Machine Learning

Details
Content
Dependencies
Version History

Help to manage machine learning models in Cortex XSOAR

Machine Learning

Help to manage machine learning models in Cortex.

Automations

Name	Description
ExportMLModel	Exports an existing ML model to a file.
DBotPredictOutOfTheBox	Deprecated. Use DBotPredictOutOfTheBoxV2 instead.
DBotPredictOutOfTheBoxV2	Predict phishing incidents using the out-of-the-box pre-trained model.
ExtendQueryBasedOnPhishingLabels	A helper script for the DBot Create Phishing Classifier V2 playbook. This script extends the query based on the phishingLabels argument.
ImportMLModel	Imports a file that contains an ML model.
EvaluateMLModllAtProduction	Evaluates an ML model in production.
DBotPredictIncidentsBatch	Apply a trained ML model on multiple incidents at once, to compare incidents how the incidents were labeled by analysts, to the predictions of the model. This script is aimed to help evaluate a trained model using past incidents.
HashIncidentsFields	Hash fields from the incident list. Search for incidents by arguments with an option to hash some of its fields.

Playbooks

Name	Description
DBot Create Phishing Classifier V2 From File	Create a phishing classifier using machine learning. The classifier is based on incidents files extracted from email content.
DBot Create Phishing Classifier V2	Create a phishing classifier using machine learning techniques, based on email content.
DBot Create Phishing Classifier V2 Job	Train the phishing machine learning model. This playbook should be used as job, to run repeatedly, for example every week.

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

1.4.22 - 3924934 (June 22, 2025)

Scripts

EvaluateMLModllAtProduction

Updated the Docker image to: demisto/pandas:1.0.0.3540678.

Related pull requests:
- 40325

Download

1.4.21 - 3720941 (June 10, 2025)

Scripts

DBotPredictOutOfTheBoxV2

Updated the Docker image to: demisto/ml:1.0.0.3261948.

DBotPredictIncidentsBatch

Breaking changes: Before using this version, sure to update the Base pack to the latest version.

Updated the Docker image to: demisto/pandas:1.0.0.3540678.

Related pull requests:
- 38644

Download

1.4.20 - R3414854 (May 15, 2025)

Scripts

ExportMLModel

Metadata and documentation improvements.

DBotPredictOutOfTheBoxV2

Metadata and documentation improvements.

ImportMLModel

Metadata and documentation improvements.

EvaluateMLModllAtProduction

Metadata and documentation improvements.

ExtendQueryBasedOnPhishingLabels

Metadata and documentation improvements.

HashIncidentsFields

Metadata and documentation improvements.

DBotPredictIncidentsBatch

Metadata and documentation improvements.

Related pull requests:
- 39132

Download

1.4.19 - R1989294 (January 14, 2025)

Scripts

HashIncidentsFields

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 38061

Download

1.4.18 - 1938781 (January 7, 2025)

Scripts

DBotPredictOutOfTheBoxV2

Updated the Docker image to: demisto/ml:1.0.0.1870375.

Related pull requests:
- 37950

Download

1.4.17 - 1738579 (December 2, 2024)

Scripts

DBotPredictIncidentsBatch

Updated the Docker image to: demisto/pandas:1.0.0.117209.

EvaluateMLModllAtProduction

Updated the Docker image to: demisto/pandas:1.0.0.117209.

Related pull requests:
- 37425
- 37421
- 37419
- 37422
- 37418
- 37420

Download

1.4.16 - 1718057 (November 28, 2024)

Scripts

ExportMLModel

Updated the Docker image to: demisto/python3:3.11.10.115186.

ImportMLModel

Updated the Docker image to: demisto/python3:3.11.10.115186.

HashIncidentsFields

Updated the Docker image to: demisto/python3:3.11.10.115186.

ExtendQueryBasedOnPhishingLabels

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

1.4.15 - 1666862 (November 18, 2024)

Scripts

DBotPredictOutOfTheBoxV2

Updated the Docker image to: demisto/ml:1.0.0.105874.

Related pull requests:
- 37249

Download

1.4.14 - 1624996 (November 11, 2024)

Scripts

DBotPredictOutOfTheBoxV2

Updated the Docker image to: demisto/ml:1.0.0.112949.

