fine-tune" will perform better when the number of incidents is relatively low. It's possible to train multiple models using different algorithms options, and compare their results.


DBotPhishingClassifier.ModelNameThe model name.String
DBotPhishingClassifier.EvaluationScoresThe model evaluation scores (precision, coverage, etc.) for the found threshold.Unknown
DBotPhishingClassifier.ConfusionMatrixThe model evaluation confusion matrix for the found threshold.Unknown
DBotPhishingClassifierNoThresh.EvaluationScoresThe model evaluation scores (precision, coverage, etc.) for threshold = 0.Unknown
DBotPhishingClassifierNoThresh.ConfusionMatrixThe model evaluation confusion matrix for threshold = 0.Unknown