Related pull requests:
- 37162
- 37154

Download

1.4.13 - R1455125 (October 1, 2024)

Scripts

DBotPredictOutOfTheBoxV2

Updated the Docker image to: demisto/ml:1.0.0.105874.

Related pull requests:
- 35645

Download

1.4.12 - 1179382 (July 15, 2024)

Scripts

DBotPredictOutOfTheBoxV2

Updated the Docker image to: demisto/ml:1.0.0.103517.

Related pull requests:
- 35422

Download

1.4.11 - 1169083 (July 11, 2024)

Scripts

EvaluateMLModllAtProduction

Changed the Docker image to: demisto/pandas:1.0.0.102566.

DBotPredictOutOfTheBoxV2

Updated the Docker image to: demisto/ml:1.0.0.101889.

DBotPredictIncidentsBatch

Changed the Docker image to: demisto/pandas:1.0.0.102566.

Related pull requests:
- 35081

Download

1.4.10 - 836299 (February 18, 2024)

Scripts

ExtendQueryBasedOnPhishingLabels

Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32446

Download

1.4.9 - 752611 (January 9, 2024)

Scripts

HashIncidentsFields

Updated the Docker image to: demisto/python3:3.10.13.83255.

ImportMLModel

Updated the Docker image to: demisto/python3:3.10.13.83255.

ExportMLModel

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 32030

Download

1.4.8 - 6035467 (August 13, 2023)

Scripts

HashIncidentsFields

Updated the Docker image to: demisto/python3:3.10.12.68714.

ImportMLModel

Updated the Docker image to: demisto/python3:3.10.12.68714.

ExportMLModel

Updated the Docker image to: demisto/python3:3.10.12.68714.

Related pull requests:
- 28910

Download

1.4.7 - 5801668 (July 18, 2023)

Scripts

ExtendQueryBasedOnPhishingLabels

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28221

Download

1.4.6 - 5731243 (July 10, 2023)

Scripts

HashIncidentsFields

Updated the Docker image to: demisto/python3:3.10.12.63474.

ImportMLModel

Updated the Docker image to: demisto/python3:3.10.12.63474.

ExportMLModel

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28017

Download

1.4.5 - R5692327 (July 5, 2023)

Scripts

ExportMLModel

Updated the Docker image to: demisto/python3:3.10.10.48392.

HashIncidentsFields

Updated the Docker image to: demisto/python3:3.10.10.48392.

ImportMLModel

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 25138

Download

1.4.4 - R4718798 (March 1, 2023)

Scripts

ExtendQueryBasedOnPhishingLabels

Fixed an issue where custom labels resulted in an error.
Updated the Docker image to: demisto/python3:3.10.9.46032.

EvaluateMLModllAtProduction

Fixed an issue where custom labels resulted in an error.
Updated the Docker image to: demisto/ml:1.0.0.45981.

DBotPredictIncidentsBatch

Fixed an issue where custom labels resulted in an error.
Updated the Docker image to: demisto/ml:1.0.0.45981.

Related pull requests:
- 23844

Download

1.4.3 - R4372591 (January 11, 2023)

Scripts

DBotPredictOutOfTheBoxV2

Updated the Docker image to: demisto/ml:1.0.0.32340.

Related pull requests:
- 20239

Download

1.4.2 - 3134111 (June 22, 2022)

Scripts

DBotPredictOutOfTheBoxV2

Updated the Docker image to: demisto/ml:1.0.0.30541.

Related pull requests:
- 19466

Download

1.4.1 - 2745974 (April 12, 2022)

Scripts

HashIncidentsFields

Updated the Docker image to: demisto/python3:3.10.4.27798.
Fixed lint issues.

Download

1.4.0 - 2419785 (February 15, 2022)

Playbooks

DBot Create Phishing Classifier V2

Improved memory usage while fetching incidents for training.

Scripts

New: ExtendQueryBasedOnPhishingLabels

A helper script for the DBot Create Phishing Classifier V2 playbook. This script extends the query based on the phishingLabels argument. (Available from Cortex XSOAR 5.0.0).

Download

1.3.7 - R2238421 (January 11, 2022)

Scripts

HashIncidentsFields

Updated the Docker image to: demisto/python3:3.9.8.24399.

Download

PUBLISHER

PLATFORMS

Cortex XSOAR

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	June 30, 2020
Last Release	June 22, 2025

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.