From d9a5ea3c45127bd953b0bde0e1c55fb25e14bd3d Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Wed, 26 Jun 2024 14:12:49 +0300 Subject: [PATCH 01/39] updated docker --- .../DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml | 2 +- .../DBotPredictPhishingWords/DBotPredictPhishingWords.yml | 2 +- .../Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml | 2 +- .../DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml | 2 +- .../DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml | 2 +- .../EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml index 8f04d84a19c8..797c2ba81124 100644 --- a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml +++ b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml @@ -83,7 +83,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: demisto/ml:1.0.0.45981 +dockerimage: demisto/ml:1.0.0.98071 runonce: true tests: - Create Phishing Classifier V2 ML Test diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml index 83af245d44e8..2b669cb67afe 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml @@ -98,7 +98,7 @@ tags: - phishing timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.32340 +dockerimage: demisto/ml:1.0.0.98071 runonce: true tests: - Create Phishing Classifier V2 ML Test diff --git a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml index 853640116f5a..f80f35272b58 100644 
--- a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml +++ b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml @@ -104,7 +104,7 @@ tags: - ml timeout: 120µs type: python -dockerimage: demisto/ml:1.0.0.30541 +dockerimage: demisto/ml:1.0.0.98071 runonce: true tests: - Create Phishing Classifier V2 ML Test diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml index 0debe7c2eff1..876560555f96 100644 --- a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml +++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml @@ -46,7 +46,7 @@ tags: - ml timeout: '0' type: python -dockerimage: demisto/ml:1.0.0.45981 +dockerimage: demisto/ml:1.0.0.98071 fromversion: 5.0.0 tests: - VerifyOOBV2Predictions-Test diff --git a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml index a9c36418e659..fe66c4bae4d8 100644 --- a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml +++ b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml @@ -59,7 +59,7 @@ script: '-' subtype: python3 timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.32340 +dockerimage: demisto/ml:1.0.0.98071 runonce: true tests: - DbotPredictOufOfTheBoxTestV2 diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml index 7e8eb335fe41..89fd7f19d782 100644 --- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml 
@@ -42,7 +42,7 @@ outputs: script: '-' subtype: python3 type: python -dockerimage: demisto/ml:1.0.0.45981 +dockerimage: demisto/ml:1.0.0.98071 runas: DBotWeakRole fromversion: 5.0.0 tags: From ba9d1095785dfddedd3dcf7135909981cd47cb87 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Fri, 28 Jun 2024 00:23:49 +0300 Subject: [PATCH 02/39] added the rest --- .../DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml | 2 +- .../DBotFindSimilarIncidentsByIndicators.yml | 2 +- .../DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml | 2 +- .../Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml | 2 +- .../script-CompareEnvPredictionsToExpectedPredictions.yml | 2 +- Packs/ML/TestPlaybooks/script-CreateIncidentsOutOfTheBoxV2.yml | 1 - 6 files changed, 5 insertions(+), 6 deletions(-) diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml index 60fef5c54f27..cb3309fb626f 100644 --- a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml +++ b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml @@ -86,7 +86,7 @@ script: '-' subtype: python3 timeout: '0' type: python -dockerimage: demisto/ml:1.0.0.94241 +dockerimage: demisto/ml:1.0.0.98071 runas: DBotWeakRole runonce: true tests: diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml index a13bce442cf4..65bfb5ec652b 100644 --- a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml +++ b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml 
@@ -42,7 +42,7 @@ script: '-' subtype: python3 timeout: '0' type: python -dockerimage: demisto/ml:1.0.0.88591 +dockerimage: demisto/ml:1.0.0.98071 runas: DBotWeakRole tests: - DBotFindSimilarIncidentsByIndicators - Test diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml index f57578960181..9fe051e94732 100644 --- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml +++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml @@ -121,7 +121,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: demisto/ml:1.0.0.93129 +dockerimage: demisto/ml:1.0.0.98071 runonce: true tests: - Create Phishing Classifier V2 ML Test diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml index 4d59a291421a..594229138597 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml +++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml @@ -43,7 +43,7 @@ tags: - ml timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.88591 +dockerimage: demisto/ml:1.0.0.98071 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml index d274790f274c..15b67ba12157 100644 --- a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml +++ b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml @@ -32,6 +32,6 @@ scripttarget: 0 subtype: python3 pswd: "" runonce: false -dockerimage: demisto/ml:1.0.0.20606 +dockerimage: demisto/ml:1.0.0.98071 runas: DBotWeakRole fromversion: 5.5.0 \ No newline at end of file 
diff --git a/Packs/ML/TestPlaybooks/script-CreateIncidentsOutOfTheBoxV2.yml b/Packs/ML/TestPlaybooks/script-CreateIncidentsOutOfTheBoxV2.yml index f1d52f2dba57..66ce67eeb158 100644 --- a/Packs/ML/TestPlaybooks/script-CreateIncidentsOutOfTheBoxV2.yml +++ b/Packs/ML/TestPlaybooks/script-CreateIncidentsOutOfTheBoxV2.yml @@ -5,7 +5,6 @@ vcShouldKeepItemLegacyProdMachine: false name: CreateIncidentsOutOfTheBoxV2 script: |2+ - import json incidents = [ From cdec46ab923fdb83569368ccd9d340c8b9837f3d Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Tue, 2 Jul 2024 16:39:36 +0300 Subject: [PATCH 03/39] devdemisto/ml:1.0.0.100486 --- .../DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml | 2 +- .../DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml | 2 +- .../DBotFindSimilarIncidentsByIndicators.yml | 2 +- .../DBotPredictPhishingWords/DBotPredictPhishingWords.yml | 2 +- .../Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml | 2 +- .../DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml | 2 +- .../Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml | 2 +- .../DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml | 2 +- .../DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml | 2 +- .../EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml | 2 +- .../script-CompareEnvPredictionsToExpectedPredictions.yml | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml index 797c2ba81124..b3e3efa5b530 100644 --- a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml +++ b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml @@ -83,7 +83,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: demisto/ml:1.0.0.98071 +dockerimage: devdemisto/ml:1.0.0.100486 runonce: true tests: - Create Phishing Classifier V2 ML Test 
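Review bot: `dockerimage: devdemisto/ml:1.0.0.100486` in DBotBuildPhishingClassifier.yml pulls from a different registry namespace than the `demisto/ml` it replaces, and the same switch is repeated in the ten other script files this commit touches. The `dev` prefix suggests a pre-release build; if so, merging it would make shipped scripts pull and run an image that has not passed the release path, under a tag that can be re-pushed. Treat the value as a temporary test pointer and restore the released namespace before merge, e.g. `dockerimage: demisto/ml:<released-tag>`. The commit message should also say which build the tag corresponds to.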
diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml index cb3309fb626f..11c4fc374441 100644 --- a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml +++ b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml @@ -86,7 +86,7 @@ script: '-' subtype: python3 timeout: '0' type: python -dockerimage: demisto/ml:1.0.0.98071 +dockerimage: devdemisto/ml:1.0.0.100486 runas: DBotWeakRole runonce: true tests: diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml index 65bfb5ec652b..edffbbb8f189 100644 --- a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml +++ b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml @@ -42,7 +42,7 @@ script: '-' subtype: python3 timeout: '0' type: python -dockerimage: demisto/ml:1.0.0.98071 +dockerimage: devdemisto/ml:1.0.0.100486 runas: DBotWeakRole tests: - DBotFindSimilarIncidentsByIndicators - Test diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml index 2b669cb67afe..58e95ee1bf7a 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml @@ -98,7 +98,7 @@ tags: - phishing timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.98071 +dockerimage: devdemisto/ml:1.0.0.100486 runonce: true tests: - Create Phishing Classifier V2 ML Test diff --git a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml index f80f35272b58..30532cac5dbb 100644 
--- a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml +++ b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml @@ -104,7 +104,7 @@ tags: - ml timeout: 120µs type: python -dockerimage: demisto/ml:1.0.0.98071 +dockerimage: devdemisto/ml:1.0.0.100486 runonce: true tests: - Create Phishing Classifier V2 ML Test diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml index 9fe051e94732..aa5f22a9c5ea 100644 --- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml +++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml @@ -121,7 +121,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: demisto/ml:1.0.0.98071 +dockerimage: devdemisto/ml:1.0.0.100486 runonce: true tests: - Create Phishing Classifier V2 ML Test diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml index 594229138597..fa5103d6812e 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml +++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml @@ -43,7 +43,7 @@ tags: - ml timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.98071 +dockerimage: devdemisto/ml:1.0.0.100486 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml index 876560555f96..44030d60c100 100644 --- a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml +++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml @@ -46,7 +46,7 @@ tags: - ml timeout: '0' type: python -dockerimage: demisto/ml:1.0.0.98071 +dockerimage: devdemisto/ml:1.0.0.100486 fromversion: 5.0.0 tests: - VerifyOOBV2Predictions-Test 
diff --git a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml index fe66c4bae4d8..b0a5f2af97e5 100644 --- a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml +++ b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml @@ -59,7 +59,7 @@ script: '-' subtype: python3 timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.98071 +dockerimage: devdemisto/ml:1.0.0.100486 runonce: true tests: - DbotPredictOufOfTheBoxTestV2 diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml index 89fd7f19d782..ef3147c884e8 100644 --- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml @@ -42,7 +42,7 @@ outputs: script: '-' subtype: python3 type: python -dockerimage: demisto/ml:1.0.0.98071 +dockerimage: devdemisto/ml:1.0.0.100486 runas: DBotWeakRole fromversion: 5.0.0 tags: diff --git a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml index 15b67ba12157..f488d4be429f 100644 --- a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml +++ b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml @@ -32,6 +32,6 @@ scripttarget: 0 subtype: python3 pswd: "" runonce: false -dockerimage: demisto/ml:1.0.0.98071 +dockerimage: devdemisto/ml:1.0.0.100486 runas: DBotWeakRole fromversion: 5.5.0 \ No newline at end of file From 0f5fe634c0c2d1ea5456ae655547866b6135d577 Mon Sep 17 00:00:00 2001 
From: jlevypaloalto Date: Tue, 2 Jul 2024 23:38:58 +0300 Subject: [PATCH 04/39] fix tpb --- ...-Create_Phishing_Classifier_V2_ML_Test.yml | 418 +++++------------- ...playbook-DBotPredictOutOfTheBoxV2-test.yml | 333 +++++++++----- ...Phishing_Classifier_V2_From_File-_Test.yml | 327 +++----------- 3 files changed, 397 insertions(+), 681 deletions(-) diff --git a/Packs/ML/TestPlaybooks/playbook-Create_Phishing_Classifier_V2_ML_Test.yml b/Packs/ML/TestPlaybooks/playbook-Create_Phishing_Classifier_V2_ML_Test.yml index 83250a63c15d..af7ce16950d5 100644 --- a/Packs/ML/TestPlaybooks/playbook-Create_Phishing_Classifier_V2_ML_Test.yml +++ b/Packs/ML/TestPlaybooks/playbook-Create_Phishing_Classifier_V2_ML_Test.yml @@ -1,28 +1,28 @@ -elasticcommonfields: {} id: Create Phishing Classifier V2 ML Test version: -1 name: Create Phishing Classifier V2 ML Test -description: Test CreatePhishingClassifierML playbook +description: Test CreatePhishingClassifierML playbook. starttaskid: "0" tasks: "0": id: "0" - taskid: 4aeda861-fb7f-490a-89ce-397ea2c1fbca + taskid: fbadefab-5b4a-4360-853c-81893d0cb492 type: start task: - id: 4aeda861-fb7f-490a-89ce-397ea2c1fbca + id: fbadefab-5b4a-4360-853c-81893d0cb492 version: -1 name: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - - "30" + - "6" separatecontext: false view: |- { "position": { - "x": 695, + "x": 50, "y": 50 } } @@ -31,12 +31,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "2": id: "2" - taskid: 8bbf2fce-f2f1-49fc-8230-fe5b64b5a3c2 + taskid: 0a894a8b-7b17-4ab4-8f79-643b3191165d type: regular task: - id: 8bbf2fce-f2f1-49fc-8230-fe5b64b5a3c2 + id: 0a894a8b-7b17-4ab4-8f79-643b3191165d version: -1 name: Create incidents scriptName: TestCreateIncidentsForPhishingClassifier @@ -55,8 +58,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 1010 + "x": 50, + "y": 370 } } note: false 
@@ -64,16 +67,18 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "3": id: "3" - taskid: 29dd84d6-efb8-4487-8003-141b98934662 + taskid: baf8693e-4995-47f9-805f-3cbfe79f8ebc type: regular task: - id: 29dd84d6-efb8-4487-8003-141b98934662 + id: baf8693e-4995-47f9-805f-3cbfe79f8ebc version: -1 name: Predict Tag1 - description: Predict text label using a pre-trained machine learning phishing - model, and get the most important words used in the classification decision. + description: Predict text label using a pre-trained machine learning phishing model, and get the most important words used in the classification decision. scriptName: DBotPredictPhishingWords type: regular iscommand: false @@ -83,9 +88,7 @@ tasks: - "15" scriptarguments: emailSubject: - simple: closed church squeamish squeamish moaning closed closed closed church - squeamish squeamish moaning closed closed closed church squeamish squeamish - moaning closed closed + simple: closed church squeamish squeamish moaning closed closed closed church squeamish squeamish moaning closed closed closed church squeamish squeamish moaning closed closed labelProbabilityThreshold: simple: "0" minTextLength: @@ -98,8 +101,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 1535 + "x": 50, + "y": 895 } } note: false @@ -107,23 +110,27 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "5": id: "5" - taskid: f7a44f7e-0b35-4447-8424-b1d49db3235b + taskid: 5a71b8d6-cf64-494d-8889-46f70cc67c13 type: title task: - id: f7a44f7e-0b35-4447-8424-b1d49db3235b + id: 5a71b8d6-cf64-494d-8889-46f70cc67c13 version: -1 name: Done type: title iscommand: false brand: "" + description: '' separatecontext: false view: |- { "position": { - "x": 695, - "y": 2935 + "x": 50, + "y": 2295 } } note: false 
@@ -131,12 +138,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "6": id: "6" - taskid: 179f940e-7313-4fa5-8f5e-ba522c765669 + taskid: 74a08b82-f3e3-40c5-8143-fa5c135e2ce9 type: regular task: - id: 179f940e-7313-4fa5-8f5e-ba522c765669 + id: 74a08b82-f3e3-40c5-8143-fa5c135e2ce9 version: -1 name: Clear context scriptName: DeleteContext @@ -153,8 +163,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 835 + "x": 50, + "y": 195 } } note: false @@ -162,12 +172,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "8": id: "8" - taskid: 2d2c5687-3642-4fec-8a38-e0752ea4d398 + taskid: 88ba54ff-84fd-4c91-8ae8-4f88a4a5cafd type: regular task: - id: 2d2c5687-3642-4fec-8a38-e0752ea4d398 + id: 88ba54ff-84fd-4c91-8ae8-4f88a4a5cafd version: -1 name: clear context scriptName: DeleteContext @@ -184,8 +197,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 1885 + "x": 50, + "y": 1245 } } note: false @@ -193,16 +206,18 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "13": id: "13" - taskid: 5d168b90-65c6-4f98-8759-3a9fcddf28b9 + taskid: 67c5f1a7-4b58-4447-8cee-286f22b9139c type: playbook task: - id: 5d168b90-65c6-4f98-8759-3a9fcddf28b9 + id: 67c5f1a7-4b58-4447-8cee-286f22b9139c version: -1 name: DBot Create Phishing Classifier V2 - description: Create a phishing classifier using machine learning technique, - based on email content + description: Create a phishing classifier using machine learning technique, based on email content playbookName: DBot Create Phishing Classifier V2 type: playbook iscommand: false @@ -244,8 +259,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 1185 + "x": 50, + "y": 545 } } note: false 
@@ -253,12 +268,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "14": id: "14" - taskid: c786f22a-ce44-4021-84f6-1c74a3157049 + taskid: d0388493-758a-496d-8e20-0f4994316318 type: condition task: - id: c786f22a-ce44-4021-84f6-1c74a3157049 + id: d0388493-758a-496d-8e20-0f4994316318 version: -1 name: Model evaluation exist type: condition @@ -279,8 +297,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 1360 + "x": 50, + "y": 720 } } note: false @@ -288,12 +306,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "15": id: "15" - taskid: c607874c-eac1-404d-8c31-620e541c5b7c + taskid: 87fcc375-89be-4f44-8123-9e995379a389 type: condition task: - id: c607874c-eac1-404d-8c31-620e541c5b7c + id: 87fcc375-89be-4f44-8123-9e995379a389 version: -1 name: 'Check the prediction label: Tag1' type: condition @@ -317,8 +338,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 1710 + "x": 50, + "y": 1070 } } note: false @@ -326,12 +347,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "16": id: "16" - taskid: e1de53ff-a890-4c38-863a-3171f8705bc8 + taskid: a4973892-625f-4fcc-8a96-a270795d2751 type: condition task: - id: e1de53ff-a890-4c38-863a-3171f8705bc8 + id: a4973892-625f-4fcc-8a96-a270795d2751 version: -1 name: 'Check the prediction label: Tag2' type: condition @@ -355,8 +379,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 2235 + "x": 50, + "y": 1595 } } note: false 
@@ -364,16 +388,18 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "17": id: "17" - taskid: b783dbbf-bcbf-47be-8a5d-22dcc526df0e + taskid: bc73dcb7-4720-4504-85e0-590b5fe8fe02 type: regular task: - id: b783dbbf-bcbf-47be-8a5d-22dcc526df0e + id: bc73dcb7-4720-4504-85e0-590b5fe8fe02 version: -1 name: Predict Tag2 - description: Predict text label using a pre-trained machine learning phishing - model, and get the most important words used in the classification decision. + description: Predict text label using a pre-trained machine learning phishing model, and get the most important words used in the classification decision. scriptName: DBotPredictPhishingWords type: regular iscommand: false @@ -383,9 +409,7 @@ tasks: - "16" scriptarguments: emailSubject: - simple: ntidy boy substance faulty waves type boat argument ntidy boy substance - faulty waves type boat argument ntidy boy substance faulty waves type boat - argument + simple: ntidy boy substance faulty waves type boat argument ntidy boy substance faulty waves type boat argument ntidy boy substance faulty waves type boat argument labelProbabilityThreshold: simple: "0" minTextLength: @@ -398,8 +422,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 2060 + "x": 50, + "y": 1420 } } note: false 
@@ -407,16 +431,18 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "18": id: "18" - taskid: cb137c7c-1ba3-4fea-8356-f4ecd3bf6193 + taskid: 3573406e-2b81-4d40-8661-2680791e46f8 type: regular task: - id: cb137c7c-1ba3-4fea-8356-f4ecd3bf6193 + id: 3573406e-2b81-4d40-8661-2680791e46f8 version: -1 name: Predict Tag3 - description: Predict text label using a pre-trained machine learning phishing - model, and get the most important words used in the classification decision. + description: Predict text label using a pre-trained machine learning phishing model, and get the most important words used in the classification decision. scriptName: DBotPredictPhishingWords type: regular iscommand: false @@ -426,9 +452,7 @@ tasks: - "20" scriptarguments: emailSubject: - simple: suspend trucks aboriginal thread succeed gray last fall fall suspend - trucks aboriginal thread succeed gray last fall fall suspend trucks aboriginal - thread succeed gray last fall fall + simple: suspend trucks aboriginal thread succeed gray last fall fall suspend trucks aboriginal thread succeed gray last fall fall suspend trucks aboriginal thread succeed gray last fall fall labelProbabilityThreshold: simple: "0" minTextLength: @@ -441,8 +465,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 2585 + "x": 50, + "y": 1945 } } note: false @@ -450,12 +474,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "19": id: "19" - taskid: ed783755-907d-4097-8974-96034ab3b233 + taskid: d462dd42-6b56-49bf-8428-ae96e1f1be16 type: regular task: - id: ed783755-907d-4097-8974-96034ab3b233 + id: d462dd42-6b56-49bf-8428-ae96e1f1be16 version: -1 name: clear context scriptName: DeleteContext @@ -472,8 +499,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 2410 + "x": 50, + "y": 1770 } } note: false 
@@ -481,12 +508,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "20": id: "20" - taskid: 0e035d46-6829-41af-830c-6dfc7353dde1 + taskid: 5cf7405e-c4c2-40a0-8e63-1913319a70f3 type: condition task: - id: 0e035d46-6829-41af-830c-6dfc7353dde1 + id: 5cf7405e-c4c2-40a0-8e63-1913319a70f3 version: -1 name: 'Check the prediction label: Tag3' type: condition 
@@ -507,241 +537,11 @@ tasks: right: value: simple: Tag3 - view: |- - { - "position": { - "x": 695, - "y": 2760 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - - "24": - id: "24" - taskid: 69c9af85-903f-4d2a-8540-fd48adb0c89b - type: regular - task: - id: 69c9af85-903f-4d2a-8540-fd48adb0c89b - version: -1 - name: Load prediction docker - description: Predict text label using a pre-trained machine learning phishing - model, and get the most important words used in the classification decision. - scriptName: DBotPredictPhishingWords - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "28" - scriptarguments: - modelName: - simple: dummy - continueonerror: true - separatecontext: false view: |- { "position": { "x": 50, - "y": 340 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - - "25": - id: "25" - taskid: ebf1c9ed-92a7-4633-8b37-42fb8570269f - type: regular - task: - id: ebf1c9ed-92a7-4633-8b37-42fb8570269f - version: -1 - name: Load evaluation docker - description: Finds a threshold for ML model, and performs an evaluation based - on it - scriptName: GetMLModelEvaluation - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "28" - scriptarguments: - yPred: - simple: dummy - yTrue: - simple: dummy - continueonerror: true - separatecontext: false - view: |- - { - "position": { - "x": 480, - "y": 340 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "26": - id: "26" - taskid: bb61e790-fd72-49e8-842b-98933451305c - type: regular - task: - id: bb61e790-fd72-49e8-842b-98933451305c - version: -1 - name: Load training docker - description: Train a machine learning text classifier. 
- scriptName: DBotTrainTextClassifierV2 - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "28" - scriptarguments: - input: - simple: dummy_input - tagField: - simple: dummy - continueonerror: true - separatecontext: false - view: |- - { - "position": { - "x": 910, - "y": 340 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - - "27": - id: "27" - taskid: 8e33ab3c-0c36-494a-8b2d-02a838b437a8 - type: regular - task: - id: 8e33ab3c-0c36-494a-8b2d-02a838b437a8 - version: -1 - name: Load Preprocessing Docker - description: Pre-process text data for the machine learning text classifier. - scriptName: DBotPreProcessTextData - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "28" - scriptarguments: - input: - simple: dummy input - continueonerror: true - separatecontext: false - view: |- - { - "position": { - "x": 1340, - "y": 340 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "28": - id: "28" - taskid: 285056a4-c36d-4fe3-836a-0635bbcb2902 - type: regular - task: - id: 285056a4-c36d-4fe3-836a-0635bbcb2902 - version: -1 - name: Wait for docker download - description: Sleep for X seconds - scriptName: Sleep - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "29" - scriptarguments: - seconds: - simple: "10" - separatecontext: false - view: |- - { - "position": { - "x": 695, - "y": 515 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "29": - id: "29" - taskid: 36d855bc-d9a5-47f7-8f3e-5b72ab8fe194 - type: title - task: - id: 36d855bc-d9a5-47f7-8f3e-5b72ab8fe194 - version: -1 - name: Begin tests - type: title - iscommand: false - brand: "" - nexttasks: - '#none#': - - "6" - separatecontext: false - view: |- - { - "position": { - "x": 695, - "y": 690 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false 
- quietmode: 0 - "30": - id: "30" - taskid: 26c99254-1dd9-4faa-8c80-0762360a7221 - type: title - task: - id: 26c99254-1dd9-4faa-8c80-0762360a7221 - version: -1 - name: Load all dockers - type: title - iscommand: false - brand: "" - nexttasks: - '#none#': - - "27" - - "26" - - "25" - - "24" - separatecontext: false - view: |- - { - "position": { - "x": 695, - "y": 195 + "y": 2120 } } note: false @@ -749,13 +549,17 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 2950, - "width": 1670, + "height": 2310, + "width": 380, "x": 50, "y": 50 } @@ -763,4 +567,4 @@ view: |- } inputs: [] outputs: [] -fromversion: 6.1.0 \ No newline at end of file +fromversion: 6.1.0 diff --git a/Packs/ML/TestPlaybooks/playbook-DBotPredictOutOfTheBoxV2-test.yml b/Packs/ML/TestPlaybooks/playbook-DBotPredictOutOfTheBoxV2-test.yml index db43403fbdb5..1e133dce27be 100644 --- a/Packs/ML/TestPlaybooks/playbook-DBotPredictOutOfTheBoxV2-test.yml +++ b/Packs/ML/TestPlaybooks/playbook-DBotPredictOutOfTheBoxV2-test.yml @@ -5,14 +5,15 @@ starttaskid: "0" tasks: "0": id: "0" - taskid: b25fa8d2-98fa-4dc6-845c-99809370cfd4 + taskid: 861b09ed-933f-4295-8ef1-1d804f3bd783 type: start task: - id: b25fa8d2-98fa-4dc6-845c-99809370cfd4 + id: 861b09ed-933f-4295-8ef1-1d804f3bd783 version: -1 name: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - "1" @@ -20,7 +21,7 @@ tasks: view: |- { "position": { - "x": 265, + "x": 50, "y": 50 } } 
@@ -29,12 +30,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "1": id: "1" - taskid: 8d59f33e-507c-4223-8480-c8bf26b7dac6 + taskid: 82ddcae4-60d6-4ce6-8279-0c2cec7b435e type: regular task: - id: 8d59f33e-507c-4223-8480-c8bf26b7dac6 + id: 82ddcae4-60d6-4ce6-8279-0c2cec7b435e version: -1 name: Clear Context description: Delete field from context @@ -44,20 +48,15 @@ tasks: brand: "" nexttasks: '#none#': - - "5" - - "7" + - "2" scriptarguments: all: simple: "yes" - index: {} - key: {} - keysToKeep: {} - subplaybook: {} separatecontext: false view: |- { "position": { - "x": 265, + "x": 50, "y": 195 } } @@ -66,12 +65,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "2": id: "2" - taskid: 242f4b80-ec3c-4bee-80dd-d835ff633640 + taskid: 7bca2804-4463-46c3-884a-457baf90d247 type: regular task: - id: 242f4b80-ec3c-4bee-80dd-d835ff633640 + id: 7bca2804-4463-46c3-884a-457baf90d247 version: -1 name: Predict Using Out Of The Box Model scriptName: DBotPredictOutOfTheBoxV2 
@@ -86,25 +88,14 @@ tasks: simple: "0.5" emailBody: simple: 'Re: PO# OP848784204' - emailBodyHTML: {} emailSubject: - simple: 'Dear office, Kindly find attached our new order (Po# OP848784204) - and the attached letter for the bank payment. Please sign, stamp and resend. Kindly - ship our order by using the service DHL EXPRESS WORLDWIDE. Our DHL account - number is: 950389383 Thanks Best Regards, Cristina Cadano Marketing - Officer - Procurement Officer Marketing@trustm.tv Tel. +974 4431 3336 Fax - +974 4435 3336 P.O. Box 10536 Doha,' - labelProbabilityThreshold: {} - minTextLength: {} - returnError: {} - topWordsLimit: {} - wordThreshold: {} + simple: 'Dear office, Kindly find attached our new order (Po# OP848784204) and the attached letter for the bank payment. Please sign, stamp and resend. Kindly ship our order by using the service DHL EXPRESS WORLDWIDE. Our DHL account number is: 950389383 Thanks Best Regards, Cristina Cadano Marketing Officer - Procurement Officer Marketing@trustm.tv Tel. +974 4431 3336 Fax +974 4435 3336 P.O. Box 10536 Doha,' separatecontext: false view: |- { "position": { - "x": 265, - "y": 720 + "x": 50, + "y": 370 } } note: false @@ -112,12 +103,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "3": id: "3" - taskid: 12333aa3-0590-49b2-866e-8c2b7b7b899a + taskid: f0db71aa-e449-4a5a-8e4f-f45b9725eb3c type: condition task: - id: 12333aa3-0590-49b2-866e-8c2b7b7b899a + id: f0db71aa-e449-4a5a-8e4f-f45b9725eb3c version: -1 name: Check Prediction type: condition @@ -125,7 +119,7 @@ tasks: brand: "" nexttasks: "YES": - - "4" + - "7" separatecontext: false conditions: - label: "YES" 
@@ -138,19 +132,27 @@ tasks: right: value: simple: Malicious - - - operator: greaterThan + - - operator: isEqualNumber left: value: - simple: DBotPredictPhishingWords.Probability + complex: + root: DBotPredictPhishingWords + accessor: Probability + transformers: + - operator: precision + args: + by: + value: + simple: "2" iscontext: true right: value: - simple: "0.5" + simple: "0.68" view: |- { "position": { - "x": 265, - "y": 895 + "x": 50, + "y": 545 } } note: false @@ -158,23 +160,27 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "4": id: "4" - taskid: a2a470aa-9a87-4fa2-804d-de19d4d0b285 + taskid: 5183b8ff-ca1f-48a9-8bb7-b14c5681fa39 type: title task: - id: a2a470aa-9a87-4fa2-804d-de19d4d0b285 + id: 5183b8ff-ca1f-48a9-8bb7-b14c5681fa39 version: -1 name: Done type: title iscommand: false brand: "" + description: '' separatecontext: false view: |- { "position": { - "x": 265, - "y": 1070 + "x": 50, + "y": 1770 } } note: false 
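Review bot: The second condition of task "3" now passes only when the probability, rounded to two decimals by the `precision` transformer, is exactly `"0.68"`, where the old check was `greaterThan` `"0.5"`. That ties the test to one specific model and image build, so a retrain or a dependency bump in the ml image that moves the second decimal will fail the playbook even though the `Malicious` label is still correct. If the pin is meant as drift detection for docker updates, say so in the task, for example `description: Pins the rounded score to detect model drift after an image update`; otherwise keep `operator: greaterThan` with a lower bound. The same pattern is added for tasks "14" (`"0.60"`) and "15" (`"0.95"`) in the later hunk, and none of the three has a branch other than "YES", so what happens on a mismatch is not visible here.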
@@ -182,40 +188,38 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "5": id: "5" - taskid: 45bfa561-25d8-4438-8780-de8166abd545 + taskid: 77722f64-31d6-4da4-87b2-9b876ab1eb3f type: regular task: - id: 45bfa561-25d8-4438-8780-de8166abd545 + id: 77722f64-31d6-4da4-87b2-9b876ab1eb3f version: -1 - name: Load Automation's Docker - description: Predict phishing incidents using the out-of-the-box pretrained - model. + name: Predict Using Out Of The Box Model - Not Malicious + description: Predict phishing incidents using the out-of-the-box pre-trained model. scriptName: DBotPredictOutOfTheBoxV2 type: regular iscommand: false brand: "" nexttasks: '#none#': - - "6" + - "14" scriptarguments: - emailBody: - simple: test - emailBodyHTML: {} - emailSubject: {} - labelProbabilityThreshold: {} - minTextLength: {} - returnError: {} - topWordsLimit: {} - wordThreshold: {} - continueonerror: true + emailBodyHTML: + simple: "Hi testbox@demistodev.onmicrosoft.com,
We've received your email and are investigating.
Do not touch the email until further notice.

Cordially,
Your friendly neighborhood security team\"\"" + emailSubject: + simple: 'Re: Phishing Investigation - Message from Cortex XSOAR Security Operations Server' + confidenceThreshold: + simple: "0.5" separatecontext: false view: |- { "position": { "x": 50, - "y": 370 + "y": 895 } } note: false @@ -223,31 +227,34 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - "6": - id: "6" - taskid: 784d63be-adc2-4c91-8c80-6cb5ba991e1e + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 6140b6eb-2472-4dc0-81b9-b0c222947802 type: regular task: - id: 784d63be-adc2-4c91-8c80-6cb5ba991e1e + id: 6140b6eb-2472-4dc0-81b9-b0c222947802 version: -1 - name: Wait for automation - description: Sleep for X seconds - scriptName: Sleep + name: Clear Context + description: Delete field from context + scriptName: DeleteContext type: regular iscommand: false brand: "" nexttasks: '#none#': - - "2" + - "5" scriptarguments: - seconds: - simple: "60" + all: + simple: "yes" separatecontext: false view: |- { "position": { "x": 50, - "y": 545 + "y": 720 } } note: false 
@@ -255,40 +262,34 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - "7": - id: "7" - taskid: 309a9ea9-16a6-4529-83cb-ac798529290b + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 306b2d8c-734a-4cb2-87c1-2909d1fb3a7f type: regular task: - id: 309a9ea9-16a6-4529-83cb-ac798529290b + id: 306b2d8c-734a-4cb2-87c1-2909d1fb3a7f version: -1 - name: Load Automation's Docker - description: Predict phishing incidents using the out-of-the-box pretrained - model. - scriptName: DBotPredictOutOfTheBoxV2 + name: Clear Context + description: Delete field from context + scriptName: DeleteContext type: regular iscommand: false brand: "" nexttasks: '#none#': - - "8" + - "9" scriptarguments: - emailBody: - simple: test - emailBodyHTML: {} - emailSubject: {} - labelProbabilityThreshold: {} - minTextLength: {} - returnError: {} - topWordsLimit: {} - wordThreshold: {} - continueonerror: true + all: + simple: "yes" separatecontext: false view: |- { "position": { - "x": 480, - "y": 370 + "x": 50, + "y": 1245 } } note: false @@ -296,31 +297,152 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - "8": - id: "8" - taskid: ef6ce480-7598-4dfe-85fe-c74104790bdb + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: d36fbfea-a8d8-472f-8614-a56c73f2950c type: regular task: - id: ef6ce480-7598-4dfe-85fe-c74104790bdb + id: d36fbfea-a8d8-472f-8614-a56c73f2950c version: -1 - name: Wait for automation - description: Sleep for X seconds - scriptName: Sleep + name: Predict Using Out Of The Box Model + scriptName: DBotPredictOutOfTheBoxV2 type: regular iscommand: false brand: "" nexttasks: '#none#': - - "2" + - "15" scriptarguments: - seconds: - simple: "60" + confidenceThreshold: + simple: "0.5" + emailBodyHTML: + simple: "\n\n\n\nUntitled Document\n\n\n\n\n\t\n\t\t\n\t\t\t\n\t\t\n\t\n
\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

Delivery Notification

\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t

Order: SGH-9226-99950127
\n\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t\t

Dear Customer,

\n\t\t\t\t\t\t\t\t

Your parcel has arrived at the post office. Our courier attempted but was unable to deliver the parcel to you.

\n\t\t\t\t\t\t\t\t

To receive your parcel, please go to the nearest office and show this receipt.

\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t

GET AND PRINT RECEIPT\n

\n\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t\t

Thank you

\n\t\t\t\t\t\t\t
\n\t\t\t
\n\"\"\n\"\"\n\n
\n\n" + emailSubject: + simple: Package Undeliverable separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 480, - "y": 545 + "x": 50, + "y": 1420 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: f871509d-b1c4-41ce-828c-0659b033b9b1 + type: condition + task: + id: f871509d-b1c4-41ce-828c-0659b033b9b1 + version: -1 + name: Check Prediction + type: condition + iscommand: false + brand: "" + nexttasks: + "YES": + - "8" + separatecontext: false + conditions: + - label: "YES" + condition: + - - operator: isEqualString + left: + value: + simple: DBotPredictPhishingWords.Label + iscontext: true + right: + value: + simple: Non-Malicious + - - operator: isEqualNumber + left: + value: + complex: + root: DBotPredictPhishingWords + accessor: Probability + transformers: + - operator: precision + args: + by: + value: + simple: "2" + iscontext: true + right: + value: + simple: "0.60" + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 1070 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: e1ba8eba-a7e3-43e8-8a8a-031a51f1b99f + type: condition + task: + id: e1ba8eba-a7e3-43e8-8a8a-031a51f1b99f + version: -1 + name: Check Prediction + type: condition + iscommand: false + brand: "" + nexttasks: + "YES": + - "4" + separatecontext: false + conditions: + - label: "YES" + condition: + - - operator: isEqualString + left: + value: + simple: DBotPredictPhishingWords.Label + iscontext: true + right: + value: + simple: Malicious + - - operator: isEqualNumber + left: + value: + complex: + root: DBotPredictPhishingWords + accessor: Probability + transformers: + - operator: precision + args: + by: + value: + simple: "2" + iscontext: true + right: + value: + simple: "0.95" + 
continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 1595 } } note: false @@ -328,13 +450,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 1085, - "width": 810, + "height": 1785, + "width": 380, "x": 50, "y": 50 } @@ -342,4 +466,5 @@ view: |- } inputs: [] outputs: [] -fromversion: 5.5.0 \ No newline at end of file +fromversion: 5.5.0 +description: '' diff --git a/Packs/ML/TestPlaybooks/playbook-DBot_Create_Phishing_Classifier_V2_From_File-_Test.yml b/Packs/ML/TestPlaybooks/playbook-DBot_Create_Phishing_Classifier_V2_From_File-_Test.yml index c955a614d03f..9e6b3e43c172 100644 --- a/Packs/ML/TestPlaybooks/playbook-DBot_Create_Phishing_Classifier_V2_From_File-_Test.yml +++ b/Packs/ML/TestPlaybooks/playbook-DBot_Create_Phishing_Classifier_V2_From_File-_Test.yml @@ -5,22 +5,23 @@ starttaskid: "0" tasks: "0": id: "0" - taskid: e43d8441-51e2-4201-87ba-a15423de05ec + taskid: 8210b4a0-dd4b-4b24-8893-ab9f3e5d21ad type: start task: - id: e43d8441-51e2-4201-87ba-a15423de05ec + id: 8210b4a0-dd4b-4b24-8893-ab9f3e5d21ad version: -1 name: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - - "17" + - "6" separatecontext: false view: |- { "position": { - "x": 695, + "x": 50, "y": 50 } } @@ -29,12 +30,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "1": id: "1" - taskid: 6512432c-e980-41da-8a85-e318d7bbffbe + taskid: 622b1351-3b36-41a8-8617-e8c123c7ce02 type: regular task: - id: 6512432c-e980-41da-8a85-e318d7bbffbe + id: 622b1351-3b36-41a8-8617-e8c123c7ce02 version: -1 name: Create Incidents File script: TestCreateIncidentsFile @@ -51,8 +55,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 1010 + "x": 50, + "y": 370 } } note: false 
@@ -60,16 +64,18 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "3": id: "3" - taskid: ae7d8277-e9b2-4c71-8c5d-70979e7f4267 + taskid: 1aa209a9-3d42-4680-8ecf-10d050b9ba6e type: regular task: - id: ae7d8277-e9b2-4c71-8c5d-70979e7f4267 + id: 1aa209a9-3d42-4680-8ecf-10d050b9ba6e version: -1 name: Predict Sentence - description: Predict text label using a pre-trained machine learning phishing - model, and get the most important words used in the classification decision. + description: Predict text label using a pre-trained machine learning phishing model, and get the most important words used in the classification decision. scriptName: DBotPredictPhishingWords type: regular iscommand: false @@ -80,25 +86,18 @@ tasks: scriptarguments: emailBody: simple: this message is spam. this message is spam - emailBodyHTML: {} - emailSubject: {} - hashSeed: {} labelProbabilityThreshold: simple: "0" minTextLength: simple: "0" modelName: simple: ${DBotPhishingClassifier.ModelName} - modelStoreType: {} - returnError: {} - topWordsLimit: {} - wordThreshold: {} separatecontext: false view: |- { "position": { - "x": 695, - "y": 1360 + "x": 50, + "y": 720 } } note: false @@ -106,12 +105,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "4": id: "4" - taskid: e03072b6-e44e-40bd-8389-68c36bb5b435 + taskid: 067671f5-b98d-4e1e-8e6e-fa4c43ff7de0 type: condition task: - id: e03072b6-e44e-40bd-8389-68c36bb5b435 + id: 067671f5-b98d-4e1e-8e6e-fa4c43ff7de0 version: -1 name: Check Prediction type: condition @@ -143,8 +145,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 1535 + "x": 50, + "y": 895 } } note: false 
@@ -152,23 +154,27 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "5": id: "5" - taskid: 2f277472-af83-495c-89d3-44f1585258e2 + taskid: 7f39c142-9139-4e4f-880a-5ac03f42f5f9 type: title task: - id: 2f277472-af83-495c-89d3-44f1585258e2 + id: 7f39c142-9139-4e4f-880a-5ac03f42f5f9 version: -1 name: Done type: title iscommand: false brand: "" + description: '' separatecontext: false view: |- { "position": { - "x": 695, - "y": 1710 + "x": 50, + "y": 1070 } } note: false @@ -176,12 +182,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "6": id: "6" - taskid: 06ebace9-f13b-4e78-88d9-e799beb78b91 + taskid: 47ebe0a5-32d3-404e-851a-99aa212e76ef type: regular task: - id: 06ebace9-f13b-4e78-88d9-e799beb78b91 + id: 47ebe0a5-32d3-404e-851a-99aa212e76ef version: -1 name: Clean Context description: Delete field from context @@ -199,8 +208,8 @@ tasks: view: |- { "position": { - "x": 695, - "y": 835 + "x": 50, + "y": 195 } } note: false @@ -208,16 +217,18 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "7": id: "7" - taskid: b7804202-3267-454e-8855-6105c41c15f7 + taskid: 76e221f8-85d5-4107-816b-b86cb93a5e7b type: playbook task: - id: b7804202-3267-454e-8855-6105c41c15f7 + id: 76e221f8-85d5-4107-816b-b86cb93a5e7b version: -1 name: DBot Create Phishing Classifier V2 From File - description: Create a phishing classifier using machine learning. The classifier - is based on incidents files extracted from email content. + description: Create a phishing classifier using machine learning. The classifier is based on incidents files extracted from email content. playbookName: DBot Create Phishing Classifier V2 From File type: playbook iscommand: false 
@@ -235,8 +246,7 @@ tasks: emailTextKey: simple: Email Body|Email Body HTML|details fileID: - simple: '${.=(val.File instanceof Array ? val.File[val.File.length-1].EntryID - : val.File.EntryID)}' + simple: '${.=(val.File instanceof Array ? val.File[val.File.length-1].EntryID : val.File.EntryID)}' incidentTypes: simple: Phishing inputFormat: 
@@ -261,238 +271,11 @@ tasks: exitCondition: "" wait: 1 max: 0 - view: |- - { - "position": { - "x": 695, - "y": 1185 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "11": - id: "11" - taskid: 7ef4beea-9151-425e-8bce-53eb0e993f50 - type: regular - task: - id: 7ef4beea-9151-425e-8bce-53eb0e993f50 - version: -1 - name: Load prediction docker - description: Predict text label using a pre-trained machine learning phishing - model, and get the most important words used in the classification decision. - scriptName: DBotPredictPhishingWords - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "15" - scriptarguments: - modelName: - simple: dummy - continueonerror: true - separatecontext: false view: |- { "position": { "x": 50, - "y": 340 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "12": - id: "12" - taskid: cd9a8a22-a47d-4c3c-83df-592577755ece - type: regular - task: - id: cd9a8a22-a47d-4c3c-83df-592577755ece - version: -1 - name: Load evaluation docker - description: Finds a threshold for ML model, and performs an evaluation based - on it - scriptName: GetMLModelEvaluation - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "15" - scriptarguments: - yPred: - simple: dummy - yTrue: - simple: dummy - continueonerror: true - separatecontext: false - view: |- - { - "position": { - "x": 480, - "y": 340 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "13": - id: "13" - taskid: 5f0baead-ae59-4311-8f28-50effdfd7c1b - type: regular - task: - id: 5f0baead-ae59-4311-8f28-50effdfd7c1b - version: -1 - name: Load training docker - description: Train a machine learning text classifier. 
- scriptName: DBotTrainTextClassifierV2 - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "15" - scriptarguments: - input: - simple: dummy_input - tagField: - simple: dummy - continueonerror: true - separatecontext: false - view: |- - { - "position": { - "x": 910, - "y": 340 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "14": - id: "14" - taskid: ba870761-cad7-444e-85ca-d6ca9f505f36 - type: regular - task: - id: ba870761-cad7-444e-85ca-d6ca9f505f36 - version: -1 - name: Load Preprocessing Docker - description: Pre-process text data for the machine learning text classifier. - scriptName: DBotPreProcessTextData - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "15" - scriptarguments: - input: - simple: dummy input - continueonerror: true - separatecontext: false - view: |- - { - "position": { - "x": 1340, - "y": 340 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "15": - id: "15" - taskid: 7974be6e-6e04-4da2-8e8c-6131f6d586b5 - type: regular - task: - id: 7974be6e-6e04-4da2-8e8c-6131f6d586b5 - version: -1 - name: Wait for docker download - description: Sleep for X seconds - scriptName: Sleep - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "16" - scriptarguments: - seconds: - simple: "10" - separatecontext: false - view: |- - { - "position": { - "x": 695, - "y": 515 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "16": - id: "16" - taskid: 6d0b0b2e-851a-4f79-8371-56199707908e - type: title - task: - id: 6d0b0b2e-851a-4f79-8371-56199707908e - version: -1 - name: Begin tests - type: title - iscommand: false - brand: "" - nexttasks: - '#none#': - - "6" - separatecontext: false - view: |- - { - "position": { - "x": 695, - "y": 690 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - 
quietmode: 0 - "17": - id: "17" - taskid: 07f113b4-ad97-4426-8bb9-47f7cefe0187 - type: title - task: - id: 07f113b4-ad97-4426-8bb9-47f7cefe0187 - version: -1 - name: Load all dockers - type: title - iscommand: false - brand: "" - nexttasks: - '#none#': - - "14" - - "13" - - "12" - - "11" - separatecontext: false - view: |- - { - "position": { - "x": 695, - "y": 195 + "y": 545 } } note: false @@ -500,13 +283,16 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 1725, - "width": 1670, + "height": 1085, + "width": 380, "x": 50, "y": 50 } @@ -514,4 +300,5 @@ view: |- } inputs: [] outputs: [] -fromversion: 6.1.0 \ No newline at end of file +fromversion: 6.1.0 +description: '' From 103ce3db209b18a3545fb559d2523aa53a584ec2 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Wed, 3 Jul 2024 14:03:20 +0300 Subject: [PATCH 05/39] return on no incidents --- .../GetMLModelEvaluation.py | 38 ++++++---- .../GetMLModelEvaluation.yml | 4 +- .../Scripts/GetMLModelEvaluation/README.md | 4 +- .../EvaluateMLModllAtProduction.py | 73 ++++++++++--------- 4 files changed, 64 insertions(+), 55 deletions(-) diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.py b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.py index 31713f61858e..67b2d5561fb5 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.py +++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.py 
@@ -193,9 +193,8 @@ def merge_entries(entry, per_class_entry): return entry -def find_threshold(y_true_str, y_pred_str, customer_target_precision, target_recall, detailed_output=True): - y_true = convert_str_to_json(y_true_str, 'yTrue') - y_pred_all_classes = convert_str_to_json(y_pred_str, 'yPred') +def find_threshold(y_true, y_pred, customer_target_precision, target_recall, detailed_output=True): + labels = sorted(set(y_true + list(y_pred_all_classes[0].keys()))) n_instances = len(y_true) y_true_per_class = {class_: np.zeros(n_instances) for class_ in labels} 
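Review bot: The parameter of `find_threshold` is renamed to `y_pred`, but the unchanged first body line still reads `y_pred_all_classes[0].keys()`, so in this commit the call would raise a NameError unless a module-level name of that kind exists, which is not visible. Either keep the parameter as `y_pred_all_classes` or update the body references, and keep the keyword in `main()` (`y_pred=y_pred_all_classes`) in step with whichever name is chosen. A later patch in this series appears to rename the parameter back; squashing the two would keep every commit runnable for bisecting. The rest of the function body lies outside the hunk.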
@@ -325,18 +324,27 @@ def convert_str_to_json(str_json, var_name): def main(): - y_pred_all_classes = demisto.args()["yPred"] - y_true = demisto.args()["yTrue"] - target_precision = calculate_and_validate_float_parameter("targetPrecision") - target_recall = calculate_and_validate_float_parameter("targetRecall") - detailed_output = 'detailedOutput' in demisto.args() and demisto.args()['detailedOutput'] == 'true' - entries = find_threshold(y_true_str=y_true, - y_pred_str=y_pred_all_classes, - customer_target_precision=target_precision, - target_recall=target_recall, - detailed_output=detailed_output) - - demisto.results(entries) + try: + y_pred_all_classes = demisto.args()["yPred"] + y_true = demisto.args()["yTrue"] + target_precision = calculate_and_validate_float_parameter("targetPrecision") + target_recall = calculate_and_validate_float_parameter("targetRecall") + detailed_output = 'detailedOutput' in demisto.args() and demisto.args()['detailedOutput'] == 'true' + y_true = convert_str_to_json(y_true, 'yTrue') + y_pred_all_classes = convert_str_to_json(y_pred_all_classes, 'yPred') + + if not (y_true and y_pred_all_classes): + raise DemistoException('Either "yPred" or "yTrue" are empty.') + else: + entries = find_threshold(y_true=y_true, + y_pred=y_pred_all_classes, + customer_target_precision=target_precision, + target_recall=target_recall, + detailed_output=detailed_output) + + demisto.results(entries) + except Exception as e: + return_error(f'Error in GetMLModelEvaluation:\n{e}') def calculate_and_validate_float_parameter(var_name): diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml index fa5103d6812e..f22786845767 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml +++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml 
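Review bot: The new guard in `main()` rejects empty `yTrue`/`yPred` but lets lists of different lengths through, while `find_threshold` takes `n_instances` from `len(y_true)` alone. Both values are script arguments, so a mismatch should be reported as an input error rather than left to surface as an index error or a skewed evaluation further down (how the body indexes the predictions is outside the visible hunks). Suggested addition after the emptiness check: `if len(y_true) != len(y_pred_all_classes): raise DemistoException('"yTrue" and "yPred" must have the same length.')`. As a style point, the `else:` after the `raise` is redundant and the `find_threshold` call can be dedented.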
@@ -15,7 +15,7 @@ args: isArray: true name: targetRecall - defaultValue: 'true' - description: if set to 'true', the output will include a full exaplanation of the confidence threshold meaning. + description: if set to 'true', the output will include a full explanation of the confidence threshold meaning. isArray: true name: detailedOutput predefined: @@ -32,7 +32,7 @@ outputs: description: The found thresholds which meets the conditions of precision and recall. type: String - contextPath: GetMLModelEvaluation.ConfusionMatrixAtThreshold - description: The model evaluation confusion matrix for mails above the threhsold. + description: The model evaluation confusion matrix for mails above the threshold. type: Unknown - contextPath: GetMLModelEvaluation.Metrics description: Metrics per each class (includes precision, true positive, coverage, etc.) diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/README.md b/Packs/Base/Scripts/GetMLModelEvaluation/README.md index 13cc64e0b779..2a1938a4b2bc 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/README.md +++ b/Packs/Base/Scripts/GetMLModelEvaluation/README.md @@ -18,7 +18,7 @@ Finds a threshold for ML model, and performs an evaluation based on it | yPred | A list of dictionaries contain probability predictions for all classes | | targetPrecision | minimum precision of all classes, ranges 0-1 | | targetRecall | minimum recall of all classes, ranges 0-1 | -| detailedOutput | if set to 'true', the output will include a full exaplanation of the confidence threshold meaning | +| detailedOutput | if set to 'true', the output will include a full explanation of the confidence threshold meaning | ## Outputs --- 
@@ -26,5 +26,5 @@ Finds a threshold for ML model, and performs an evaluation based on it | **Path** | **Description** | **Type** | | --- | --- | --- | | GetMLModelEvaluation.Threshold | The found thresholds which meets the conditions of precision and recall | String | -| GetMLModelEvaluation.ConfusionMatrixAtThreshold | The model evaluation confusion matrix for mails above the threhsold. | Unknown | +| GetMLModelEvaluation.ConfusionMatrixAtThreshold | The model evaluation confusion matrix for mails above the threshold. | Unknown | | GetMLModelEvaluation.Metrics | Metrics per each class \(includes precision, true positive, coverage, etc.\) | Unknown | diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.py b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.py index 27292ab3b254..258c7e09e92a 100644 --- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.py +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.py 
@@ -106,42 +106,43 @@ def main(incident_types, incident_query, y_true_field, y_pred_field, y_pred_prob incidents_query_res = demisto.executeCommand('GetIncidentsByQuery', incidents_query_args) if is_error(incidents_query_res): return_error(get_error(incidents_query_res)) - incidents = json.loads(incidents_query_res[-1]['Contents']) - demisto.results('Found {} incidents'.format(len(incidents))) - y_true = [] - y_pred = [] - y_pred_prob = [] - incidents_with_missing_pred_prob = 0 - for i in incidents: - y_true.append(i[y_true_field]) - y_pred.append(i[y_pred_field]) - if y_pred_prob_field not in i: - incidents_with_missing_pred_prob += 1 - y_pred_prob.append(i.get(y_pred_prob_field, None)) - y_true, relevant_indices = get_data_with_mapped_label(y_true, labels_mapping) - y_pred = [y_pred[i] for i in relevant_indices] - y_pred_prob = [y_pred_prob[i] for i in relevant_indices] - incidents = [incidents[i] for i in relevant_indices] - y_pred_prob_is_given = incidents_with_missing_pred_prob == 0 - if y_pred_prob_is_given: - y_pred_dict = [{label: prob} for label, prob in zip(y_pred, y_pred_prob)] - else: - y_pred_dict = [{label: 1.0} for label in y_pred] - if y_pred_prob_is_given: - res_threshold = get_ml_model_evaluation(y_true, y_pred_dict, model_target_accuracy, target_recall=0, - detailed=True) - # show results for the threshold found - last result so it will appear first - output_model_evaluation(y_test=y_true, y_pred=y_pred_dict, res=res_threshold, - context_field='EvaluateMLModllAtProduction') - # show results if no threshold (threhsold=0) was used. 
Following code is reached only if a legal thresh was found: - if not y_pred_prob_is_given or not np.isclose(float(res_threshold[0]['Contents']['threshold']), 0): - res = get_ml_model_evaluation(y_true, y_pred_dict, target_accuracy=0, target_recall=0) - human_readable = '\n'.join(['## Results for No Threshold', - 'The following results were achieved by using no threshold (threshold equals 0)']) - output_model_evaluation(y_test=y_true, y_pred=y_pred_dict, res=res, - context_field='EvaluateMLModllAtProductionNoThresh', - human_readable_title=human_readable) - return_file_result_with_predictions_on_test_set(incidents, y_true, y_pred, y_pred_prob, additional_fields) + incidents = json.loads(incidents_query_res[0]['Contents']) + demisto.results(f'Found {len(incidents)} incidents') + if incidents: + y_true = [] + y_pred = [] + y_pred_prob = [] + incidents_with_missing_pred_prob = 0 + for i in incidents: + y_true.append(i[y_true_field]) + y_pred.append(i[y_pred_field]) + if y_pred_prob_field not in i: + incidents_with_missing_pred_prob += 1 + y_pred_prob.append(i.get(y_pred_prob_field, None)) + y_true, relevant_indices = get_data_with_mapped_label(y_true, labels_mapping) + y_pred = [y_pred[i] for i in relevant_indices] + y_pred_prob = [y_pred_prob[i] for i in relevant_indices] + incidents = [incidents[i] for i in relevant_indices] + y_pred_prob_is_given = incidents_with_missing_pred_prob == 0 + if y_pred_prob_is_given: + y_pred_dict = [{label: prob} for label, prob in zip(y_pred, y_pred_prob)] + else: + y_pred_dict = [{label: 1.0} for label in y_pred] + if y_pred_prob_is_given: + res_threshold = get_ml_model_evaluation(y_true, y_pred_dict, model_target_accuracy, target_recall=0, + detailed=True) + # show results for the threshold found - last result so it will appear first + output_model_evaluation(y_test=y_true, y_pred=y_pred_dict, res=res_threshold, + context_field='EvaluateMLModllAtProduction') + # show results if no threshold (threhsold=0) was used. 
Following code is reached only if a legal thresh was found: + if not y_pred_prob_is_given or not np.isclose(float(res_threshold[0]['Contents']['threshold']), 0): + res = get_ml_model_evaluation(y_true, y_pred_dict, target_accuracy=0, target_recall=0) + human_readable = '\n'.join(['## Results for No Threshold', + 'The following results were achieved by using no threshold (threshold equals 0)']) + output_model_evaluation(y_test=y_true, y_pred=y_pred_dict, res=res, + context_field='EvaluateMLModllAtProductionNoThresh', + human_readable_title=human_readable) + return_file_result_with_predictions_on_test_set(incidents, y_true, y_pred, y_pred_prob, additional_fields) model_target_accuracy = demisto.args().get('modelTargetAccuracy', 0) From 6cc1c6227e1cd56bae0cdae0ce19e733daff594e Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Wed, 3 Jul 2024 14:17:51 +0300 Subject: [PATCH 06/39] remove runonce --- .../DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml | 1 - .../DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml | 1 - .../DBotPredictPhishingWords/DBotPredictPhishingWords.yml | 1 - .../Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml | 1 - .../DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml | 1 - .../DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml | 1 - .../script-CompareEnvPredictionsToExpectedPredictions.yml | 1 - 7 files changed, 7 deletions(-) diff --git a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml index b3e3efa5b530..988901237804 100644 --- a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml +++ b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml @@ -84,7 +84,6 @@ tags: timeout: 12µs type: python dockerimage: devdemisto/ml:1.0.0.100486 -runonce: true tests: - Create Phishing Classifier V2 ML Test - DBotCreatePhishingClassifierV2FromFile-Test 
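Review bot: The `if incidents:` guard runs before `get_data_with_mapped_label` filters the rows, so a query whose incidents all carry unmapped labels still reaches `get_ml_model_evaluation` with empty `y_true` and `y_pred_dict`. With the emptiness check this series adds to GetMLModelEvaluation, that case presumably ends in an error entry instead of a clean return; how `get_ml_model_evaluation` calls that script is not visible here. Re-checking after the filter, for example `if not incidents: return` directly below `incidents = [incidents[i] for i in relevant_indices]`, would cover it. The hunk also switches `incidents_query_res[-1]` to `[0]` without explanation; a one-line comment such as `# GetIncidentsByQuery returns the incident list in its first entry` (if that is the reason) would help the next reader. The function starts outside the hunk.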
diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml index 11c4fc374441..441b27ba39e2 100644 --- a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml +++ b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml @@ -88,7 +88,6 @@ timeout: '0' type: python dockerimage: devdemisto/ml:1.0.0.100486 runas: DBotWeakRole -runonce: true tests: - No tests (auto formatted) fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml index 58e95ee1bf7a..9947b06c8e52 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml @@ -99,7 +99,6 @@ tags: timeout: 60µs type: python dockerimage: devdemisto/ml:1.0.0.100486 -runonce: true tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml index 30532cac5dbb..1cd991823b0d 100644 --- a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml +++ b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml @@ -105,7 +105,6 @@ tags: timeout: 120µs type: python dockerimage: devdemisto/ml:1.0.0.100486 -runonce: true tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml index aa5f22a9c5ea..03a0dbce9d7d 100644 --- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml +++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml 
@@ -122,7 +122,6 @@ tags: timeout: 12µs type: python dockerimage: devdemisto/ml:1.0.0.100486 -runonce: true tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml index b0a5f2af97e5..b9e84470f350 100644 --- a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml +++ b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml @@ -60,7 +60,6 @@ subtype: python3 timeout: 60µs type: python dockerimage: devdemisto/ml:1.0.0.100486 -runonce: true tests: - DbotPredictOufOfTheBoxTestV2 - VerifyOOBV2Predictions-Test diff --git a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml index f488d4be429f..5f32ef021b00 100644 --- a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml +++ b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml @@ -31,7 +31,6 @@ outputs: scripttarget: 0 subtype: python3 pswd: "" -runonce: false dockerimage: devdemisto/ml:1.0.0.100486 runas: DBotWeakRole fromversion: 5.5.0 \ No newline at end of file From 2ac96b42a957b05a31278cd8c97736a606dbaaf8 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Wed, 3 Jul 2024 14:55:26 +0300 Subject: [PATCH 07/39] remove space --- .../script-CompareEnvPredictionsToExpectedPredictions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml index 5f32ef021b00..7098f156c0da 100644 --- a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml +++ b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml 
@@ -19,7 +19,7 @@ script: |- message = '{}/{} correct predictions. '.format(len(df)- len(wrong_predictions_ids), len(df)) if len(wrong_predictions_ids) > 0: message += 'Wrong predictions:\n {}'.format('\n'.join([str(id_) for id_ in wrong_predictions_ids])) - return_outputs(message, {'CompareEnvPredictionsToExpectedPredictions .allPredictionsMatched': len(wrong_predictions_ids)== 0}) + return_outputs(message, {'CompareEnvPredictionsToExpectedPredictions.allPredictionsMatched': len(wrong_predictions_ids)== 0}) type: python tags: [] enabled: true @@ -27,7 +27,7 @@ args: - name: input required: true outputs: -- contextPath: CompareEnvPredictionsToExpectedPredictions .allPredictionsMatched +- contextPath: CompareEnvPredictionsToExpectedPredictions.allPredictionsMatched scripttarget: 0 subtype: python3 pswd: "" From a4ab8b71a02357f98e0740b74cb693e916fe2c55 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Wed, 3 Jul 2024 17:09:49 +0300 Subject: [PATCH 08/39] fixed --- .../GetMLModelEvaluation.py | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.py b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.py index 67b2d5561fb5..ae87baa03d21 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.py +++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.py @@ -193,7 +193,7 @@ def merge_entries(entry, per_class_entry): return entry -def find_threshold(y_true, y_pred, customer_target_precision, target_recall, detailed_output=True): +def find_threshold(y_true, y_pred_all_classes, customer_target_precision, target_recall, detailed_output=True): labels = sorted(set(y_true + list(y_pred_all_classes[0].keys()))) n_instances = len(y_true) 
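Review bot: Renaming the parameter of `find_threshold` from `y_pred` to `y_pred_all_classes` changes the keyword callers must use, so any call that still passes `y_pred=` now fails with a TypeError. The call in `main()` is updated in the next hunk of this patch, but call sites outside the visible hunks (unit tests, for example) are not shown and should be checked. The first body line indexes `y_pred_all_classes[0]`; `main()` rejects empty input before calling, but a short docstring such as `"""y_pred_all_classes must be a non-empty sequence of dicts keyed by label."""` would record that precondition for other callers. The function body continues outside the hunk.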
@@ -335,14 +335,14 @@ def main(): if not (y_true and y_pred_all_classes): raise DemistoException('Either "yPred" or "yTrue" are empty.') - else: - entries = find_threshold(y_true=y_true, - y_pred=y_pred_all_classes, - customer_target_precision=target_precision, - target_recall=target_recall, - detailed_output=detailed_output) - - demisto.results(entries) + + entries = find_threshold(y_true=y_true, + y_pred_all_classes=y_pred_all_classes, + customer_target_precision=target_precision, + target_recall=target_recall, + detailed_output=detailed_output) + + demisto.results(entries) except Exception as e: return_error(f'Error in GetMLModelEvaluation:\n{e}') From 6d0354cf18309aa839a574e051bb9811a5a1eb89 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Thu, 4 Jul 2024 14:31:58 +0300 Subject: [PATCH 09/39] fix create incidents script --- ...t-CreateIncidentsForEvaluateMLModllAtProduction.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml b/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml index 63ba305fb488..972b677929f9 100644 --- a/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml +++ b/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml @@ -17,16 +17,14 @@ script: >+ incident1_template = { 'type': 'Simulation', 'name': 'Tag1', - 'dbotprediction': 'ham', - 'dbotpredictionprobability': 1.0 + 'additionaldata': ['ham', 1.0] } incident2_template = { 'type': 'Simulation', 'name': 'Tag2', - 'dbotprediction': 'spam', - 'dbotpredictionprobability': 1.0, + 'additionaldata': ['spam', 1.0] } 
@@ -54,8 +52,8 @@ script: >+ 'EmailBodyKey': 'details', 'EmailTagKey': 'name', 'IncidentsQuery': 'type:Simulation', - 'EmailPredictionKey': 'dbotprediction', - 'EmailPredictionProbabilityKey': 'dbotpredictionprobability' + 'EmailPredictionKey': 'additionaldata.[0]', + 'EmailPredictionProbabilityKey': 'additionaldata.[1]' } }) From f12dc895771ff7e552710b5aa678c9e8410b0eb9 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Thu, 4 Jul 2024 15:39:32 +0300 Subject: [PATCH 10/39] new docker --- .../DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml | 2 +- .../DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml | 2 +- .../DBotFindSimilarIncidentsByIndicators.yml | 2 +- .../DBotPredictPhishingWords/DBotPredictPhishingWords.yml | 2 +- .../Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml | 2 +- .../DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml | 2 +- .../Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml | 2 +- .../DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml | 2 +- .../DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml | 2 +- .../EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml | 2 +- .../script-CompareEnvPredictionsToExpectedPredictions.yml | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml index 988901237804..079e818c931a 100644 --- a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml +++ b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml @@ -83,7 +83,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: devdemisto/ml:1.0.0.100486 +dockerimage: devdemisto/ml:1.0.0.100938 tests: - Create Phishing Classifier V2 ML Test - DBotCreatePhishingClassifierV2FromFile-Test 
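Review bot: The new `dockerimage` value in the DBotBuildPhishingClassifier.yml hunk still points at the `devdemisto/` namespace, which looks like a development image repository rather than a release one. A pack that ships with this reference runs whatever is published under that tag there. The same namespace is set in every other `dockerimage` hunk of this patch and again in the later "new docker" and "bump transformers" patches. Before merge these should reference the released image, for example `dockerimage: demisto/ml:<released-tag>`. It is also worth confirming that pre-merge validation rejects `devdemisto/` references, so a development image cannot reach a released pack.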
diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml
index 441b27ba39e2..809edf1f429a 100644
--- a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml
+++ b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml
@@ -86,7 +86,7 @@ script: '-'
 subtype: python3
 timeout: '0'
 type: python
-dockerimage: devdemisto/ml:1.0.0.100486
+dockerimage: devdemisto/ml:1.0.0.100938
 runas: DBotWeakRole
 tests:
 - No tests (auto formatted)
diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml
index edffbbb8f189..3b490ef85878 100644
--- a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml
+++ b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml
@@ -42,7 +42,7 @@ script: '-'
 subtype: python3
 timeout: '0'
 type: python
-dockerimage: devdemisto/ml:1.0.0.100486
+dockerimage: devdemisto/ml:1.0.0.100938
 runas: DBotWeakRole
 tests:
 - DBotFindSimilarIncidentsByIndicators - Test
diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml
index 9947b06c8e52..e5a496fe3ff9 100644
--- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml
+++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml
@@ -98,7 +98,7 @@ tags:
 - phishing
 timeout: 60µs
 type: python
-dockerimage: devdemisto/ml:1.0.0.100486
+dockerimage: devdemisto/ml:1.0.0.100938
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml
index 1cd991823b0d..013768e2f5d6 100644
--- a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml
+++ b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml
@@ -104,7 +104,7 @@ tags:
 - ml
 timeout: 120µs
 type: python
-dockerimage: devdemisto/ml:1.0.0.100486
+dockerimage: devdemisto/ml:1.0.0.100938
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml
index 03a0dbce9d7d..b5f3cb0956a0 100644
--- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml
+++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml
@@ -121,7 +121,7 @@ tags:
 - ml
 timeout: 12µs
 type: python
-dockerimage: devdemisto/ml:1.0.0.100486
+dockerimage: devdemisto/ml:1.0.0.100938
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml
index f22786845767..0251e1d3fd18 100644
--- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml
+++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml
@@ -43,7 +43,7 @@ tags:
 - ml
 timeout: 60µs
 type: python
-dockerimage: devdemisto/ml:1.0.0.100486
+dockerimage: devdemisto/ml:1.0.0.100938
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml
index 44030d60c100..ae719d10e764 100644
--- a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml
+++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml
@@ -46,7 +46,7 @@ tags:
 - ml
 timeout: '0'
 type: python
-dockerimage: devdemisto/ml:1.0.0.100486
+dockerimage: devdemisto/ml:1.0.0.100938
 fromversion: 5.0.0
 tests:
 - VerifyOOBV2Predictions-Test
diff --git a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml
index b9e84470f350..6aa78594e704 100644
--- a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml
+++ b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml
@@ -59,7 +59,7 @@ script: '-'
 subtype: python3
 timeout: 60µs
 type: python
-dockerimage: devdemisto/ml:1.0.0.100486
+dockerimage: devdemisto/ml:1.0.0.100938
 tests:
 - DbotPredictOufOfTheBoxTestV2
 - VerifyOOBV2Predictions-Test
diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml
index ef3147c884e8..dc170b3f988f 100644
--- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml
+++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml
@@ -42,7 +42,7 @@ outputs:
 script: '-'
 subtype: python3
 type: python
-dockerimage: devdemisto/ml:1.0.0.100486
+dockerimage: devdemisto/ml:1.0.0.100938
 runas: DBotWeakRole
 fromversion: 5.0.0
 tags:
diff --git a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml
index 7098f156c0da..2d63ab8099c4 100644
--- a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml
+++ b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml
@@ -31,6 +31,6 @@ outputs: scripttarget: 0 subtype: python3 pswd: "" -dockerimage: devdemisto/ml:1.0.0.100486 +dockerimage: devdemisto/ml:1.0.0.100938 runas: DBotWeakRole fromversion: 5.5.0 \ No newline at end of file From 4ea1b9a84eafb9f3883385aa73d5add15cb41619 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Thu, 4 Jul 2024 18:18:13 +0300 Subject: [PATCH 11/39] revert: fix create incidents script --- ...t-CreateIncidentsForEvaluateMLModllAtProduction.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml b/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml index 972b677929f9..63ba305fb488 100644 --- a/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml +++ b/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml @@ -17,14 +17,16 @@ script: >+ incident1_template = { 'type': 'Simulation', 'name': 'Tag1', - 'additionaldata': ['ham', 1.0] + 'dbotprediction': 'ham', + 'dbotpredictionprobability': 1.0 } incident2_template = { 'type': 'Simulation', 'name': 'Tag2', - 'additionaldata': ['spam', 1.0] + 'dbotprediction': 'spam', + 'dbotpredictionprobability': 1.0, } @@ -52,8 +54,8 @@ script: >+ 'EmailBodyKey': 'details', 'EmailTagKey': 'name', 'IncidentsQuery': 'type:Simulation', - 'EmailPredictionKey': 'additionaldata.[0]', - 'EmailPredictionProbabilityKey': 'additionaldata.[1]' + 'EmailPredictionKey': 'dbotprediction', + 'EmailPredictionProbabilityKey': 'dbotpredictionprobability' } }) From ea383a59fda2a02a5235737c1fef776ebff6a385 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Fri, 5 Jul 2024 12:00:38 +0300 Subject: [PATCH 12/39] add outputs to DBotFindSimilarIncidents --- .../DBotFindSimilarIncidents.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) 
diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml index 809edf1f429a..69c2bd3ee6c8 100644 --- a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml +++ b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml @@ -74,6 +74,25 @@ args: name: indicatorsTypes - description: Help to filter out indicators that appear in many incidents. Relevant if includeIndicatorsSimilarity is "True". name: maxIncidentsInIndicatorsForWhiteList +outputs: +- contextPath: DBotFindSimilarIncidents.isSimilarIncidentFound + description: Indicates whether similar incidents have been found. + type: boolean +- contextPath: DBotFindSimilarIncidents.similarIncident.created + description: The creation date of the linked incident. + type: date +- contextPath: DBotFindSimilarIncidents.similarIncident.id + description: The ID of the linked incident. + type: string +- contextPath: DBotFindSimilarIncidents.similarIncident.name + description: The name of the linked incident. + type: string +- contextPath: DBotFindSimilarIncidents.similarIncident.similarity incident + description: The similarity of the linked incident represented as a float in the range 0-1. + type: number +- contextPath: DBotFindSimilarIncidents.similarIncident.details + description: The details of the linked incident. + type: string comment: |- Finds past similar incidents based on incident fields' similarity. Includes an option to also display indicators similarity. Note: For the similarity calculation, at least one field must be provided in one of the "similarTextField", "similarCategoricalField", or "similarJsonField" arguments. From 036d9f63dc3f63b3805462ad502ced16801361cc Mon Sep 17 00:00:00 2001 
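Review bot: The output path `DBotFindSimilarIncidents.similarIncident.similarity incident` contains a space, which makes it awkward to reference from playbook conditions and transformers. A declared path that does not match the emitted key exactly simply resolves to nothing. If the script really writes a key named `similarity incident`, say so in the description; otherwise correct the path to the key the script emits. The descriptions also speak of "the linked incident" although nothing in this hunk shows any linking, so "the similar incident" would be the more accurate wording.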
From: jlevypaloalto Date: Fri, 5 Jul 2024 12:48:38 +0300 Subject: [PATCH 13/39] new tpb DBotFindSimilarIncidents-test --- .../DBotFindSimilarIncidents.yml | 2 +- ...playbook-DBotFindSimilarIncidents-test.yml | 300 ++++++++++++++++++ Tests/conf.json | 2 +- 3 files changed, 302 insertions(+), 2 deletions(-) create mode 100644 Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml index 69c2bd3ee6c8..8df91b9411aa 100644 --- a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml +++ b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml @@ -108,5 +108,5 @@ type: python dockerimage: devdemisto/ml:1.0.0.100938 runas: DBotWeakRole tests: -- No tests (auto formatted) +- DBotFindSimilarIncidents-test fromversion: 5.0.0 diff --git a/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml b/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml new file mode 100644 index 000000000000..e18d0eca0f9f --- /dev/null +++ b/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml 
@@ -0,0 +1,300 @@ +id: DBotFindSimilarIncidents-test +version: -1 +name: DBotFindSimilarIncidents-test +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 53859bf6-0ad5-48e8-83ea-e56e86b07a82 + type: start + task: + id: 53859bf6-0ad5-48e8-83ea-e56e86b07a82 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "5" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 45426724-fbd0-417f-89d3-8b71ab784309 + type: regular + task: + id: 45426724-fbd0-417f-89d3-8b71ab784309 + version: -1 + name: DBotFindSimilarIncidents + description: Find past similar incidents based on incident fields' similarity. Includes an option to also display indicators similarity. + scriptName: DBotFindSimilarIncidents + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + fieldExactMatch: + simple: accountname + incidentId: + complex: + root: CreatedIncidentID + transformers: + - operator: atIndex + args: + index: + value: + simple: "0" + similarTextField: + simple: details + toDate: + simple: now + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 545 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: bdd0da3d-8aad-4682-8aff-d2c6a3321690 + type: condition + task: + id: bdd0da3d-8aad-4682-8aff-d2c6a3321690 + version: -1 + name: Check results + type: condition + iscommand: false + brand: "" + nexttasks: + "Yes": + - "4" + separatecontext: false + conditions: + - label: "Yes" + condition: + - - operator: isTrue + left: + value: + simple: DBotFindSimilarIncidents.isSimilarIncidentFound + 
iscontext: true + - - operator: isEqualString + left: + value: + simple: DBotFindSimilarIncidents.similarIncident.id + iscontext: true + right: + value: + complex: + root: CreatedIncidentID + transformers: + - operator: atIndex + args: + index: + value: + simple: "1" + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: bd930f7e-c2f1-4b46-8efa-6562c60105fe + type: title + task: + id: bd930f7e-c2f1-4b46-8efa-6562c60105fe + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 895 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: c2bb7962-e995-45e1-8636-0ecf2b3ff45c + type: regular + task: + id: c2bb7962-e995-45e1-8636-0ecf2b3ff45c + version: -1 + name: Clear context + description: |- + Delete field from context. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. 
+ For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "6" + - "7" + scriptarguments: + all: + simple: "yes" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 58890a1b-198a-4f21-87d6-a73d27b24075 + type: regular + task: + id: 58890a1b-198a-4f21-87d6-a73d27b24075 + version: -1 + name: Create incident 1 + description: commands.local.cmd.create.inc + script: Builtin|||createNewIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "2" + scriptarguments: + accountname: + simple: SimilarAccountName + details: + simple: this is a test incident and should match up with TestIncident_2 + name: + simple: TestIncident_1 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 89bf5bb4-77e5-4462-819e-656511050e55 + type: regular + task: + id: 89bf5bb4-77e5-4462-819e-656511050e55 + version: -1 + name: Create incident 2 + description: commands.local.cmd.create.inc + script: Builtin|||createNewIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "2" + scriptarguments: + accountname: + simple: SimilarAccountName + details: + simple: this is a test incident and should match up with TestIncident_1 + name: + simple: TestIncident_2 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 370 
+ } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 910, + "width": 810, + "x": 50, + "y": 50 + } + } + } +inputs: [] +outputs: [] +fromversion: 6.10.0 +description: '' diff --git a/Tests/conf.json b/Tests/conf.json index 658c946d822a..85f017aff602 100644 --- a/Tests/conf.json +++ b/Tests/conf.json @@ -3673,7 +3673,7 @@ "is_mockable": false }, { - "playbookID": "GetIndicatorsByQuery - Test" + "playbookID": "DBotFindSimilarIncidents-test" }, { "playbookID": "DBotCreatePhishingClassifierV2FromFile-Test", From 3d0c6c4e24eed471b864b20940991dbc4f2e4205 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Sun, 7 Jul 2024 03:22:18 +0300 Subject: [PATCH 14/39] new docker --- .../DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml | 2 +- .../DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml | 2 +- .../DBotFindSimilarIncidentsByIndicators.yml | 2 +- .../DBotPredictPhishingWords/DBotPredictPhishingWords.yml | 2 +- .../Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml | 2 +- .../DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml | 2 +- .../Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml | 2 +- .../DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml | 2 +- .../DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml | 2 +- .../EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml | 2 +- .../script-CompareEnvPredictionsToExpectedPredictions.yml | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml index 079e818c931a..90c3ea995e91 100644 --- a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml 
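Review bot: The "Check results" condition (task 3) defines only a `Yes` branch and no `#default#` branch, so the playbook does not show what happens when the script returns no match. Please confirm that such a run is marked failed rather than ending without reaching "Done". Tasks 6 and 7 create the two incidents in parallel, while the script is called with `CreatedIncidentID` index 0 and the check compares against index 1, so the test relies on the two incidents being interchangeable; a sentence in the task description would make that explicit. The created incidents are not closed or deleted, and every run uses the same `details` text and `accountname`, so leftovers from earlier runs may show up in `similarIncident.id` and make the `isEqualString` comparison flaky. A cleanup task at the end would avoid that.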
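Review bot: The Tests/conf.json hunk replaces the existing `"playbookID": "GetIndicatorsByQuery - Test"` entry instead of adding a new one, which, as far as this hunk shows, drops that test playbook from the test configuration. Unless the removal is intended, keep the original entry and add `{ "playbookID": "DBotFindSimilarIncidents-test" }` as a separate object next to it. The surrounding array starts and ends outside the hunk.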
+++ b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml
@@ -83,7 +83,7 @@ tags:
 - ml
 timeout: 12µs
 type: python
-dockerimage: devdemisto/ml:1.0.0.100938
+dockerimage: devdemisto/ml:1.0.0.101124
 tests:
 - Create Phishing Classifier V2 ML Test
 - DBotCreatePhishingClassifierV2FromFile-Test
diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml
index 8df91b9411aa..24f9ac07e46e 100644
--- a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml
+++ b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml
@@ -105,7 +105,7 @@ script: '-'
 subtype: python3
 timeout: '0'
 type: python
-dockerimage: devdemisto/ml:1.0.0.100938
+dockerimage: devdemisto/ml:1.0.0.101124
 runas: DBotWeakRole
 tests:
 - DBotFindSimilarIncidents-test
diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml
index 3b490ef85878..e29e9dcb6168 100644
--- a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml
+++ b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml
@@ -42,7 +42,7 @@ script: '-'
 subtype: python3
 timeout: '0'
 type: python
-dockerimage: devdemisto/ml:1.0.0.100938
+dockerimage: devdemisto/ml:1.0.0.101124
 runas: DBotWeakRole
 tests:
 - DBotFindSimilarIncidentsByIndicators - Test
diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml
index e5a496fe3ff9..9d73ebceab3b 100644
--- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml
+++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml
@@ -98,7 +98,7 @@ tags:
 - phishing
 timeout: 60µs
 type: python
-dockerimage: devdemisto/ml:1.0.0.100938
+dockerimage: devdemisto/ml:1.0.0.101124
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml
index 013768e2f5d6..0909cce1b478 100644
--- a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml
+++ b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml
@@ -104,7 +104,7 @@ tags:
 - ml
 timeout: 120µs
 type: python
-dockerimage: devdemisto/ml:1.0.0.100938
+dockerimage: devdemisto/ml:1.0.0.101124
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml
index b5f3cb0956a0..5dd98f143c7b 100644
--- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml
+++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml
@@ -121,7 +121,7 @@ tags:
 - ml
 timeout: 12µs
 type: python
-dockerimage: devdemisto/ml:1.0.0.100938
+dockerimage: devdemisto/ml:1.0.0.101124
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml
index 0251e1d3fd18..602343be9780 100644
--- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml
+++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml
@@ -43,7 +43,7 @@ tags:
 - ml
 timeout: 60µs
 type: python
-dockerimage: devdemisto/ml:1.0.0.100938
+dockerimage: devdemisto/ml:1.0.0.101124
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml
index ae719d10e764..4daabcdbb18a 100644
--- a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml
+++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml
@@ -46,7 +46,7 @@ tags:
 - ml
 timeout: '0'
 type: python
-dockerimage: devdemisto/ml:1.0.0.100938
+dockerimage: devdemisto/ml:1.0.0.101124
 fromversion: 5.0.0
 tests:
 - VerifyOOBV2Predictions-Test
diff --git a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml
index 6aa78594e704..a45c26f00236 100644
--- a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml
+++ b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml
@@ -59,7 +59,7 @@ script: '-'
 subtype: python3
 timeout: 60µs
 type: python
-dockerimage: devdemisto/ml:1.0.0.100938
+dockerimage: devdemisto/ml:1.0.0.101124
 tests:
 - DbotPredictOufOfTheBoxTestV2
 - VerifyOOBV2Predictions-Test
diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml
index dc170b3f988f..ced999aa0b08 100644
--- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml
+++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml
@@ -42,7 +42,7 @@ outputs:
 script: '-'
 subtype: python3
 type: python
-dockerimage: devdemisto/ml:1.0.0.100938
+dockerimage: devdemisto/ml:1.0.0.101124
 runas: DBotWeakRole
 fromversion: 5.0.0
 tags:
diff --git a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml
index 2d63ab8099c4..a2061d0a6023 100644
--- a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml
+++ b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml @@ -31,6 +31,6 @@ outputs: scripttarget: 0 subtype: python3 pswd: "" -dockerimage: devdemisto/ml:1.0.0.100938 +dockerimage: devdemisto/ml:1.0.0.101124 runas: DBotWeakRole fromversion: 5.5.0 \ No newline at end of file From 1fb8d9ea3632182d16d011e7f2548af6b05c0bf7 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Sun, 7 Jul 2024 16:07:13 +0300 Subject: [PATCH 15/39] bump transformers --- .../DBotBuildPhishingClassifier.yml | 2 +- .../DBotFindSimilarIncidents.yml | 2 +- .../DBotFindSimilarIncidentsByIndicators.yml | 2 +- .../DBotPredictPhishingWords.yml | 2 +- .../DBotPreprocessTextData.yml | 2 +- .../DBotTrainTextClassifierV2.yml | 2 +- .../GetMLModelEvaluation/GetMLModelEvaluation.yml | 2 +- .../playbook-DBotFindSimilarIncidents-test.yml | 2 +- .../DBotPredictIncidentsBatch.yml | 2 +- .../DBotPredictOutOfTheBoxV2.yml | 2 +- .../EvaluateMLModllAtProduction.yml | 2 +- ...pt-CompareEnvPredictionsToExpectedPredictions.yml | 2 +- ...CreateIncidentsForEvaluateMLModllAtProduction.yml | 12 ++++++------ Tests/conf.json | 5 ++++- 14 files changed, 22 insertions(+), 19 deletions(-) diff --git a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml index 90c3ea995e91..768635cdda77 100644 --- a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml +++ b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml @@ -83,7 +83,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: devdemisto/ml:1.0.0.101124 +dockerimage: devdemisto/ml:1.0.0.101872 tests: - Create Phishing Classifier V2 ML Test - DBotCreatePhishingClassifierV2FromFile-Test diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml index 24f9ac07e46e..a6660affde47 100644 
--- a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml +++ b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml @@ -105,7 +105,7 @@ script: '-' subtype: python3 timeout: '0' type: python -dockerimage: devdemisto/ml:1.0.0.101124 +dockerimage: devdemisto/ml:1.0.0.101872 runas: DBotWeakRole tests: - DBotFindSimilarIncidents-test diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml index e29e9dcb6168..7a71577e7439 100644 --- a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml +++ b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml @@ -42,7 +42,7 @@ script: '-' subtype: python3 timeout: '0' type: python -dockerimage: devdemisto/ml:1.0.0.101124 +dockerimage: devdemisto/ml:1.0.0.101872 runas: DBotWeakRole tests: - DBotFindSimilarIncidentsByIndicators - Test diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml index 9d73ebceab3b..d06cf33fa2db 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml @@ -98,7 +98,7 @@ tags: - phishing timeout: 60µs type: python -dockerimage: devdemisto/ml:1.0.0.101124 +dockerimage: devdemisto/ml:1.0.0.101872 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml index 0909cce1b478..6acade2b7975 100644 --- a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml +++ b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml 
@@ -104,7 +104,7 @@ tags: - ml timeout: 120µs type: python -dockerimage: devdemisto/ml:1.0.0.101124 +dockerimage: devdemisto/ml:1.0.0.101872 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml index 5dd98f143c7b..9a5761680e9a 100644 --- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml +++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml @@ -121,7 +121,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: devdemisto/ml:1.0.0.101124 +dockerimage: devdemisto/ml:1.0.0.101872 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml index 602343be9780..b4e47ef65db7 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml +++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml @@ -43,7 +43,7 @@ tags: - ml timeout: 60µs type: python -dockerimage: devdemisto/ml:1.0.0.101124 +dockerimage: devdemisto/ml:1.0.0.101872 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml b/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml index e18d0eca0f9f..80d5b69490d5 100644 --- a/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml +++ b/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml @@ -296,5 +296,5 @@ view: |- } inputs: [] outputs: [] -fromversion: 6.10.0 +fromversion: 6.9.0 description: '' diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml index 4daabcdbb18a..e45e47552512 100644 
--- a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml +++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml @@ -46,7 +46,7 @@ tags: - ml timeout: '0' type: python -dockerimage: devdemisto/ml:1.0.0.101124 +dockerimage: devdemisto/ml:1.0.0.101872 fromversion: 5.0.0 tests: - VerifyOOBV2Predictions-Test diff --git a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml index a45c26f00236..a94253b3fd79 100644 --- a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml +++ b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml @@ -59,7 +59,7 @@ script: '-' subtype: python3 timeout: 60µs type: python -dockerimage: devdemisto/ml:1.0.0.101124 +dockerimage: devdemisto/ml:1.0.0.101872 tests: - DbotPredictOufOfTheBoxTestV2 - VerifyOOBV2Predictions-Test diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml index ced999aa0b08..35686515429c 100644 --- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml @@ -42,7 +42,7 @@ outputs: script: '-' subtype: python3 type: python -dockerimage: devdemisto/ml:1.0.0.101124 +dockerimage: devdemisto/ml:1.0.0.101872 runas: DBotWeakRole fromversion: 5.0.0 tags: diff --git a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml index a2061d0a6023..a5d9fe3ca037 100644 --- a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml +++ b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml 
@@ -31,6 +31,6 @@ outputs: scripttarget: 0 subtype: python3 pswd: "" -dockerimage: devdemisto/ml:1.0.0.101124 +dockerimage: devdemisto/ml:1.0.0.101872 runas: DBotWeakRole fromversion: 5.5.0 \ No newline at end of file diff --git a/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml b/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml index 63ba305fb488..40210d5aaa1e 100644 --- a/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml +++ b/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml @@ -17,16 +17,16 @@ script: >+ incident1_template = { 'type': 'Simulation', 'name': 'Tag1', - 'dbotprediction': 'ham', - 'dbotpredictionprobability': 1.0 + 'details': 'ham', + 'description': 1.0 } incident2_template = { 'type': 'Simulation', 'name': 'Tag2', - 'dbotprediction': 'spam', - 'dbotpredictionprobability': 1.0, + 'details': 'spam', + 'description': 1.0, } @@ -54,8 +54,8 @@ script: >+ 'EmailBodyKey': 'details', 'EmailTagKey': 'name', 'IncidentsQuery': 'type:Simulation', - 'EmailPredictionKey': 'dbotprediction', - 'EmailPredictionProbabilityKey': 'dbotpredictionprobability' + 'EmailPredictionKey': 'details', + 'EmailPredictionProbabilityKey': 'description' } }) diff --git a/Tests/conf.json b/Tests/conf.json index 85f017aff602..08d5d9dfa6d3 100644 --- a/Tests/conf.json +++ b/Tests/conf.json @@ -3673,7 +3673,10 @@ "is_mockable": false }, { - "playbookID": "DBotFindSimilarIncidents-test" + "playbookID": "GetIndicatorsByQuery - Test" + }, + { + "playbookID": "DBotFindSimilarIncidents-test", }, { "playbookID": "DBotCreatePhishingClassifierV2FromFile-Test", From bde59b79f4b70e020092632ec4585d767351f78d Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Sun, 7 Jul 2024 17:29:48 +0300 Subject: [PATCH 16/39] Empty-Commit From 9f04953cb4b16dc9714bc32ed6bc7dd56982c9b3 Mon Sep 17 00:00:00 2001 
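Review bot: In script-CreateIncidentsForEvaluateMLModllAtProduction.yml the third hunk sets `'EmailPredictionKey': 'details'` while the unchanged context line above it still has `'EmailBodyKey': 'details'`, so the text being classified and the stored prediction label resolve to the same incident field. With the templates in the first two hunks writing `'details': 'ham'` / `'details': 'spam'`, the evaluation would be fed its own label as the body, and the test stops measuring anything. The same hunks put the probability in `'description': 1.0`, which looks like a free-text field; if it is string-typed the value may round-trip as `'1.0'`, and that reuse is still present in this file's hunks in PATCH 18/39. I would map the prediction to a field that is not also the body key, and add a one-line comment saying why built-in fields replace the removed `dbotprediction` / `dbotpredictionprobability` keys. The embedded script starts and ends outside these hunks.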
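Review bot: In the Tests/conf.json hunk the re-added entry `"playbookID": "DBotFindSimilarIncidents-test",` ends with a comma directly before the closing `}`, which a strict JSON parser rejects. Because the file is a single JSON document, the whole test configuration would fail to load rather than only this entry. The line should read `"playbookID": "DBotFindSimilarIncidents-test"`. A JSON syntax check in pre-commit or CI would catch this kind of edit before it reaches test selection.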
From: jlevypaloalto Date: Sun, 7 Jul 2024 18:43:23 +0300 Subject: [PATCH 17/39] fix conf.json --- Tests/conf.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tests/conf.json b/Tests/conf.json index 08d5d9dfa6d3..82a7cef8d5ef 100644 --- a/Tests/conf.json +++ b/Tests/conf.json @@ -3676,7 +3676,7 @@ "playbookID": "GetIndicatorsByQuery - Test" }, { - "playbookID": "DBotFindSimilarIncidents-test", + "playbookID": "DBotFindSimilarIncidents-test" }, { "playbookID": "DBotCreatePhishingClassifierV2FromFile-Test", From 5fe453489075c56ff9f6e94c2eb3b440a274342c Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Sun, 7 Jul 2024 22:31:34 +0300 Subject: [PATCH 18/39] more fixes --- ...ybook-EvaluateMLModllAtProduction-Test.yml | 273 +++++++++++++----- ...ncidentsForEvaluateMLModllAtProduction.yml | 6 +- 2 files changed, 196 insertions(+), 83 deletions(-) diff --git a/Packs/ML/TestPlaybooks/playbook-EvaluateMLModllAtProduction-Test.yml b/Packs/ML/TestPlaybooks/playbook-EvaluateMLModllAtProduction-Test.yml index c98969885c5a..f7eb3e4b1827 100644 --- a/Packs/ML/TestPlaybooks/playbook-EvaluateMLModllAtProduction-Test.yml +++ b/Packs/ML/TestPlaybooks/playbook-EvaluateMLModllAtProduction-Test.yml @@ -1,28 +1,27 @@ -elasticcommonfields: {} id: EvaluateMLModllAtProduction-Test version: -1 -name: EvaluateMLModllAtProduction-Test +name: DBotFindSimilarIncidents-test starttaskid: "0" tasks: "0": id: "0" - taskid: 29ce4aa3-1c60-4977-81a8-ccd4534c9e8e + taskid: 53859bf6-0ad5-48e8-83ea-e56e86b07a82 type: start task: - elasticcommonfields: {} - id: 29ce4aa3-1c60-4977-81a8-ccd4534c9e8e + id: 53859bf6-0ad5-48e8-83ea-e56e86b07a82 version: -1 name: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - - "1" + - "5" separatecontext: false view: |- { "position": { - "x": 450, + "x": 265, "y": 50 } } 
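Review bot: The first hunk of playbook-EvaluateMLModllAtProduction-Test.yml keeps `id: EvaluateMLModllAtProduction-Test` but changes `name` to `DBotFindSimilarIncidents-test`, and the later hunks of this file replace the Create Incidents, Evaluate Model and precision-check tasks with the DBotFindSimilarIncidents flow. The playbook then presumably duplicates the name of Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml. It also drops the only visible assertion on `EvaluateMLModllAtProduction.EvaluationScores.Precision.All` (greater than `0.95`), so a behaviour change in the evaluation script after the image bump would pass unnoticed. If the overwrite is unintended, keep `name: EvaluateMLModllAtProduction-Test` and the original tasks. If it is intended, the `id` and file name should change with it, so the ML evaluation script is not listed as covered by a test that no longer calls it.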
@@ -31,50 +30,19 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - "1": - id: "1" - taskid: df1817d1-ba19-419e-8aa2-694f6b8eeca7 - type: regular - task: - elasticcommonfields: {} - id: df1817d1-ba19-419e-8aa2-694f6b8eeca7 - version: -1 - name: Create Incidents - scriptName: CreateIncidentsForEvaluateMLModllAtProduction - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "2" - scriptarguments: - historicListName: {} - numberOfIncidents: - simple: "100" - separatecontext: false - view: |- - { - "position": { - "x": 450, - "y": 220 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "2": id: "2" - taskid: b65f3ed9-a3e8-490f-8d32-d19fbe712c10 + taskid: ab3d08f1-8bc2-4c87-857b-2e29bb3f5f38 type: regular task: - elasticcommonfields: {} - id: b65f3ed9-a3e8-490f-8d32-d19fbe712c10 + id: ab3d08f1-8bc2-4c87-857b-2e29bb3f5f38 version: -1 - name: Evaluate Model - description: Evaluate ML model in production - scriptName: EvaluateMLModllAtProduction + name: DBotFindSimilarIncidents + description: Find past similar incidents based on incident fields' similarity. Includes an option to also display indicators similarity. + scriptName: DBotFindSimilarIncidents type: regular iscommand: false brand: "" 
@@ -82,25 +50,29 @@ tasks: '#none#': - "3" scriptarguments: - additionalFields: {} - emailPredictionKey: - simple: ${EmailPredictionKey} - emailPredictionProbabilityKey: - simple: ${EmailPredictionProbabilityKey} - emailTagKey: - simple: ${EmailTagKey} - incidentTypes: - simple: Simulation - incidentsQuery: {} - modelTargetAccuracy: {} - phishingLabels: - simple: Tag1:ham,Tag2:spam + fieldExactMatch: + simple: accountname + fromDate: + simple: 1 hour + incidentId: + complex: + root: CreatedIncidentID + transformers: + - operator: atIndex + args: + index: + value: + simple: "0" + similarTextField: + simple: details + toDate: + simple: now separatecontext: false view: |- { "position": { - "x": 450, - "y": 420 + "x": 265, + "y": 545 } } note: false @@ -108,38 +80,53 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "3": id: "3" - taskid: f884e4d2-30f8-4def-87c9-2c027ef8270a + taskid: bdd0da3d-8aad-4682-8aff-d2c6a3321690 type: condition task: - elasticcommonfields: {} - id: f884e4d2-30f8-4def-87c9-2c027ef8270a + id: bdd0da3d-8aad-4682-8aff-d2c6a3321690 version: -1 - name: Check Precision equals 1 + name: Check results type: condition iscommand: false brand: "" nexttasks: - "yes": + "Yes": - "4" separatecontext: false conditions: - - label: "yes" + - label: "Yes" condition: - - - operator: greaterThan + - - operator: isTrue left: value: - simple: EvaluateMLModllAtProduction.EvaluationScores.Precision.All + simple: DBotFindSimilarIncidents.isSimilarIncidentFound + iscontext: true + - - operator: isEqualString + left: + value: + simple: DBotFindSimilarIncidents.similarIncident.id iscontext: true right: value: - simple: "0.95" + complex: + root: CreatedIncidentID + transformers: + - operator: atIndex + args: + index: + value: + simple: "1" + iscontext: true view: |- { "position": { - "x": 450, - "y": 610 + "x": 265, + "y": 720 } } note: false 
@@ -147,24 +134,147 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false "4": id: "4" - taskid: 14b3a70e-27cb-4582-8ea0-659eef8b932c + taskid: bd930f7e-c2f1-4b46-8efa-6562c60105fe type: title task: - elasticcommonfields: {} - id: 14b3a70e-27cb-4582-8ea0-659eef8b932c + id: bd930f7e-c2f1-4b46-8efa-6562c60105fe version: -1 name: Done type: title iscommand: false brand: "" + description: '' + separatecontext: false + view: |- + { + "position": { + "x": 265, + "y": 895 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: c2bb7962-e995-45e1-8636-0ecf2b3ff45c + type: regular + task: + id: c2bb7962-e995-45e1-8636-0ecf2b3ff45c + version: -1 + name: Clear context + description: |- + Delete field from context. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. 
+ For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "6" + - "7" + scriptarguments: + all: + simple: "yes" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 58890a1b-198a-4f21-87d6-a73d27b24075 + type: regular + task: + id: 58890a1b-198a-4f21-87d6-a73d27b24075 + version: -1 + name: Create incident 1 + description: commands.local.cmd.create.inc + script: Builtin|||createNewIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "2" + scriptarguments: + accountname: + simple: SimilarAccountName + details: + simple: this is a test incident and should match up with TestIncident_2 + name: + simple: TestIncident_1 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 89bf5bb4-77e5-4462-819e-656511050e55 + type: regular + task: + id: 89bf5bb4-77e5-4462-819e-656511050e55 + version: -1 + name: Create incident 2 + description: commands.local.cmd.create.inc + script: Builtin|||createNewIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "2" + scriptarguments: + accountname: + simple: SimilarAccountName + details: + simple: this is a test incident and should match up with TestIncident_1 + name: + simple: TestIncident_2 separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 450, - "y": 800 + "x": 
480, + "y": 370 } } note: false @@ -172,14 +282,16 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 815, - "width": 380, - "x": 450, + "height": 910, + "width": 810, + "x": 50, "y": 50 } } @@ -187,3 +299,4 @@ view: |- inputs: [] outputs: [] fromversion: 5.0.0 +description: '' diff --git a/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml b/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml index 40210d5aaa1e..8b6cd736e775 100644 --- a/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml +++ b/Packs/ML/TestPlaybooks/script-CreateIncidentsForEvaluateMLModllAtProduction.yml @@ -17,7 +17,7 @@ script: >+ incident1_template = { 'type': 'Simulation', 'name': 'Tag1', - 'details': 'ham', + 'classification': 'ham', 'description': 1.0 } @@ -25,7 +25,7 @@ script: >+ incident2_template = { 'type': 'Simulation', 'name': 'Tag2', - 'details': 'spam', + 'classification': 'spam', 'description': 1.0, } @@ -54,7 +54,7 @@ script: >+ 'EmailBodyKey': 'details', 'EmailTagKey': 'name', 'IncidentsQuery': 'type:Simulation', - 'EmailPredictionKey': 'details', + 'EmailPredictionKey': 'classification', 'EmailPredictionProbabilityKey': 'description' } }) From c0aae9ecbff4f8d2ee56b69ba0b998b3ade8c165 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Mon, 8 Jul 2024 09:29:06 +0300 Subject: [PATCH 19/39] more fixes --- ...playbook-DBotFindSimilarIncidents-test.yml | 16 +- ...ybook-EvaluateMLModllAtProduction-Test.yml | 273 +++++------------- 2 files changed, 89 insertions(+), 200 deletions(-) diff --git a/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml b/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml index 80d5b69490d5..b0e91ffc0c35 100644 --- a/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml 
+++ b/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml @@ -18,7 +18,6 @@ tasks: '#none#': - "5" separatecontext: false - continueonerrortype: "" view: |- { "position": { @@ -31,14 +30,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" isoversize: false isautoswitchedtoquietmode: false "2": id: "2" - taskid: 45426724-fbd0-417f-89d3-8b71ab784309 + taskid: ab3d08f1-8bc2-4c87-857b-2e29bb3f5f38 type: regular task: - id: 45426724-fbd0-417f-89d3-8b71ab784309 + id: ab3d08f1-8bc2-4c87-857b-2e29bb3f5f38 version: -1 name: DBotFindSimilarIncidents description: Find past similar incidents based on incident fields' similarity. Includes an option to also display indicators similarity. @@ -52,6 +52,8 @@ tasks: scriptarguments: fieldExactMatch: simple: accountname + fromDate: + simple: 1 hour incidentId: complex: root: CreatedIncidentID @@ -66,7 +68,6 @@ tasks: toDate: simple: now separatecontext: false - continueonerrortype: "" view: |- { "position": { @@ -79,6 +80,7 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" isoversize: false isautoswitchedtoquietmode: false "3": @@ -120,7 +122,6 @@ tasks: value: simple: "1" iscontext: true - continueonerrortype: "" view: |- { "position": { @@ -133,6 +134,7 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" isoversize: false isautoswitchedtoquietmode: false "4": @@ -148,7 +150,6 @@ tasks: brand: "" description: '' separatecontext: false - continueonerrortype: "" view: |- { "position": { @@ -161,6 +162,7 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + continueonerrortype: "" isoversize: false isautoswitchedtoquietmode: false "5": @@ -296,5 +298,5 @@ view: |- } inputs: [] outputs: [] -fromversion: 6.9.0 +fromversion: 5.0.0 description: '' 
diff --git a/Packs/ML/TestPlaybooks/playbook-EvaluateMLModllAtProduction-Test.yml b/Packs/ML/TestPlaybooks/playbook-EvaluateMLModllAtProduction-Test.yml index f7eb3e4b1827..c98969885c5a 100644 --- a/Packs/ML/TestPlaybooks/playbook-EvaluateMLModllAtProduction-Test.yml +++ b/Packs/ML/TestPlaybooks/playbook-EvaluateMLModllAtProduction-Test.yml @@ -1,27 +1,28 @@ +elasticcommonfields: {} id: EvaluateMLModllAtProduction-Test version: -1 -name: DBotFindSimilarIncidents-test +name: EvaluateMLModllAtProduction-Test starttaskid: "0" tasks: "0": id: "0" - taskid: 53859bf6-0ad5-48e8-83ea-e56e86b07a82 + taskid: 29ce4aa3-1c60-4977-81a8-ccd4534c9e8e type: start task: - id: 53859bf6-0ad5-48e8-83ea-e56e86b07a82 + elasticcommonfields: {} + id: 29ce4aa3-1c60-4977-81a8-ccd4534c9e8e version: -1 name: "" iscommand: false brand: "" - description: '' nexttasks: '#none#': - - "5" + - "1" separatecontext: false view: |- { "position": { - "x": 265, + "x": 450, "y": 50 } } 
@@ -30,19 +31,50 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - continueonerrortype: "" - isoversize: false - isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: df1817d1-ba19-419e-8aa2-694f6b8eeca7 + type: regular + task: + elasticcommonfields: {} + id: df1817d1-ba19-419e-8aa2-694f6b8eeca7 + version: -1 + name: Create Incidents + scriptName: CreateIncidentsForEvaluateMLModllAtProduction + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + historicListName: {} + numberOfIncidents: + simple: "100" + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 220 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 "2": id: "2" - taskid: ab3d08f1-8bc2-4c87-857b-2e29bb3f5f38 + taskid: b65f3ed9-a3e8-490f-8d32-d19fbe712c10 type: regular task: - id: ab3d08f1-8bc2-4c87-857b-2e29bb3f5f38 + elasticcommonfields: {} + id: b65f3ed9-a3e8-490f-8d32-d19fbe712c10 version: -1 - name: DBotFindSimilarIncidents - description: Find past similar incidents based on incident fields' similarity. Includes an option to also display indicators similarity. - scriptName: DBotFindSimilarIncidents + name: Evaluate Model + description: Evaluate ML model in production + scriptName: EvaluateMLModllAtProduction type: regular iscommand: false brand: "" 
@@ -50,29 +82,25 @@ tasks: '#none#': - "3" scriptarguments: - fieldExactMatch: - simple: accountname - fromDate: - simple: 1 hour - incidentId: - complex: - root: CreatedIncidentID - transformers: - - operator: atIndex - args: - index: - value: - simple: "0" - similarTextField: - simple: details - toDate: - simple: now + additionalFields: {} + emailPredictionKey: + simple: ${EmailPredictionKey} + emailPredictionProbabilityKey: + simple: ${EmailPredictionProbabilityKey} + emailTagKey: + simple: ${EmailTagKey} + incidentTypes: + simple: Simulation + incidentsQuery: {} + modelTargetAccuracy: {} + phishingLabels: + simple: Tag1:ham,Tag2:spam separatecontext: false view: |- { "position": { - "x": 265, - "y": 545 + "x": 450, + "y": 420 } } note: false @@ -80,53 +108,38 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - continueonerrortype: "" - isoversize: false - isautoswitchedtoquietmode: false "3": id: "3" - taskid: bdd0da3d-8aad-4682-8aff-d2c6a3321690 + taskid: f884e4d2-30f8-4def-87c9-2c027ef8270a type: condition task: - id: bdd0da3d-8aad-4682-8aff-d2c6a3321690 + elasticcommonfields: {} + id: f884e4d2-30f8-4def-87c9-2c027ef8270a version: -1 - name: Check results + name: Check Precision equals 1 type: condition iscommand: false brand: "" nexttasks: - "Yes": + "yes": - "4" separatecontext: false conditions: - - label: "Yes" + - label: "yes" condition: - - - operator: isTrue + - - operator: greaterThan left: value: - simple: DBotFindSimilarIncidents.isSimilarIncidentFound - iscontext: true - - - operator: isEqualString - left: - value: - simple: DBotFindSimilarIncidents.similarIncident.id + simple: EvaluateMLModllAtProduction.EvaluationScores.Precision.All iscontext: true right: value: - complex: - root: CreatedIncidentID - transformers: - - operator: atIndex - args: - index: - value: - simple: "1" - iscontext: true + simple: "0.95" view: |- { "position": { - "x": 265, - "y": 720 + "x": 450, + "y": 610 } } note: false 
@@ -134,147 +147,24 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - continueonerrortype: "" - isoversize: false - isautoswitchedtoquietmode: false "4": id: "4" - taskid: bd930f7e-c2f1-4b46-8efa-6562c60105fe + taskid: 14b3a70e-27cb-4582-8ea0-659eef8b932c type: title task: - id: bd930f7e-c2f1-4b46-8efa-6562c60105fe + elasticcommonfields: {} + id: 14b3a70e-27cb-4582-8ea0-659eef8b932c version: -1 name: Done type: title iscommand: false brand: "" - description: '' - separatecontext: false - view: |- - { - "position": { - "x": 265, - "y": 895 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - continueonerrortype: "" - isoversize: false - isautoswitchedtoquietmode: false - "5": - id: "5" - taskid: c2bb7962-e995-45e1-8636-0ecf2b3ff45c - type: regular - task: - id: c2bb7962-e995-45e1-8636-0ecf2b3ff45c - version: -1 - name: Clear context - description: |- - Delete field from context. - - This automation runs using the default Limited User role, unless you explicitly change the permissions. 
- For more information, see the section about permissions here: - https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations - scriptName: DeleteContext - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "6" - - "7" - scriptarguments: - all: - simple: "yes" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 265, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "6": - id: "6" - taskid: 58890a1b-198a-4f21-87d6-a73d27b24075 - type: regular - task: - id: 58890a1b-198a-4f21-87d6-a73d27b24075 - version: -1 - name: Create incident 1 - description: commands.local.cmd.create.inc - script: Builtin|||createNewIncident - type: regular - iscommand: true - brand: Builtin - nexttasks: - '#none#': - - "2" - scriptarguments: - accountname: - simple: SimilarAccountName - details: - simple: this is a test incident and should match up with TestIncident_2 - name: - simple: TestIncident_1 - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 370 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "7": - id: "7" - taskid: 89bf5bb4-77e5-4462-819e-656511050e55 - type: regular - task: - id: 89bf5bb4-77e5-4462-819e-656511050e55 - version: -1 - name: Create incident 2 - description: commands.local.cmd.create.inc - script: Builtin|||createNewIncident - type: regular - iscommand: true - brand: Builtin - nexttasks: - '#none#': - - "2" - scriptarguments: - accountname: - simple: SimilarAccountName - details: - simple: this is a test incident and should match up with TestIncident_1 - name: - simple: TestIncident_2 separatecontext: false - continueonerrortype: "" view: |- { "position": { - "x": 480, - "y": 370 + "x": 
450, + "y": 800 } } note: false @@ -282,16 +172,14 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 910, - "width": 810, - "x": 50, + "height": 815, + "width": 380, + "x": 450, "y": 50 } } @@ -299,4 +187,3 @@ view: |- inputs: [] outputs: [] fromversion: 5.0.0 -description: '' From 31ee063a9f714cf9623134e3407417d87703a7dc Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Mon, 8 Jul 2024 10:30:15 +0300 Subject: [PATCH 20/39] new docker --- .../DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml | 2 +- .../DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml | 2 +- .../DBotFindSimilarIncidentsByIndicators.yml | 2 +- .../DBotPredictPhishingWords/DBotPredictPhishingWords.yml | 2 +- .../Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml | 2 +- .../DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml | 2 +- .../Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml | 2 +- .../DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml | 2 +- .../DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml | 2 +- .../EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml | 2 +- .../script-CompareEnvPredictionsToExpectedPredictions.yml | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml index 768635cdda77..4a9a642fef74 100644 --- a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml +++ b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml @@ -83,7 +83,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: devdemisto/ml:1.0.0.101872 +dockerimage: demisto/ml:1.0.0.101889 tests: - Create Phishing Classifier V2 ML Test - DBotCreatePhishingClassifierV2FromFile-Test 
diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml index a6660affde47..a2a5aa3aaf7a 100644 --- a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml +++ b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml @@ -105,7 +105,7 @@ script: '-' subtype: python3 timeout: '0' type: python -dockerimage: devdemisto/ml:1.0.0.101872 +dockerimage: demisto/ml:1.0.0.101889 runas: DBotWeakRole tests: - DBotFindSimilarIncidents-test diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml index 7a71577e7439..cd7351ea300d 100644 --- a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml +++ b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml @@ -42,7 +42,7 @@ script: '-' subtype: python3 timeout: '0' type: python -dockerimage: devdemisto/ml:1.0.0.101872 +dockerimage: demisto/ml:1.0.0.101889 runas: DBotWeakRole tests: - DBotFindSimilarIncidentsByIndicators - Test diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml index d06cf33fa2db..27c72e5598eb 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml @@ -98,7 +98,7 @@ tags: - phishing timeout: 60µs type: python -dockerimage: devdemisto/ml:1.0.0.101872 +dockerimage: demisto/ml:1.0.0.101889 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 
diff --git a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml index 6acade2b7975..06a9b3809ec2 100644 --- a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml +++ b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml @@ -104,7 +104,7 @@ tags: - ml timeout: 120µs type: python -dockerimage: devdemisto/ml:1.0.0.101872 +dockerimage: demisto/ml:1.0.0.101889 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml index 9a5761680e9a..4bb5b1d03e35 100644 --- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml +++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml @@ -121,7 +121,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: devdemisto/ml:1.0.0.101872 +dockerimage: demisto/ml:1.0.0.101889 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml index b4e47ef65db7..651f08b8e424 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml +++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml @@ -43,7 +43,7 @@ tags: - ml timeout: 60µs type: python -dockerimage: devdemisto/ml:1.0.0.101872 +dockerimage: demisto/ml:1.0.0.101889 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml index e45e47552512..b299319b82a0 100644 --- a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml 
+++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml @@ -46,7 +46,7 @@ tags: - ml timeout: '0' type: python -dockerimage: devdemisto/ml:1.0.0.101872 +dockerimage: demisto/ml:1.0.0.101889 fromversion: 5.0.0 tests: - VerifyOOBV2Predictions-Test diff --git a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml index a94253b3fd79..6da8da23377f 100644 --- a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml +++ b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml @@ -59,7 +59,7 @@ script: '-' subtype: python3 timeout: 60µs type: python -dockerimage: devdemisto/ml:1.0.0.101872 +dockerimage: demisto/ml:1.0.0.101889 tests: - DbotPredictOufOfTheBoxTestV2 - VerifyOOBV2Predictions-Test diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml index 35686515429c..48168d89c79b 100644 --- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml @@ -42,7 +42,7 @@ outputs: script: '-' subtype: python3 type: python -dockerimage: devdemisto/ml:1.0.0.101872 +dockerimage: demisto/ml:1.0.0.101889 runas: DBotWeakRole fromversion: 5.0.0 tags: diff --git a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml index a5d9fe3ca037..72ae780aa8b2 100644 --- a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml +++ b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml @@ -31,6 +31,6 @@ outputs: scripttarget: 0 subtype: python3 pswd: "" -dockerimage: devdemisto/ml:1.0.0.101872 +dockerimage: demisto/ml:1.0.0.101889 runas: DBotWeakRole fromversion: 5.5.0 \ No newline at end of file 
From 9bec1451512cb64d703da7a2daf2b6468c5ed0b1 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Mon, 8 Jul 2024 10:39:39 +0300 Subject: [PATCH 21/39] RN --- Packs/Base/ReleaseNotes/1_34_27.md | 30 ++++++++++++++++++++++++++++++ Packs/Base/pack_metadata.json | 2 +- Packs/ML/ReleaseNotes/1_4_11.md | 14 ++++++++++++++ Packs/ML/pack_metadata.json | 2 +- 4 files changed, 46 insertions(+), 2 deletions(-) create mode 100644 Packs/Base/ReleaseNotes/1_34_27.md create mode 100644 Packs/ML/ReleaseNotes/1_4_11.md diff --git a/Packs/Base/ReleaseNotes/1_34_27.md b/Packs/Base/ReleaseNotes/1_34_27.md new file mode 100644 index 000000000000..752223d6d51f --- /dev/null +++ b/Packs/Base/ReleaseNotes/1_34_27.md @@ -0,0 +1,30 @@ + +#### Scripts + +##### DBotFindSimilarIncidents + +- Updated the Docker image to: *demisto/ml:1.0.0.101889*. + +##### DBotPredictPhishingWords + +- Updated the Docker image to: *demisto/ml:1.0.0.101889*. + +##### DBotFindSimilarIncidentsByIndicators + +- Updated the Docker image to: *demisto/ml:1.0.0.101889*. + +##### DBotBuildPhishingClassifier + +- Updated the Docker image to: *demisto/ml:1.0.0.101889*. + +##### DBotPreProcessTextData + +- Updated the Docker image to: *demisto/ml:1.0.0.101889*. + +##### DBotTrainTextClassifierV2 + +- Updated the Docker image to: *demisto/ml:1.0.0.101889*. + +##### GetMLModelEvaluation + +- Updated the Docker image to: *demisto/ml:1.0.0.101889*. diff --git a/Packs/Base/pack_metadata.json b/Packs/Base/pack_metadata.json index fe70744f2b12..7809b945f12f 100644 --- a/Packs/Base/pack_metadata.json +++ b/Packs/Base/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Base", "description": "The base pack for Cortex XSOAR.", "support": "xsoar", - "currentVersion": "1.34.26", + "currentVersion": "1.34.27", "author": "Cortex XSOAR", "serverMinVersion": "6.0.0", "url": "https://www.paloaltonetworks.com/cortex", diff --git a/Packs/ML/ReleaseNotes/1_4_11.md b/Packs/ML/ReleaseNotes/1_4_11.md new file mode 100644 index 000000000000..67cf5e246719 
--- /dev/null +++ b/Packs/ML/ReleaseNotes/1_4_11.md @@ -0,0 +1,14 @@ + +#### Scripts + +##### EvaluateMLModllAtProduction + +- Updated the Docker image to: *demisto/ml:1.0.0.101889*. + +##### DBotPredictOutOfTheBoxV2 + +- Updated the Docker image to: *demisto/ml:1.0.0.101889*. + +##### DBotPredictIncidentsBatch + +- Updated the Docker image to: *demisto/ml:1.0.0.101889*. diff --git a/Packs/ML/pack_metadata.json b/Packs/ML/pack_metadata.json index 4ac67ca6f356..379bd599d230 100644 --- a/Packs/ML/pack_metadata.json +++ b/Packs/ML/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Machine Learning", "description": "Help to manage machine learning models in Cortex XSOAR", "support": "xsoar", - "currentVersion": "1.4.10", + "currentVersion": "1.4.11", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From acf5aa76d6f7cc52430b99362669d0c081b0c2a7 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Mon, 8 Jul 2024 12:47:33 +0300 Subject: [PATCH 22/39] new docker --- .../DBotBuildPhishingClassifier.py | 33 +++++++--------- .../DBotBuildPhishingClassifier.yml | 2 +- .../DBotBuildPhishingClassifier_test.py | 7 ++-- .../DBotPredictPhishingWords.py | 12 +++--- .../DBotPreprocessTextData.py | 15 +++---- .../DBotTrainTextClassifierV2.py | 29 +++++++------- .../DBotTrainTextClassifierV2_test.py | 4 +- .../GetMLModelEvaluation.py | 39 +++++++++---------- ...playbook-DBotFindSimilarIncidents-test.yml | 2 +- .../DBotPredictIncidentsBatch.py | 12 +++--- .../DBotPredictOutOfTheBoxV2.py | 2 +- .../EvaluateMLModllAtProduction.py | 4 +- 12 files changed, 79 insertions(+), 82 deletions(-) diff --git a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.py b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.py index 463a366e73ba..15c00554f906 100644 --- a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.py 
+++ b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.py @@ -1,19 +1,12 @@ +from CommonServerPython import * import base64 -import copy import gc -from CommonServerPython import * - -PREFIXES_TO_REMOVE = ['incident.'] ALL_LABELS = "*" def preprocess_incidents_field(incidents_field): - incidents_field = incidents_field.strip() - for prefix in PREFIXES_TO_REMOVE: - if incidents_field.startswith(prefix): - incidents_field = incidents_field[len(prefix):] - return incidents_field + return incidents_field.strip().removeprefix('incident.') def get_phishing_map_labels(comma_values): @@ -28,7 +21,7 @@ def get_phishing_map_labels(comma_values): labels_dict[splited[0].strip()] = splited[1].strip() else: labels_dict[v] = v - return {k: v for k, v in labels_dict.items()} + return dict(labels_dict.items()) def build_query_in_reepect_to_phishing_labels(args): @@ -38,17 +31,17 @@ def build_query_in_reepect_to_phishing_labels(args): return args mapping_dict = get_phishing_map_labels(mapping) tag_field = args['tagField'] - tags_union = ' '.join(['"{}"'.format(label) for label in mapping_dict]) - mapping_query = '{}:({})'.format(tag_field, tags_union) + tags_union = ' '.join([f'"{label}"' for label in mapping_dict]) + mapping_query = f'{tag_field}:({tags_union})' if 'query' not in args or args['query'].strip() == '': args['query'] = mapping_query else: - args['query'] = '({}) and ({})'.format(query, mapping_query) + args['query'] = f'({query}) and ({mapping_query})' return args def get_incidents(d_args): - get_incidents_by_query_args = copy.deepcopy(d_args) + get_incidents_by_query_args = d_args.copy() get_incidents_by_query_args['NonEmptyFields'] = d_args['tagField'] fields_names_to_populate = ['tagField', 'emailsubject', 'emailbody', "emailbodyhtml"] fields_to_populate = [get_incidents_by_query_args.get(x, None) for x in fields_names_to_populate] 
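Review bot: In `build_query_in_reepect_to_phishing_labels`, `tags_union = ' '.join([f'"{label}"' for label in mapping_dict])` and `mapping_query = f'{tag_field}:({tags_union})'` put the label names and `tagField` into the incident query without any escaping. A label that contains a double quote ends the quoted term early and the remainder is parsed as query syntax, so the training set can end up selected by a different query than the caller wrote. Reject such labels before building the string, for example `if any('"' in label for label in mapping_dict): return_error('phishingLabels must not contain double quotes')`; the query language's own escaping rules are not visible here, so escaping instead of rejecting would need confirming. The same construction is in `build_query_in_respect_to_phishing_labels` in DBotPredictIncidentsBatch.py, and the function starts before this hunk.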
@@ -63,15 +56,15 @@ def get_incidents(d_args): def preprocess_incidents(incidents, d_args): - text_pre_process_args = copy.deepcopy(d_args) + text_pre_process_args = d_args.copy() text_pre_process_args['inputType'] = 'json_b64_string' text_pre_process_args['input'] = base64.b64encode(incidents.encode('utf-8')).decode('ascii') text_pre_process_args['preProcessType'] = 'nlp' email_body_fields = [text_pre_process_args.get("emailbody"), text_pre_process_args.get("emailbodyhtml")] email_body = "|".join([x for x in email_body_fields if x]) - text_pre_process_args['textFields'] = "%s,%s" % (text_pre_process_args['emailsubject'], email_body) - text_pre_process_args['whitelistFields'] = "{0},{1}".format('dbot_processed_text', - text_pre_process_args['tagField']) + text_pre_process_args['textFields'] = "{},{}".format(text_pre_process_args['emailsubject'], email_body) + text_pre_process_args['whitelistFields'] = "{},{}".format('dbot_processed_text', + text_pre_process_args['tagField']) res = demisto.executeCommand("DBotPreProcessTextData", text_pre_process_args) if is_error(res): return_error(get_error(res)) @@ -81,7 +74,7 @@ def preprocess_incidents(incidents, d_args): def train_model(processed_text_data, d_args): - train_model_args = copy.deepcopy(d_args) + train_model_args = d_args.copy() train_model_args['inputType'] = 'json_b64_string' train_model_args['input'] = base64.b64encode(processed_text_data.encode('utf-8')).decode('ascii') train_model_args['overrideExistingModel'] = 'true' @@ -90,7 +83,7 @@ def train_model(processed_text_data, d_args): def main(): - d_args = dict(demisto.args()) + d_args = demisto.args() for arg in ['tagField', 'emailbody', 'emailbodyhtml', 'emailsubject', 'timeField']: d_args[arg] = preprocess_incidents_field(d_args.get(arg, '')) diff --git a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml index 4a9a642fef74..cd19468c271f 100644 
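Review bot: `d_args = demisto.args()` in `main` drops the copy that `dict(demisto.args())` used to make, and the loop directly below assigns `d_args[arg] = preprocess_incidents_field(...)`, so `main` now rewrites the object that `demisto.args()` returned. Whether that object is shared with later `demisto.args()` calls is not visible from here; keeping `d_args = dict(demisto.args())` avoids depending on it. The shallow `d_args.copy()` in `preprocess_incidents` and `train_model` is equivalent to the old `deepcopy` only while every argument value is a plain string, which looks likely but is worth a one-line comment. `main` continues outside the hunk.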
--- a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml +++ b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml @@ -83,7 +83,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: demisto/ml:1.0.0.101889 +dockerimage: demisto/python3:3.10.14.101217 tests: - Create Phishing Classifier V2 ML Test - DBotCreatePhishingClassifierV2FromFile-Test diff --git a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier_test.py b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier_test.py index 44a4660752c0..08e291edd12b 100644 --- a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier_test.py +++ b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier_test.py @@ -13,7 +13,8 @@ def test_no_mapping_no_query(): def test_no_mapping_with_query(): args = {'phishingLabels': '*', 'query': QUERY} args = build_query_in_reepect_to_phishing_labels(args) - assert 'query' in args and args['query'] == QUERY + assert 'query' in args + assert args['query'] == QUERY def test_mapping_no_query(): @@ -27,6 +28,6 @@ def test_mapping_with_query(): args = {'phishingLabels': MAPPING, 'tagField': 'closeReason', 'query': QUERY} args = build_query_in_reepect_to_phishing_labels(args) assert 'query' in args - opt1 = args['query'] == '({}) and (closeReason:("spam" "legit"))'.format(QUERY) - opt2 = args['query'] == '({}) and (closeReason:("legit" "spam"))'.format(QUERY) + opt1 = args['query'] == f'({QUERY}) and (closeReason:("spam" "legit"))' + opt2 = args['query'] == f'({QUERY}) and (closeReason:("legit" "spam"))' assert opt1 or opt2 diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py index c8c668af7b07..2318e3d384b8 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py 
+++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py @@ -35,6 +35,7 @@ def get_model_data(model_name, store_type, is_return_error): return model_data, model_type else: handle_error("error reading model %s from Demisto" % model_name, is_return_error) + return None def handle_error(message, is_return_error): @@ -88,6 +89,7 @@ def preprocess_text(text, model_type, is_return_error): else: words_to_token_maps = tokenized_text_result['originalWordsToTokens'] return input_text, words_to_token_maps + return None def predict_phishing_words(model_name, model_store_type, email_subject, email_body, min_text_length, label_threshold, @@ -110,7 +112,7 @@ def predict_phishing_words(model_name, model_store_type, email_subject, email_bo def predict_batch_incidents_light_output(email_subject, email_body, phishing_model, model_type, min_text_length): - text_list = [{'text': "%s \n%s" % (subject, body)} for subject, body in zip(email_subject, email_body)] + text_list = [{'text': f"{subject} \n{body}"} for subject, body in zip(email_subject, email_body)] preprocessed_text_list = preprocess_text(text_list, model_type, is_return_error=False) batch_predictions = [] for input_text in preprocessed_text_list: 
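Review bot: The added `return None` in `get_model_data` and `preprocess_text` spells out that the error path hands back a value the callers cannot use. `predict_batch_incidents_light_output` calls `preprocess_text(text_list, model_type, is_return_error=False)` and then runs `for input_text in preprocessed_text_list:`, and `predict_single_incident_full_output` unpacks the result into `input_text, words_to_token_maps`. If `handle_error` returns instead of exiting when `is_return_error` is false (its body is outside these hunks), both callers fail with a `TypeError` rather than the intended message. Guard the call sites, for example `if preprocessed_text_list is None: return None` before the loop, or have the error path raise. The same `return None` after `return_error(...)` is added to `read_file` and `validate_labels_and_decide_algorithm` in DBotTrainTextClassifierV2.py.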
@@ -132,14 +134,14 @@ def predict_batch_incidents_light_output(email_subject, email_body, phishing_mod 'Type': entryTypes['note'], 'Contents': batch_predictions, 'ContentsFormat': formats['json'], - 'HumanReadable': 'Applied predictions on {} incidents.'.format(len(batch_predictions)), + 'HumanReadable': f'Applied predictions on {len(batch_predictions)} incidents.', } def predict_single_incident_full_output(email_subject, email_body, is_return_error, label_threshold, min_text_length, model_type, phishing_model, set_incidents_fields, top_word_limit, word_threshold): - text = "%s \n%s" % (email_subject, email_body) + text = f"{email_subject} \n{email_body}" input_text, words_to_token_maps = preprocess_text(text, model_type, is_return_error) filtered_text, filtered_text_number_of_words = phishing_model.filter_model_words(input_text) if filtered_text_number_of_words == 0: @@ -170,7 +172,7 @@ def predict_single_incident_full_output(email_subject, email_body, is_return_err highlighted_text_markdown = text.strip() for word in positive_words: for cased_word in [word.lower(), word.title(), word.upper()]: - highlighted_text_markdown = re.sub(r'(? 0: lang_counter = Counter(inc[LANGUAGE_KEY] for inc in data).most_common() description += "Dropped %d sample(s) that were detected as being in foreign languages. " % dropped_count - description += 'Found language counts: {}'.format(', '.join(['{}:{}'.format(lang, count) for lang, count + description += 'Found language counts: {}'.format(', '.join([f'{lang}:{count}' for lang, count in lang_counter])) description += "\n" return filtered_data, description @@ -441,7 +442,7 @@ def main(): # clean text if pre_process_type not in PRE_PROCESS_TYPES: - return_error('Pre-process type {} is not supported'.format(pre_process_type)) + return_error(f'Pre-process type {pre_process_type} is not supported') # clean html and new lines data = clean_text_of_incidents_list(data, DBOT_TEXT_FIELD, remove_html_tags) 
diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.py b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.py index a557dd0921f5..407124e3031a 100644 --- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.py +++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.py @@ -2,7 +2,6 @@ import gc import pandas as pd -from typing import List, Dict from collections import defaultdict, Counter from sklearn.model_selection import StratifiedKFold from CommonServerPython import * @@ -63,10 +62,10 @@ def read_file(input_data, input_type): else: res = demisto.getFilePath(input_data) if not res: - return_error("Entry {} not found".format(input_data)) + return_error(f"Entry {input_data} not found") file_path = res['path'] if input_type.startswith('json'): - with open(file_path, 'r') as f: + with open(file_path) as f: file_content = f.read() if input_type.startswith('csv'): return pd.read_csv(file_path).fillna('').to_dict(orient='records') @@ -76,6 +75,7 @@ def read_file(input_data, input_type): return pd.read_pickle(file_path, compression=None) else: return_error("Unsupported file type %s" % input_type) + return None def get_file_entry_id(file_name): @@ -156,7 +156,7 @@ def find_keywords(data, tag_field, text_field, min_score): human_readable = "# Keywords per category\n" for category, scores in keywords.items(): sorted_scores = sorted(scores.items(), key=lambda x: x[1], reverse=True) - table_items = [{"Word": word, "Score": '{:.2f}'.format(score)} for + table_items = [{"Word": word, "Score": f'{score:.2f}'} for word, score in sorted_scores if score >= min_score] human_readable += tableToMarkdown(category, table_items, ["Word", "Score"]) demisto.results({ 
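Review bot: `return pd.read_pickle(file_path, compression=None)` in `read_file` unpickles a file located through `demisto.getFilePath(input_data)`, and loading a pickle runs code chosen by whoever produced the file. If that entry can come from anyone other than a trusted training script, this is code execution inside the script's container. Limit the pickle input type to entries the pack itself wrote, or drop it in favour of the json and csv paths; at minimum add `# SECURITY: unpickling executes code; accept only entries written by trusted scripts` above the call. The condition that selects this branch is outside the hunk.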
@@ -238,13 +238,13 @@ def validate_data_and_labels(data, exist_labels_counter, labels_mapping, missing labels_counter = Counter([x[DBOT_TAG_FIELD] for x in data]) labels_below_thresh = [label for label, count in labels_counter.items() if count < MIN_INCIDENTS_THRESHOLD] if len(labels_below_thresh) > 0: - err = ['Minimum number of incidents per label required for training is {}.'.format(MIN_INCIDENTS_THRESHOLD)] - err += ['The following labels have less than {} incidents: '.format(MIN_INCIDENTS_THRESHOLD)] + err = [f'Minimum number of incidents per label required for training is {MIN_INCIDENTS_THRESHOLD}.'] + err += [f'The following labels have less than {MIN_INCIDENTS_THRESHOLD} incidents: '] for x in labels_below_thresh: - err += ['- {}: {}'.format(x, str(labels_counter[x]))] + err += [f'- {x}: {str(labels_counter[x])}'] err += ['Make sure that enough incidents exist in the environment per each of these labels.'] missing_labels = ', '.join(missing_labels_counter.keys()) - err += ['The following labels were not mapped to any label in the labels mapping: {}.'.format(missing_labels)] + err += [f'The following labels were not mapped to any label in the labels mapping: {missing_labels}.'] if labels_mapping != ALL_LABELS: err += ['The given mapped labels are: {}.'.format(', '.join(labels_mapping.keys()))] return_error('\n'.join(err)) @@ -269,7 +269,7 @@ def validate_data_and_labels(data, exist_labels_counter, labels_mapping, missing for label, count in exist_labels_counter.items(): mapped_label = labels_mapping[label] if isinstance(labels_mapping, dict) else label if mapped_label != label: - label = "%s -> %s" % (label, mapped_label) + label = f"{label} -> {mapped_label}" exist_labels_counter_mapped[label] = count human_readable = tableToMarkdown("Found labels", exist_labels_counter_mapped) entry = { 
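Review bot: The `str()` call in `err += [f'- {x}: {str(labels_counter[x])}']` is left over from the `.format` version and is redundant, because an f-string placeholder already formats the value with `str`. `err += [f'- {x}: {labels_counter[x]}']` produces the same text. The function starts and ends outside the hunk.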
@@ -280,23 +280,23 @@ def validate_data_and_labels(data, exist_labels_counter, labels_mapping, missing 'HumanReadableFormat': formats['markdown'], } demisto.results(entry) - if len(set([x[DBOT_TAG_FIELD] for x in data])) == 1: + if len({x[DBOT_TAG_FIELD] for x in data}) == 1: single_label = [x[DBOT_TAG_FIELD] for x in data][0] if labels_mapping == ALL_LABELS: - err = ['All received incidents have the same label: {}.'.format(single_label)] + err = [f'All received incidents have the same label: {single_label}.'] else: - err = ['All received incidents mapped to the same label: {}.'.format(single_label)] + err = [f'All received incidents mapped to the same label: {single_label}.'] err += ['At least 2 different labels are required to train a classifier.'] if labels_mapping == ALL_LABELS: err += ['Please make sure that incidents of at least 2 labels exist in the environment.'] else: err += ['The following labels were not mapped to any label in the labels mapping:'] - err += [', '.join([x for x in missing_labels_counter])] + err += [', '.join(list(missing_labels_counter))] not_found_mapped_label = [x for x in labels_mapping if x not in exist_labels_counter or exist_labels_counter[x] == 0] if len(not_found_mapped_label) > 0: miss = ', '.join(not_found_mapped_label) - err += ['Notice that the following mapped labels were not found among all incidents: {}.'.format(miss)] + err += [f'Notice that the following mapped labels were not found among all incidents: {miss}.'] return_error('\n'.join(err)) @@ -354,6 +354,7 @@ def validate_labels_and_decide_algorithm(y, algorithm): error += ['The following labels/verdicts need to be mapped to one of those values: '] error += [', '.join(illegal_labels_for_fine_tune) + '.'] return_error('\n'.join(error)) + return None elif algorithm == AUTO_TRAINING_ALGO: return FASTTEXT_TRAINING_ALGO else: 
diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2_test.py b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2_test.py index 9793f0c45994..fd7072e30f04 100644 --- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2_test.py +++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2_test.py @@ -22,10 +22,10 @@ def test_read_file(mocker): mocker.patch.object(demisto, 'getFilePath', return_value={'path': './TestData/input_json_file_test'}) obj = read_file('231342@343', 'json') assert len(obj) >= 1 - with open('./TestData/input_json_file_test', 'r') as f: + with open('./TestData/input_json_file_test') as f: obj = read_file(f.read(), 'json_string') assert len(obj) >= 1 - with open('./TestData/input_json_file_test', 'r') as f: + with open('./TestData/input_json_file_test') as f: b64_input = base64.b64encode(f.read().encode('utf-8')) # base64.b64encode(f.read()) obj = read_file(b64_input, 'json_b64_string') assert len(obj) >= 1 diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.py b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.py index ae87baa03d21..814b35692286 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.py +++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.py @@ -2,7 +2,6 @@ import pandas as pd from sklearn.metrics import precision_score, recall_score, precision_recall_curve from tabulate import tabulate -from typing import Dict from CommonServerPython import * # pylint: disable=no-member @@ -20,7 +19,7 @@ def bold_hr(s): - return '**{}:**'.format(s) + return f'**{s}:**' def binarize(arr, threshold): 
@@ -61,8 +60,8 @@ def generate_metrics_df(y_true, y_true_per_class, y_pred, y_pred_per_class, thre ], ignore_index=True) df = df[['Class', 'Precision', 'TP', 'FP', 'Coverage', 'Total']] explained_metrics = ['Precision', 'TP (true positive)', 'FP (false positive)', 'Coverage', 'Total'] - explanation = ['{} {}'.format(bold_hr(metric), METRICS[metric]) for metric in explained_metrics] - df.set_index('Class', inplace=True) + explanation = [f'{bold_hr(metric)} {METRICS[metric]}' for metric in explained_metrics] + df = df.set_index('Class') return df, explanation @@ -153,7 +152,7 @@ def output_report(y_true, y_true_per_class, y_pred, y_pred_per_class, found_thre if detailed_output: human_readable += human_readable_threshold + ['\n'] else: - human_readable += ['## Results for confidence threshold = {:.2f}'.format(found_threshold)] + ['\n'] + human_readable += [f'## Results for confidence threshold = {found_threshold:.2f}'] + ['\n'] human_readable += class_metrics_human_readable + ['\n'] human_readable += class_metrics_explanation_human_readable human_readable += csr_matrix_readable @@ -247,7 +246,7 @@ def find_best_threshold_for_target_precision(class_to_arrs, customer_target_prec precision_per_class[class_] = precision break if len(threshold_per_class) == len(labels): - threshold_candidates = sorted(list(threshold_per_class.values())) + threshold_candidates = sorted(threshold_per_class.values()) for threshold in threshold_candidates: legal_threshold_for_all_classes = True threshold_precision = sys.maxsize 
@@ -275,7 +274,7 @@ def calculate_per_class_report_entry(class_to_arrs, labels, y_pred_per_class, y_ 'The following tables present evlauation of the model per class at different confidence thresholds:'] class_to_thresholds = {} for class_ in labels: - class_to_thresholds[class_] = set([0.001]) # using no threshold + class_to_thresholds[class_] = {0.001} # using no threshold for target_precision in np.arange(0.95, 0.5, -0.05): # indexing is done by purpose - the ith precision corresponds with threshold i-1. Last precision is 1 for i, precision in enumerate(class_to_arrs[class_]['precisions'][:-1]): 
@@ -295,15 +294,15 @@ def calculate_per_class_report_entry(class_to_arrs, labels, y_pred_per_class, y_ row['Threshold'] = threshold class_threshold_df = pd.concat([class_threshold_df, pd.DataFrame([row])], ignore_index=True) class_threshold_df = reformat_df_fractions_to_percentage(class_threshold_df) - class_threshold_df['Threshold'] = class_threshold_df['Threshold'].apply(lambda p: '{:.2f}'.format(p)) + class_threshold_df['Threshold'] = class_threshold_df['Threshold'].apply(lambda p: f'{p:.2f}') class_threshold_df = class_threshold_df[['Threshold', 'Precision', 'TP', 'FP', 'Coverage', 'Total']] - class_threshold_df.sort_values(by='Coverage', ascending=False, inplace=True) - class_threshold_df.drop_duplicates(subset='Threshold', inplace=True, keep='first') - class_threshold_df.drop_duplicates(subset='Precision', inplace=True, keep='first') - class_threshold_df.set_index('Threshold', inplace=True) + class_threshold_df = class_threshold_df.sort_values(by='Coverage', ascending=False) + class_threshold_df = class_threshold_df.drop_duplicates(subset='Threshold', keep='first') + class_threshold_df = class_threshold_df.drop_duplicates(subset='Precision', keep='first') + class_threshold_df = class_threshold_df.set_index('Threshold') per_class_context[class_] = class_threshold_df.to_json() tabulated_class_df = tabulate(class_threshold_df, tablefmt="pipe", headers="keys") - per_class_hr += ['### {}'.format(class_), tabulated_class_df] + per_class_hr += [f'### {class_}', tabulated_class_df] per_class_entry = { 'Type': entryTypes['note'], 'ContentsFormat': formats['json'], @@ -320,7 +319,7 @@ def convert_str_to_json(str_json, var_name): y_true = json.loads(str_json) return y_true except Exception as e: - return_error('Exception while reading {} :{}'.format(var_name, e)) + return_error(f'Exception while reading {var_name} :{e}') def main(): 
@@ -337,10 +336,10 @@ def main(): raise DemistoException('Either "yPred" or "yTrue" are empty.') entries = find_threshold(y_true=y_true, - y_pred_all_classes=y_pred_all_classes, - customer_target_precision=target_precision, - target_recall=target_recall, - detailed_output=detailed_output) + y_pred_all_classes=y_pred_all_classes, + customer_target_precision=target_precision, + target_recall=target_recall, + detailed_output=detailed_output) demisto.results(entries) except Exception as e: @@ -351,9 +350,9 @@ def calculate_and_validate_float_parameter(var_name): try: res = float(demisto.args()[var_name]) if var_name in demisto.args() else 0 except Exception: - return_error('{} must be a float between 0-1 or left empty'.format(var_name)) + return_error(f'{var_name} must be a float between 0-1 or left empty') if res < 0 or res > 1: - return_error('{} must be a float between 0-1 or left empty'.format(var_name)) + return_error(f'{var_name} must be a float between 0-1 or left empty') return res diff --git a/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml b/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml index b0e91ffc0c35..e1a78525a5f7 100644 --- a/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml +++ b/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml @@ -66,7 +66,7 @@ tasks: similarTextField: simple: details toDate: - simple: now + simple: tomorrow separatecontext: false view: |- { diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.py b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.py index 0600e8045aac..297d09211d9f 100644 --- a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.py +++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.py 
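Review bot: The range check `if res < 0 or res > 1:` in `calculate_and_validate_float_parameter` accepts NaN, because `float('nan')` parses without raising and both comparisons are false for it. A NaN target precision or recall would then be passed on to `find_threshold` instead of being rejected with the "must be a float between 0-1" message. Writing the check as `if not 0 <= res <= 1:` rejects everything outside the closed interval, NaN included.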
@@ -19,7 +19,7 @@ def get_phishing_map_labels(comma_values): labels_dict[splited[0].strip()] = splited[1].strip() else: labels_dict[v] = v - return {k: v for k, v in labels_dict.items()} + return dict(labels_dict.items()) def build_query_in_respect_to_phishing_labels(args): @@ -29,12 +29,12 @@ def build_query_in_respect_to_phishing_labels(args): return args mapping_dict = get_phishing_map_labels(mapping) tag_field = args['tagField'] - tags_union = ' '.join(['"{}"'.format(label) for label in mapping_dict]) - mapping_query = '{}:({})'.format(tag_field, tags_union) + tags_union = ' '.join([f'"{label}"' for label in mapping_dict]) + mapping_query = f'{tag_field}:({tags_union})' if 'query' not in args: args['query'] = mapping_query else: - args['query'] = '({}) and ({})'.format(query, mapping_query) + args['query'] = f'({query}) and ({mapping_query})' return args @@ -78,7 +78,7 @@ def main(): incidents_df = pd.DataFrame(incidents) predictions_df = pd.DataFrame(res[-1]['Contents']) df = pd.concat([incidents_df, predictions_df], axis=1) - df.rename(columns={"Label": "Prediction"}, inplace=True) + df = df.rename(columns={"Label": "Prediction"}) file_name = 'predictions.csv' file_columns = ['id', tag_field_name, 'Prediction', 'Probability', @@ -90,7 +90,7 @@ def main(): csv_data = filtered_df.to_csv() entry = fileResult(file_name, csv_data) entry['Contents'] = filtered_df.to_json(orient='records') - entry['HumanReadable'] = 'File contains predictions of {} incidents'.format(len(incidents)) + entry['HumanReadable'] = f'File contains predictions of {len(incidents)} incidents' return entry diff --git a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.py b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.py index 8bc85fac9f72..0e7d45042808 100644 --- a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.py +++ b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.py 
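Review bot: `if 'query' not in args:` in `build_query_in_respect_to_phishing_labels` treats an empty or whitespace-only `query` argument as a real query, so the `else` branch builds `() and (...)` around it. The copy of this function in DBotBuildPhishingClassifier.py guards that case with `if 'query' not in args or args['query'].strip() == '':`, and this one should use the same condition. How `query` is read from `args` is outside the hunk, so confirm it is the raw argument.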
@@ -37,7 +37,7 @@ def load_oob_model(): if is_error(res): return_error(get_error(res)) - with open(EVALUATION_PATH, 'r') as json_file: + with open(EVALUATION_PATH) as json_file: data = json.load(json_file) y_test = data['YTrue'] y_pred = data['YPred'] diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.py b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.py index 258c7e09e92a..5842c352b451 100644 --- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.py +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.py @@ -25,7 +25,7 @@ def get_phishing_map_labels(comma_values): labels_dict[v] = v if len(set(labels_dict.values())) == 1: mapped_value = list(labels_dict.values())[0] - error = ['Label mapping error: you need to map to at least two labels: {}.'.format(mapped_value)] + error = [f'Label mapping error: you need to map to at least two labels: {mapped_value}.'] return_error('\n'.join(error)) return {k: canonize_label(v) for k, v in labels_dict.items()} @@ -97,7 +97,7 @@ def return_file_result_with_predictions_on_test_set(data, y_true, y_pred, y_pred def main(incident_types, incident_query, y_true_field, y_pred_field, y_pred_prob_field, model_target_accuracy, labels_mapping, additional_fields): - non_empty_fields = '{},{}'.format(y_true_field.strip(), y_pred_field.strip()) + non_empty_fields = f'{y_true_field.strip()},{y_pred_field.strip()}' incidents_query_args = {'incidentTypes': incident_types, 'NonEmptyFields': non_empty_fields, } From 1220212450d515abd4c447bd86e05c10c476192b Mon Sep 17 00:00:00 2001 
From: Jacob Levy <129657918+jlevypaloalto@users.noreply.github.com> Date: Mon, 8 Jul 2024 18:34:14 +0300 Subject: [PATCH 23/39] revert dockers --- .../DBotPredictPhishingWords/DBotPredictPhishingWords.yml | 2 +- .../Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml | 2 +- .../DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml | 2 +- .../Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml | 2 +- .../DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml | 2 +- .../DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml | 2 +- .../EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml index 27c72e5598eb..d2f3b9d5b62b 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml @@ -98,7 +98,7 @@ tags: - phishing timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.101889 +dockerimage: demisto/ml:1.0.0.32340 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml index 06a9b3809ec2..d43858f26af8 100644 --- a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml +++ b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml @@ -104,7 +104,7 @@ tags: - ml timeout: 120µs type: python -dockerimage: demisto/ml:1.0.0.101889 +dockerimage: demisto/ml:1.0.0.30541 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml index 4bb5b1d03e35..097a4846c1e1 100644 
--- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml +++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml @@ -121,7 +121,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: demisto/ml:1.0.0.101889 +dockerimage: demisto/ml:1.0.0.93129 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml index 651f08b8e424..9aaf9d2c933b 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml +++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml @@ -43,7 +43,7 @@ tags: - ml timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.101889 +dockerimage: demisto/ml:1.0.0.88591 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml index b299319b82a0..0debe7c2eff1 100644 --- a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml +++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml @@ -46,7 +46,7 @@ tags: - ml timeout: '0' type: python -dockerimage: demisto/ml:1.0.0.101889 +dockerimage: demisto/ml:1.0.0.45981 fromversion: 5.0.0 tests: - VerifyOOBV2Predictions-Test diff --git a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml index 6da8da23377f..e0510c400069 100644 --- a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml +++ b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml @@ -59,7 +59,7 @@ script: '-' subtype: python3 timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.101889 +dockerimage: demisto/ml:1.0.0.32340 tests: - DbotPredictOufOfTheBoxTestV2 - VerifyOOBV2Predictions-Test 
diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml index 48168d89c79b..7e8eb335fe41 100644 --- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml @@ -42,7 +42,7 @@ outputs: script: '-' subtype: python3 type: python -dockerimage: demisto/ml:1.0.0.101889 +dockerimage: demisto/ml:1.0.0.45981 runas: DBotWeakRole fromversion: 5.0.0 tags: From a5584e1a6e809276064a784dcf7a53be2e37ef16 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Mon, 8 Jul 2024 19:57:17 +0300 Subject: [PATCH 24/39] more stuff --- .../GetMLModelEvaluation_test.py | 41 +++++++-------- .../DBotPredictIncidentsBatch/README.md | 51 ++++++++++++++++++ .../EvaluateMLModllAtProduction/README.md | 52 +++++++++++++++++++ 3 files changed, 123 insertions(+), 21 deletions(-) create mode 100644 Packs/ML/Scripts/DBotPredictIncidentsBatch/README.md create mode 100644 Packs/ML/Scripts/EvaluateMLModllAtProduction/README.md diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation_test.py b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation_test.py index e69aa533abe2..cc6835394e28 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation_test.py +++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation_test.py @@ -1,4 +1,3 @@ -import json from GetMLModelEvaluation import find_threshold @@ -48,8 +47,8 @@ class 2 precision per threshold: def test_threshold_found_0(mocker): global y_true, y_pred - entry = find_threshold(y_pred_str=json.dumps(y_pred), - y_true_str=json.dumps(y_true), + entry = find_threshold(y_pred_all_classes=y_pred, + y_true=y_true, customer_target_precision=0, target_recall=0) assert abs(entry['Contents']['threshold'] - 0.7) < 10 ** -2 
@@ -57,8 +56,8 @@ def test_threshold_found_0(mocker): def test_threshold_found_1(mocker): global y_true, y_pred - entry = find_threshold(y_pred_str=json.dumps(y_pred), - y_true_str=json.dumps(y_true), + entry = find_threshold(y_pred_all_classes=y_pred, + y_true=y_true, customer_target_precision=0.63, target_recall=0) assert abs(entry['Contents']['threshold'] - 0.7) < 10 ** -2 @@ -66,8 +65,8 @@ def test_threshold_found_1(mocker): def test_threshold_found_2(mocker): global y_true, y_pred - entry = find_threshold(y_pred_str=json.dumps(y_pred), - y_true_str=json.dumps(y_true), + entry = find_threshold(y_pred_all_classes=y_pred, + y_true=y_true, customer_target_precision=0.7, target_recall=0) assert abs(entry['Contents']['threshold'] - 0.8) < 10 ** -2 @@ -75,16 +74,16 @@ def test_threshold_found_2(mocker): def test_threshold_found_3(mocker): global y_true, y_pred - entry = find_threshold(y_pred_str=json.dumps(y_pred), - y_true_str=json.dumps(y_true), + entry = find_threshold(y_pred_all_classes=y_pred, + y_true=y_true, customer_target_precision=0.875, target_recall=0) assert abs(entry['Contents']['threshold'] - 0.8) < 10 ** -2 def test_no_existing_threshold(mocker): - entry = find_threshold(y_pred_str=json.dumps(y_pred), - y_true_str=json.dumps(y_true), + entry = find_threshold(y_pred_all_classes=y_pred, + y_true=y_true, customer_target_precision=0.9, target_recall=0) assert abs(entry['Contents']['threshold'] - 0.8) < 10 ** -2 @@ -93,8 +92,8 @@ def test_no_existing_threshold(mocker): def test_predictions_are_correct_and_all_equals_one_prob(mocker): y_true = ['class1'] * 7 + ['class2'] * 7 y_pred = [{'class1': 0.95}] * 7 + [{'class2': 0.95}] * 7 - entry = find_threshold(y_pred_str=json.dumps(y_pred), - y_true_str=json.dumps(y_true), + entry = find_threshold(y_pred_all_classes=y_pred, + y_true=y_true, customer_target_precision=0.6, target_recall=0) assert abs(entry['Contents']['threshold'] - 0.95) < 10 ** -2 
@@ -103,8 +102,8 @@ def test_predictions_are_correct_and_all_equals_one_prob(mocker): def test_predictions_are_correct_and_almost_all_equals_one_prob(mocker): y_true = ['class1'] * 7 + ['class2'] * 7 y_pred = [{'class1': 1}] * 6 + [{'class1': 0.95}] + [{'class2': 1}] * 7 - entry = find_threshold(y_pred_str=json.dumps(y_pred), - y_true_str=json.dumps(y_true), + entry = find_threshold(y_pred_all_classes=y_pred, + y_true=y_true, customer_target_precision=0.6, target_recall=0) assert abs(entry['Contents']['threshold'] - 0.95) < 10 ** -2 @@ -113,8 +112,8 @@ def test_predictions_are_correct_and_almost_all_equals_one_prob(mocker): def test_plabook_test_simulation(mocker): y_pred = [{"spam": 0.9987042546272278}, {"ham": 0.9987037777900696}] y_true = ["spam", "ham"] - entry = find_threshold(y_pred_str=json.dumps(y_pred), - y_true_str=json.dumps(y_true), + entry = find_threshold(y_pred_all_classes=y_pred, + y_true=y_true, customer_target_precision=0.7, target_recall=0) assert abs(entry['Contents']['threshold'] - 0.9987037777900696) < 10 ** -2 @@ -123,8 +122,8 @@ def test_plabook_test_simulation(mocker): def test_all_wrong_predictions(mocker): y_true = ['class1'] * 7 + ['class2'] * 7 y_pred = [{'class2': 0.5}] * 7 + [{'class1': 0.5}] * 7 - entry = find_threshold(y_pred_str=json.dumps(y_pred), - y_true_str=json.dumps(y_true), + entry = find_threshold(y_pred_all_classes=y_pred, + y_true=y_true, customer_target_precision=0.6, target_recall=0) assert entry['Contents']['threshold'] >= 0.5 @@ -133,8 +132,8 @@ def test_all_wrong_predictions(mocker): def test_all_wrong_predictions_2(mocker): y_true = ['class1'] * 7 + ['class2'] * 7 y_pred = [{'class2': 0.5}] * 7 + [{'class1': 0.5}] * 7 - entry = find_threshold(y_pred_str=json.dumps(y_pred), - y_true_str=json.dumps(y_true), + entry = find_threshold(y_pred_all_classes=y_pred, + y_true=y_true, customer_target_precision=0, target_recall=0) assert entry['Contents']['threshold'] >= 0.5 
diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/README.md b/Packs/ML/Scripts/DBotPredictIncidentsBatch/README.md new file mode 100644 index 000000000000..89b2cf074c89 --- /dev/null +++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/README.md 
@@ -0,0 +1,51 @@ +Apply a trained ML model on multiple incidents at once, to compare incidents how the incidents were labeled by analysts, to the predictions of the model. This script is aimed to help evaluate a trained model using past incidents. + +## Script Data + +--- + +| **Name** | **Description** | +| --- | --- | +| Script Type | python3 | +| Tags | phishing, ml | +| Cortex XSOAR Version | 5.0.0 | + +## Dependencies + +--- +This script uses the following commands and scripts. + +* GetIncidentsByQuery +* DBotPredictPhishingWords + +## Used In + +--- +This script is used in the following playbooks and scripts. + +* VerifyOOBV2Predictions-Test + +## Inputs + +--- + +| **Argument Name** | **Description** | +| --- | --- | +| query | Additional text by which to query incidents. | +| incidentTypes | A comma-separated list of incident types by which to filter. | +| fromDate | The start date by which to filter incidents. Date format will be the same as in the incidents query page \(valid strings exaple: "3 days ago", ""2019-01-01T00:00:00 \+0200"\) | +| toDate | The end date by which to filter incidents. Date format will be the same as in the incidents query page \(valid strings exaple: "3 days ago", ""2019-01-01T00:00:00 \+0200"\) | +| limit | The maximum number of incidents to fetch. | +| tagField | The field name with the label. Supports a comma-separated list, the first non-empty value will be taken. | +| hashSeed | If non-empty, hash every word with this seed. | +| phishingLabels | A comma-separated list of email tags values and mapping. The script considers only the tags specified in this field. You can map a label to another value by using this format: LABEL:MAPPED_LABEL. For example, for 4 values in email tag: malicious, credentials harvesting, inner communitcation, external legit email, unclassified. While training, we want to ignore "unclassified" tag, and refer to "credentials harvesting" as "malicious" too. 
Also, we want to merge "inner communitcation" and "external legit email" to one tag called "non-malicious". The input will be: malicious, credentials harvesting:malicious, inner communitcation:non-malicious, external legit email:non-malicious | +| modelName | The model name to store in the system. | +| emailsubject | Incident field name with the email subject. | +| emailbody | Incident field name with the email body \(text\). | +| emailbodyhtml | Incident field name with the email body \(html\). | +| populateFields | A comma-separated list of fields in the object to poplulate. | + +## Outputs + +--- +There are no outputs for this script. diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/README.md b/Packs/ML/Scripts/EvaluateMLModllAtProduction/README.md new file mode 100644 index 000000000000..799b77172067 --- /dev/null +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/README.md 
@@ -0,0 +1,52 @@ +Evaluates an ML model in production. + +## Script Data + +--- + +| **Name** | **Description** | +| --- | --- | +| Script Type | python3 | +| Tags | ml | +| Cortex XSOAR Version | 5.0.0 | + +## Dependencies + +--- +This script uses the following commands and scripts. + +* GetIncidentsByQuery +* GetMLModelEvaluation + +## Used In + +--- +This script is used in the following playbooks and scripts. + +* EvaluateMLModllAtProduction-Test + +## Inputs + +--- + +| **Argument Name** | **Description** | +| --- | --- | +| incidentTypes | A common-separated list of incident types by which to filter. | +| incidentsQuery | The incident query to fetch the training data for the model. | +| emailTagKey | The field name with the email tag. Supports a comma-separated list, the first non-empty value will be taken. | +| emailPredictionKey | The field name with the model prediction. | +| emailPredictionProbabilityKey | The field name with the model prediction probability. | +| modelTargetAccuracy | The model target accuracy, between 0 and 1. | +| phishingLabels | A comma-separated list of email tags values and mapping. The script considers only the tags specified in this field. You can map label to another value by using this format: LABEL:MAPPED_LABEL. For example, for 4 values in email tag: malicious, credentials harvesting, inner communitcation, external legit email, unclassified. While training, we want to ignore "unclassified" tag, and refer to "credentials harvesting" as "malicious" too. Also, we want to merge "inner communitcation" and "external legit email" to one tag called "non-malicious". The input will be: malicious, credentials harvesting:malicious, inner communitcation:non-malicious, external legit email:non-malicious | +| additionalFields | A comma-separated list of incident field names to include in the results file. 
| + +## Outputs + +--- + +| **Path** | **Description** | **Type** | +| --- | --- | --- | +| EvaluateMLModllAtProduction.EvaluationScores | The model evaluation scores \(precision, coverage, etc.\) for the found threshold. | Unknown | +| EvaluateMLModllAtProduction.ConfusionMatrix | The model evaluation confusion matrix for the found threshold. | Unknown | +| EvaluateMLModllAtProductionNoThresh.EvaluationScores | The model evaluation scores \(precision, coverage, etc.\) for threshold = 0. | Unknown | +| EvaluateMLModllAtProductionNoThresh.ConfusionMatrix | The model evaluation confusion matrix for threshold = 0. | Unknown | From 60c90d69696357034dfe6bbe53c4f5b7a4115d43 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Tue, 9 Jul 2024 11:01:17 +0300 Subject: [PATCH 25/39] redirect stderr --- .../DBotPredictPhishingWords.py | 31 ++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py index 2318e3d384b8..20d26a5df092 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py 
@@ -4,10 +4,34 @@ from string import punctuation import demisto_ml import numpy as np +import tempfile FASTTEXT_MODEL_TYPE = 'FASTTEXT_MODEL_TYPE' TORCH_TYPE = 'torch' UNKNOWN_MODEL_TYPE = 'UNKNOWN_MODEL_TYPE' +BERT_TOKENIZER_ERROR = "The tokenizer class you load from this checkpoint is not the same type as the class this function is called from. It may result in unexpected tokenization. \nThe tokenizer class you load from this checkpoint is 'BertTokenizer'. \nThe class this function is called from is 'DistilBertTokenizer'.\n" + +class StderrRedirect: + '''Context manager to redirect stderr.''' + temp_stderr: Any + old_stderr: int + error: str + + def __enter__(self): + demisto.debug('entering StderrRedirect') + self.temp_stderr = tempfile.TemporaryFile() + self.old_stderr = os.dup(sys.stderr.fileno()) # make a copy of stderr + os.dup2(self.temp_stderr.fileno(), sys.stderr.fileno()) # redirect stderr to the temporary file + return self + + def __exit__(self, exc_type, exc_value, exc_traceback): + demisto.debug(f'exiting StderrRedirect: {exc_type=}, {exc_value=}, {exc_traceback=}') + self.temp_stderr.seek(0) + self.error = self.temp_stderr.read().encode() + demisto.debug(f'stderr: {self.error}') + os.dup2(self.old_stderr, sys.stderr.fileno()) # restore stderr + os.close(self.old_stderr) + self.temp_stderr.close() def OrderedSet(iterable): 
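Review bot: `StderrRedirect.__exit__` calls `.encode()` on the value of `self.temp_stderr.read()`, but `tempfile.TemporaryFile()` opens in binary mode by default, so the read returns `bytes` and the call raises `AttributeError`. Because that happens before the `os.dup2(self.old_stderr, ...)` line, file descriptor 2 stays pointed at the temporary file and the duplicated descriptor is leaked. The capture step should decode instead, and the three restore/close calls belong in a `finally:` so stderr is restored even when reading or logging fails. Flushing `sys.stderr` before reading keeps Python-buffered text from being missed by the capture.

```python
    def __exit__(self, exc_type, exc_value, exc_traceback):
        # … unchanged: debug log of exc_type / exc_value / exc_traceback …
        try:
            sys.stderr.flush()  # push Python-buffered text into the temp file before reading it
            self.temp_stderr.seek(0)
            self.error = self.temp_stderr.read().decode(errors='replace')
            demisto.debug(f'stderr: {self.error}')
        finally:
            os.dup2(self.old_stderr, sys.stderr.fileno())  # restore stderr
            os.close(self.old_stderr)
            self.temp_stderr.close()
```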
@@ -99,7 +123,12 @@ def predict_phishing_words(model_name, model_store_type, email_subject, email_bo model_type = FASTTEXT_MODEL_TYPE if model_type not in [FASTTEXT_MODEL_TYPE, TORCH_TYPE, UNKNOWN_MODEL_TYPE]: model_type = UNKNOWN_MODEL_TYPE - phishing_model = demisto_ml.phishing_model_loads_handler(model_data, model_type) + + with StderrRedirect() as s: + phishing_model = demisto_ml.phishing_model_loads_handler(model_data, model_type) + if s.error != BERT_TOKENIZER_ERROR: + raise DemistoException(s.error) + is_model_applied_on_a_single_incidents = isinstance(email_subject, str) and isinstance(email_body, str) if is_model_applied_on_a_single_incidents: return predict_single_incident_full_output(email_subject, email_body, is_return_error, label_threshold, From 5564338bea65d4c8cee075aab2c785af5e1f111a Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Tue, 9 Jul 2024 11:21:39 +0300 Subject: [PATCH 26/39] docker --- .../DBotPredictPhishingWords/DBotPredictPhishingWords.yml | 2 +- .../Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml | 2 +- .../DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml | 2 +- .../Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml | 2 +- .../DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml | 2 +- .../DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml | 2 +- .../EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml index d2f3b9d5b62b..27c72e5598eb 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml 
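Review bot: In `predict_phishing_words`, `if s.error != BERT_TOKENIZER_ERROR: raise DemistoException(s.error)` treats every capture other than that one exact warning as fatal, including an empty one, so a model load that writes nothing to stderr would raise with an empty message. Guarding on content first, `if s.error and s.error != BERT_TOKENIZER_ERROR:`, keeps the intent while letting clean loads through. The exact-string match will also start failing as soon as the upstream library rewords the warning, so a substring or prefix check on the stable part of the message is less brittle. `s.error` is only assigned in `__exit__`, so the comparison has to sit after the `with` block; the collapsed hunk does not show which indentation it has. The function body starts and ends outside the hunk.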
@@ -98,7 +98,7 @@ tags: - phishing timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.32340 +dockerimage: demisto/ml:1.0.0.101889 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml index d43858f26af8..06a9b3809ec2 100644 --- a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml +++ b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml @@ -104,7 +104,7 @@ tags: - ml timeout: 120µs type: python -dockerimage: demisto/ml:1.0.0.30541 +dockerimage: demisto/ml:1.0.0.101889 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml index 097a4846c1e1..4bb5b1d03e35 100644 --- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml +++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml @@ -121,7 +121,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: demisto/ml:1.0.0.93129 +dockerimage: demisto/ml:1.0.0.101889 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml index 9aaf9d2c933b..651f08b8e424 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml +++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml @@ -43,7 +43,7 @@ tags: - ml timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.88591 +dockerimage: demisto/ml:1.0.0.101889 tests: - Create Phishing Classifier V2 ML Test fromversion: 5.0.0 
diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml index 0debe7c2eff1..b299319b82a0 100644 --- a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml +++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml @@ -46,7 +46,7 @@ tags: - ml timeout: '0' type: python -dockerimage: demisto/ml:1.0.0.45981 +dockerimage: demisto/ml:1.0.0.101889 fromversion: 5.0.0 tests: - VerifyOOBV2Predictions-Test diff --git a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml index e0510c400069..6da8da23377f 100644 --- a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml +++ b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml @@ -59,7 +59,7 @@ script: '-' subtype: python3 timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.32340 +dockerimage: demisto/ml:1.0.0.101889 tests: - DbotPredictOufOfTheBoxTestV2 - VerifyOOBV2Predictions-Test diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml index 7e8eb335fe41..48168d89c79b 100644 --- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml @@ -42,7 +42,7 @@ outputs: script: '-' subtype: python3 type: python -dockerimage: demisto/ml:1.0.0.45981 +dockerimage: demisto/ml:1.0.0.101889 runas: DBotWeakRole fromversion: 5.0.0 tags: From a3473004a6742bd3f6c7dd8acfdb366fb6f6bb95 Mon Sep 17 00:00:00 2001 
From: jlevypaloalto Date: Tue, 9 Jul 2024 13:30:29 +0300 Subject: [PATCH 27/39] format --- .../DBotBuildPhishingClassifier.yml | 6 ++-- .../DBotFindSimilarIncidents.yml | 34 +++++++++---------- .../DBotPredictPhishingWords.py | 27 +++++++++++++-- .../Scripts/GetMLModelEvaluation/README.md | 3 ++ .../DBotPredictIncidentsBatch.yml | 6 ++-- .../EvaluateMLModllAtProduction.yml | 2 +- 6 files changed, 51 insertions(+), 27 deletions(-) diff --git a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml index cd19468c271f..3cf8ef4133f3 100644 --- a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml +++ b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml @@ -4,9 +4,9 @@ args: - defaultValue: Phishing description: A comma-separated list of incident types by which to filter. name: incidentTypes -- description: 'The start date by which to filter incidents. Date format will be the same as in the incidents query page (valid strings example: "3 days ago", ""2019-01-01T00:00:00 +0200")' +- description: 'The start date by which to filter incidents. Date format will be the same as in the incidents query page (valid strings example: "3 days ago", ""2019-01-01T00:00:00 +0200").' name: fromDate -- description: 'The end date by which to filter incidents. Date format will be the same as in the incidents query page (valid strings example: "3 days ago", ""2019-01-01T00:00:00 +0200")' +- description: 'The end date by which to filter incidents. Date format will be the same as in the incidents query page (valid strings example: "3 days ago", ""2019-01-01T00:00:00 +0200").' name: toDate - defaultValue: '3000' description: The maximum number of incidents to fetch. 
@@ -39,7 +39,7 @@ args: - description: The model name to store in the system. name: modelName - defaultValue: '*' - description: 'A comma-separated list of email tags values and mapping. The script considers only the tags specified in this field. You can map a label to another value by using this format: LABEL:MAPPED_LABEL. For example, for 4 values in email tag: malicious, credentials harvesting, inner communitcation, external legit email, unclassified. While training, we want to ignore "unclassified" tag, and refer to "credentials harvesting" as "malicious" too. Also, we want to merge "inner communitcation" and "external legit email" to one tag called "non-malicious". The input will be: malicious, credentials harvesting:malicious, inner communitcation:non-malicious, external legit email:non-malicious' + description: 'A comma-separated list of email tags values and mapping. The script considers only the tags specified in this field. You can map a label to another value by using this format: LABEL:MAPPED_LABEL. For example, for 4 values in email tag: malicious, credentials harvesting, inner communitcation, external legit email, unclassified. While training, we want to ignore "unclassified" tag, and refer to "credentials harvesting" as "malicious" too. Also, we want to merge "inner communitcation" and "external legit email" to one tag called "non-malicious". The input will be: malicious, credentials harvesting:malicious, inner communitcation:non-malicious, external legit email:non-malicious.' name: phishingLabels - defaultValue: emailsubject description: Incident field name with the email subject. diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml index a2a5aa3aaf7a..05d67d6f9fde 100644 --- a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml +++ b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml 
@@ -74,6 +74,23 @@ args: name: indicatorsTypes - description: Help to filter out indicators that appear in many incidents. Relevant if includeIndicatorsSimilarity is "True". name: maxIncidentsInIndicatorsForWhiteList +comment: |- + Finds past similar incidents based on incident fields' similarity. Includes an option to also display indicators similarity. + Note: For the similarity calculation, at least one field must be provided in one of the "similarTextField", "similarCategoricalField", or "similarJsonField" arguments. +commonfields: + id: DBotFindSimilarIncidents + version: -1 +enabled: true +name: DBotFindSimilarIncidents +script: '-' +subtype: python3 +timeout: '0' +type: python +dockerimage: demisto/ml:1.0.0.101889 +runas: DBotWeakRole +tests: +- DBotFindSimilarIncidents-test +fromversion: 5.0.0 outputs: - contextPath: DBotFindSimilarIncidents.isSimilarIncidentFound description: Indicates whether similar incidents have been found. @@ -93,20 +110,3 @@ outputs: - contextPath: DBotFindSimilarIncidents.similarIncident.details description: The details of the linked incident. type: string -comment: |- - Finds past similar incidents based on incident fields' similarity. Includes an option to also display indicators similarity. - Note: For the similarity calculation, at least one field must be provided in one of the "similarTextField", "similarCategoricalField", or "similarJsonField" arguments. -commonfields: - id: DBotFindSimilarIncidents - version: -1 -enabled: true -name: DBotFindSimilarIncidents -script: '-' -subtype: python3 -timeout: '0' -type: python -dockerimage: demisto/ml:1.0.0.101889 -runas: DBotWeakRole -tests: -- DBotFindSimilarIncidents-test -fromversion: 5.0.0 diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py index 20d26a5df092..70401283f5eb 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py 
+++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py @@ -11,6 +11,7 @@ UNKNOWN_MODEL_TYPE = 'UNKNOWN_MODEL_TYPE' BERT_TOKENIZER_ERROR = "The tokenizer class you load from this checkpoint is not the same type as the class this function is called from. It may result in unexpected tokenization. \nThe tokenizer class you load from this checkpoint is 'BertTokenizer'. \nThe class this function is called from is 'DistilBertTokenizer'.\n" + class StderrRedirect: '''Context manager to redirect stderr.''' temp_stderr: Any @@ -27,7 +28,7 @@ def __enter__(self): def __exit__(self, exc_type, exc_value, exc_traceback): demisto.debug(f'exiting StderrRedirect: {exc_type=}, {exc_value=}, {exc_traceback=}') self.temp_stderr.seek(0) - self.error = self.temp_stderr.read().encode() + self.error = self.temp_stderr.read().decode() demisto.debug(f'stderr: {self.error}') os.dup2(self.old_stderr, sys.stderr.fileno()) # restore stderr os.close(self.old_stderr) 
@@ -37,8 +38,28 @@ def __exit__(self, exc_type, exc_value, exc_traceback): def OrderedSet(iterable): return list(dict.fromkeys(iterable)) +def new_get_model_data(model_name, store_type): + if store_type == "mlModel": + res_model = demisto.executeCommand("getMLModel", {"modelName": model_name}) + if is_error(res_model): + return_error(get_error(res_model)) + model_data = res_model[0]['Contents']['modelData'] + model_type = res_model[0]['Contents']['model']["type"]["type"] + return model_data, model_type + if store_type == "list": + res_model_list = demisto.executeCommand("getList", {"listName": model_name}) + if is_error(res_model_list): + return_error(get_error(res_model_list)) + return res_model_list[0]["Contents"], UNKNOWN_MODEL_TYPE + return None + + def get_model_data(model_name, store_type, is_return_error): + try: + return new_get_model_data(model_name, store_type) + except Exception as e: + demisto.debug(f'new_get_model_data() failed: {e}, {e.args}') res_model_list = demisto.executeCommand("getList", {"listName": model_name})[0] res_model = demisto.executeCommand("getMLModel", {"modelName": model_name})[0] if is_error(res_model_list) and not is_error(res_model): @@ -194,8 +215,8 @@ def predict_single_incident_full_output(email_subject, email_body, is_return_err negative_tokens = OrderedSet(explain_result['NegativeWords']) positive_words = find_words_contain_tokens(positive_tokens, words_to_token_maps) negative_words = find_words_contain_tokens(negative_tokens, words_to_token_maps) - positive_words = list(OrderedSet([s.strip(punctuation) for s in positive_words])) - negative_words = list(OrderedSet([s.strip(punctuation) for s in negative_words])) + positive_words = OrderedSet([s.strip(punctuation) for s in positive_words]) + negative_words = OrderedSet([s.strip(punctuation) for s in negative_words]) positive_words = [w for w in positive_words if w.isalnum()] negative_words = [w for w in negative_words if w.isalnum()] highlighted_text_markdown = text.strip() 
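Review bot: `new_get_model_data` drops the `is_return_error` flag that `get_model_data` receives and calls `return_error(...)` unconditionally, so a caller that passed a false flag to handle a missing model itself loses that choice on the new path. If `return_error` ends the script by exiting rather than raising an `Exception` subclass (worth confirming against CommonServerPython), the `except Exception` fallback to the legacy lookup is never reached when the command fails. `return new_get_model_data(model_name, store_type)` also hands back `None` for any `store_type` other than `"mlModel"` or `"list"` without trying the legacy path; `res = new_get_model_data(model_name, store_type)` followed by `if res is not None: return res` inside the `try` would keep the fallback. `get_model_data` continues past the end of the hunk.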
diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/README.md b/Packs/Base/Scripts/GetMLModelEvaluation/README.md index 2a1938a4b2bc..395213a9d484 100644 --- a/Packs/Base/Scripts/GetMLModelEvaluation/README.md +++ b/Packs/Base/Scripts/GetMLModelEvaluation/README.md @@ -1,6 +1,7 @@ Finds a threshold for ML model, and performs an evaluation based on it ## Script Data + --- | **Name** | **Description** | @@ -10,6 +11,7 @@ Finds a threshold for ML model, and performs an evaluation based on it | Cortex XSOAR Version | 5.0.0 | ## Inputs + --- | **Argument Name** | **Description** | @@ -21,6 +23,7 @@ Finds a threshold for ML model, and performs an evaluation based on it | detailedOutput | if set to 'true', the output will include a full explanation of the confidence threshold meaning | ## Outputs + --- | **Path** | **Description** | **Type** | diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml index b299319b82a0..f8e63a19b31d 100644 --- a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml +++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml 
@@ -4,9 +4,9 @@ args: - defaultValue: Phishing description: A comma-separated list of incident types by which to filter. name: incidentTypes -- description: 'The start date by which to filter incidents. Date format will be the same as in the incidents query page (valid strings exaple: "3 days ago", ""2019-01-01T00:00:00 +0200")' +- description: 'The start date by which to filter incidents. Date format will be the same as in the incidents query page (valid strings exaple: "3 days ago", ""2019-01-01T00:00:00 +0200").' name: fromDate -- description: 'The end date by which to filter incidents. Date format will be the same as in the incidents query page (valid strings exaple: "3 days ago", ""2019-01-01T00:00:00 +0200")' +- description: 'The end date by which to filter incidents. Date format will be the same as in the incidents query page (valid strings exaple: "3 days ago", ""2019-01-01T00:00:00 +0200").' name: toDate - defaultValue: '3000' description: The maximum number of incidents to fetch. 
@@ -17,7 +17,7 @@ args: - description: If non-empty, hash every word with this seed. name: hashSeed - defaultValue: '*' - description: 'A comma-separated list of email tags values and mapping. The script considers only the tags specified in this field. You can map a label to another value by using this format: LABEL:MAPPED_LABEL. For example, for 4 values in email tag: malicious, credentials harvesting, inner communitcation, external legit email, unclassified. While training, we want to ignore "unclassified" tag, and refer to "credentials harvesting" as "malicious" too. Also, we want to merge "inner communitcation" and "external legit email" to one tag called "non-malicious". The input will be: malicious, credentials harvesting:malicious, inner communitcation:non-malicious, external legit email:non-malicious' + description: 'A comma-separated list of email tags values and mapping. The script considers only the tags specified in this field. You can map a label to another value by using this format: LABEL:MAPPED_LABEL. For example, for 4 values in email tag: malicious, credentials harvesting, inner communitcation, external legit email, unclassified. While training, we want to ignore "unclassified" tag, and refer to "credentials harvesting" as "malicious" too. Also, we want to merge "inner communitcation" and "external legit email" to one tag called "non-malicious". The input will be: malicious, credentials harvesting:malicious, inner communitcation:non-malicious, external legit email:non-malicious.' name: phishingLabels - description: The model name to store in the system. name: modelName diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml index 48168d89c79b..5b6500d56ba8 100644 --- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml 
@@ -17,7 +17,7 @@ args: description: The model target accuracy, between 0 and 1. name: modelTargetAccuracy - defaultValue: '*' - description: 'A comma-separated list of email tags values and mapping. The script considers only the tags specified in this field. You can map label to another value by using this format: LABEL:MAPPED_LABEL. For example, for 4 values in email tag: malicious, credentials harvesting, inner communitcation, external legit email, unclassified. While training, we want to ignore "unclassified" tag, and refer to "credentials harvesting" as "malicious" too. Also, we want to merge "inner communitcation" and "external legit email" to one tag called "non-malicious". The input will be: malicious, credentials harvesting:malicious, inner communitcation:non-malicious, external legit email:non-malicious' + description: 'A comma-separated list of email tags values and mapping. The script considers only the tags specified in this field. You can map label to another value by using this format: LABEL:MAPPED_LABEL. For example, for 4 values in email tag: malicious, credentials harvesting, inner communitcation, external legit email, unclassified. While training, we want to ignore "unclassified" tag, and refer to "credentials harvesting" as "malicious" too. Also, we want to merge "inner communitcation" and "external legit email" to one tag called "non-malicious". The input will be: malicious, credentials harvesting:malicious, inner communitcation:non-malicious, external legit email:non-malicious.' name: phishingLabels - description: A comma-separated list of incident field names to include in the results file. name: additionalFields From ba1d862a8cd33f5968d8a6021c33138f5cfd73e8 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Tue, 9 Jul 2024 13:33:42 +0300 Subject: [PATCH 28/39] format --- .../DBotPredictPhishingWords/DBotPredictPhishingWords.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py index 70401283f5eb..99ccbe6dccaa 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py @@ -1,5 +1,4 @@ # pylint: disable=no-member - from CommonServerPython import * from string import punctuation import demisto_ml @@ -9,8 +8,11 @@ FASTTEXT_MODEL_TYPE = 'FASTTEXT_MODEL_TYPE' TORCH_TYPE = 'torch' UNKNOWN_MODEL_TYPE = 'UNKNOWN_MODEL_TYPE' -BERT_TOKENIZER_ERROR = "The tokenizer class you load from this checkpoint is not the same type as the class this function is called from. It may result in unexpected tokenization. \nThe tokenizer class you load from this checkpoint is 'BertTokenizer'. \nThe class this function is called from is 'DistilBertTokenizer'.\n" - +BERT_TOKENIZER_ERROR = ( + "The tokenizer class you load from this checkpoint is not the same type as the class this function is called from." + " It may result in unexpected tokenization. \nThe tokenizer class you load from this checkpoint is 'BertTokenizer'. " + "\nThe class this function is called from is 'DistilBertTokenizer'.\n" +) class StderrRedirect: '''Context manager to redirect stderr.''' From 556c5b3b7ae53457d899bf573d8e703c6c28a6d9 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Tue, 9 Jul 2024 15:19:36 +0300 Subject: [PATCH 29/39] RN --- Packs/Base/ReleaseNotes/1_34_28.md | 24 ++++++++++++++++++++++++ Packs/Base/pack_metadata.json | 2 +- 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 Packs/Base/ReleaseNotes/1_34_28.md diff --git a/Packs/Base/ReleaseNotes/1_34_28.md b/Packs/Base/ReleaseNotes/1_34_28.md new file mode 100644 index 000000000000..df6462b6a691 --- /dev/null +++ b/Packs/Base/ReleaseNotes/1_34_28.md 
@@ -0,0 +1,24 @@
+
+#### Scripts
+
+##### DBotTrainTextClassifierV2
+
+- Updated the Docker image to: *demisto/ml:1.0.0.101889*.
+##### DBotBuildPhishingClassifier
+
+- Changed the Docker image to: *demisto/python3:3.10.14.101217*.
+##### DBotPreProcessTextData
+
+- Updated the Docker image to: *demisto/ml:1.0.0.101889*.
+##### DBotPredictPhishingWords
+
+- Updated the Docker image to: *demisto/ml:1.0.0.101889*.
+##### DBotFindSimilarIncidents
+
+- Updated the Docker image to: *demisto/ml:1.0.0.101889*.
+##### GetMLModelEvaluation
+
+- Updated the Docker image to: *demisto/ml:1.0.0.101889*.
+##### DBotFindSimilarIncidentsByIndicators
+
+- Updated the Docker image to: *demisto/ml:1.0.0.101889*.
diff --git a/Packs/Base/pack_metadata.json b/Packs/Base/pack_metadata.json
index 7809b945f12f..a775366f69e8 100644
--- a/Packs/Base/pack_metadata.json
+++ b/Packs/Base/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Base",
 "description": "The base pack for Cortex XSOAR.",
 "support": "xsoar",
- "currentVersion": "1.34.27",
+ "currentVersion": "1.34.28",
 "author": "Cortex XSOAR",
 "serverMinVersion": "6.0.0",
 "url": "https://www.paloaltonetworks.com/cortex",
From a0abaa83677482ca413b900ad3e73b44b2cc0cb3 Mon Sep 17 00:00:00 2001
From: jlevypaloalto
Date: Tue, 9 Jul 2024 17:02:08 +0300
Subject: [PATCH 30/39] more stuff
---
 .../DBotPredictPhishingWords.py | 57 ++++++------------
 ...playbook-DBotFindSimilarIncidents-test.yml | 60 +++++++++++++++----
 .../DBotPredictOutOfTheBoxV2.py | 1 +
 3 files changed, 69 insertions(+), 49 deletions(-)
diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py
index 99ccbe6dccaa..12fbc28bb4df 100644
--- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py
+++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py
@@ -40,49 +40,30 @@ def __exit__(self, exc_type, exc_value, exc_traceback): def OrderedSet(iterable): return list(dict.fromkeys(iterable)) -def new_get_model_data(model_name, store_type): - if store_type == "mlModel": +def get_model_data(model_name: str, store_type: str, is_return_error: bool) -> None | tuple[dict, str]: + + def load_from_models(model_name: str) -> None | tuple[dict, str]: res_model = demisto.executeCommand("getMLModel", {"modelName": model_name}) if is_error(res_model): - return_error(get_error(res_model)) + demisto.debug(get_error(res_model)) + return None model_data = res_model[0]['Contents']['modelData'] - model_type = res_model[0]['Contents']['model']["type"]["type"] + model_type = dict_safe_get(res_model, [0, 'Contents', 'model', "type", "type"], UNKNOWN_MODEL_TYPE) return model_data, model_type + + def load_from_list(model_name): + res_model = demisto.executeCommand("getList", {"listName": model_name}) + if is_error(res_model): + demisto.debug(get_error(res_model)) + return None + return res_model[0]["Contents"], UNKNOWN_MODEL_TYPE + + if store_type == "mlModel": + res = load_from_models(model_name) or load_from_list(model_name) if store_type == "list": - res_model_list = demisto.executeCommand("getList", {"listName": model_name}) - if is_error(res_model_list): - return_error(get_error(res_model_list)) - return res_model_list[0]["Contents"], UNKNOWN_MODEL_TYPE - return None - - - -def get_model_data(model_name, store_type, is_return_error): - try: - return new_get_model_data(model_name, store_type) - except Exception as e: - demisto.debug(f'new_get_model_data() failed: {e}, {e.args}') - res_model_list = demisto.executeCommand("getList", {"listName": model_name})[0] - res_model = demisto.executeCommand("getMLModel", {"modelName": model_name})[0] - if is_error(res_model_list) and not is_error(res_model): - model_data = res_model['Contents']['modelData'] - try: - model_type = res_model['Contents']['model']["type"]["type"] - return model_data, 
model_type - except Exception: - return model_data, UNKNOWN_MODEL_TYPE - elif not is_error(res_model_list) and is_error(res_model): - return res_model_list["Contents"], UNKNOWN_MODEL_TYPE - elif not is_error(res_model_list) and not is_error(res_model): - if store_type == "list": - return res_model_list["Contents"], UNKNOWN_MODEL_TYPE - elif store_type == "mlModel": - model_data = res_model['Contents']['modelData'] - model_type = res_model['Contents']['model']["type"]["type"] - return model_data, model_type - else: - handle_error("error reading model %s from Demisto" % model_name, is_return_error) - return None + res = load_from_list(model_name) or load_from_models(model_name) + + return res or handle_error(f"error reading model {model_name} from Demisto", is_return_error) def handle_error(message, is_return_error): diff --git a/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml b/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml index e1a78525a5f7..ace3806aea00 100644 --- a/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml +++ b/Packs/Base/TestPlaybooks/playbook-DBotFindSimilarIncidents-test.yml @@ -1,5 +1,7 @@ id: DBotFindSimilarIncidents-test version: -1 +contentitemexportablefields: + contentitemfields: {} name: DBotFindSimilarIncidents-test starttaskid: "0" tasks: @@ -18,6 +20,7 @@ tasks: '#none#': - "5" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -30,7 +33,6 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - continueonerrortype: "" isoversize: false isautoswitchedtoquietmode: false "2": @@ -68,11 +70,12 @@ tasks: toDate: simple: tomorrow separatecontext: false + continueonerrortype: "" view: |- { "position": { "x": 265, - "y": 545 + "y": 720 } } note: false @@ -80,7 +83,6 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - continueonerrortype: "" isoversize: false isautoswitchedtoquietmode: false "3": 
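Review bot: `res` is never bound when `store_type` is neither "mlModel" nor "list", so the closing `return res or handle_error(...)` of the new `get_model_data` raises UnboundLocalError instead of reaching `handle_error`; the `@@ -61,10 +62,10 @@` hunk of PATCH 32 turns the second `if` into `elif` but leaves the same gap. Binding `res = None` before the two branches keeps that case on the `handle_error` path. The `or` chains also make each store a silent fallback for the other: a request for an `mlModel` that cannot be loaded returns the contents of a list with the same name, tagged `UNKNOWN_MODEL_TYPE`, and that blob is later handed to `demisto_ml.phishing_model_loads_handler`. If lists can be written by users who cannot publish ML models (not visible on this page), only the requested store should be consulted, or the fallback should at least be recorded with `demisto.debug(f'{model_name}: falling back to the other store')`. The body of `handle_error` lies outside the hunk, so what it returns when `is_return_error` is false cannot be checked here.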
@@ -122,11 +124,12 @@ tasks: value: simple: "1" iscontext: true + continueonerrortype: "" view: |- { "position": { "x": 265, - "y": 720 + "y": 895 } } note: false @@ -134,7 +137,6 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - continueonerrortype: "" isoversize: false isautoswitchedtoquietmode: false "4": @@ -150,11 +152,12 @@ tasks: brand: "" description: '' separatecontext: false + continueonerrortype: "" view: |- { "position": { "x": 265, - "y": 895 + "y": 1070 } } note: false @@ -162,7 +165,6 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 - continueonerrortype: "" isoversize: false isautoswitchedtoquietmode: false "5": @@ -221,7 +223,7 @@ tasks: brand: Builtin nexttasks: '#none#': - - "2" + - "8" scriptarguments: accountname: simple: SimilarAccountName @@ -260,7 +262,7 @@ tasks: brand: Builtin nexttasks: '#none#': - - "2" + - "8" scriptarguments: accountname: simple: SimilarAccountName @@ -284,12 +286,48 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: e4380779-44e3-4395-8e2d-51e6e44ce672 + type: regular + task: + id: e4380779-44e3-4395-8e2d-51e6e44ce672 + version: -1 + name: Sleep for ten seconds to let the incidents load + description: Sleep for X seconds. + scriptName: Sleep + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + seconds: + simple: "10" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 545 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 910, + "height": 1085, "width": 810, "x": 50, "y": 50 @@ -298,5 +336,5 @@ view: |- } inputs: [] outputs: [] -fromversion: 5.0.0 +fromversion: 6.9.0 description: '' 
diff --git a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.py b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.py index 0e7d45042808..0c526a008b14 100644 --- a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.py +++ b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.py @@ -76,6 +76,7 @@ def predict_phishing_words(): load_oob_model() dargs = demisto.args() dargs['modelName'] = OUT_OF_THE_BOX_MODEL_NAME + dargs['modelStoreType'] = 'mlModel' res = demisto.executeCommand('DBotPredictPhishingWords', dargs) if is_error(res): return_error(get_error(res)) From c7498f79136d2abf882281582a62242916a89163 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Tue, 9 Jul 2024 17:07:40 +0300 Subject: [PATCH 31/39] build fixes --- .../Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py | 1 + 1 file changed, 1 insertion(+) diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py index 12fbc28bb4df..845d46e940ea 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py @@ -40,6 +40,7 @@ def __exit__(self, exc_type, exc_value, exc_traceback): def OrderedSet(iterable): return list(dict.fromkeys(iterable)) + def get_model_data(model_name: str, store_type: str, is_return_error: bool) -> None | tuple[dict, str]: def load_from_models(model_name: str) -> None | tuple[dict, str]: From df9038b29eb9012e3b90a9551cb80a642038398d Mon Sep 17 00:00:00 2001 
From: jlevypaloalto Date: Tue, 9 Jul 2024 17:39:43 +0300 Subject: [PATCH 32/39] build fixes --- .../DBotBuildPhishingClassifier.yml | 2 +- .../DBotPredictPhishingWords/DBotPredictPhishingWords.py | 7 ++++--- ...hing_words_test.py => DBotPredictPhishingWords_test.py} | 0 .../EvaluateMLModllAtProduction.py | 4 +++- Tests/conf.json | 1 - 5 files changed, 8 insertions(+), 6 deletions(-) rename Packs/Base/Scripts/DBotPredictPhishingWords/{dbot_predict_phishing_words_test.py => DBotPredictPhishingWords_test.py} (100%) diff --git a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml index 3cf8ef4133f3..82289f4eb072 100644 --- a/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml +++ b/Packs/Base/Scripts/DBotBuildPhishingClassifier/DBotBuildPhishingClassifier.yml @@ -83,7 +83,7 @@ tags: - ml timeout: 12µs type: python -dockerimage: demisto/python3:3.10.14.101217 +dockerimage: demisto/python3:3.11.9.101916 tests: - Create Phishing Classifier V2 ML Test - DBotCreatePhishingClassifierV2FromFile-Test diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py index 845d46e940ea..997be5a267ba 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py @@ -14,6 +14,7 @@ "\nThe class this function is called from is 'DistilBertTokenizer'.\n" ) + class StderrRedirect: '''Context manager to redirect stderr.''' temp_stderr: Any 
@@ -41,7 +42,7 @@ def OrderedSet(iterable): return list(dict.fromkeys(iterable)) -def get_model_data(model_name: str, store_type: str, is_return_error: bool) -> None | tuple[dict, str]: +def get_model_data(model_name: str, store_type: str, is_return_error: bool) -> tuple[dict, str]: def load_from_models(model_name: str) -> None | tuple[dict, str]: res_model = demisto.executeCommand("getMLModel", {"modelName": model_name}) @@ -61,10 +62,10 @@ def load_from_list(model_name): if store_type == "mlModel": res = load_from_models(model_name) or load_from_list(model_name) - if store_type == "list": + elif store_type == "list": res = load_from_list(model_name) or load_from_models(model_name) - return res or handle_error(f"error reading model {model_name} from Demisto", is_return_error) + return res or handle_error(f"error reading model {model_name} from Demisto", is_return_error) # type: ignore def handle_error(message, is_return_error): diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/dbot_predict_phishing_words_test.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords_test.py similarity index 100% rename from Packs/Base/Scripts/DBotPredictPhishingWords/dbot_predict_phishing_words_test.py rename to Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords_test.py diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.py b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.py index 5842c352b451..8621fef38b9e 100644 --- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.py +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.py 
@@ -107,8 +107,8 @@ def main(incident_types, incident_query, y_true_field, y_pred_field, y_pred_prob if is_error(incidents_query_res): return_error(get_error(incidents_query_res)) incidents = json.loads(incidents_query_res[0]['Contents']) - demisto.results(f'Found {len(incidents)} incidents') if incidents: + demisto.results(f'Found {len(incidents)} incident(s)') y_true = [] y_pred = [] y_pred_prob = [] @@ -143,6 +143,8 @@ def main(incident_types, incident_query, y_true_field, y_pred_field, y_pred_prob context_field='EvaluateMLModllAtProductionNoThresh', human_readable_title=human_readable) return_file_result_with_predictions_on_test_set(incidents, y_true, y_pred, y_pred_prob, additional_fields) + else: + return_results('No incidents found.') model_target_accuracy = demisto.args().get('modelTargetAccuracy', 0) diff --git a/Tests/conf.json b/Tests/conf.json index 92d5c884da88..8e25afc5f2b9 100644 --- a/Tests/conf.json +++ b/Tests/conf.json @@ -5933,7 +5933,6 @@ "ThreatGrid_v2_Test": "No instance, developed by Qmasters", "Test-Detonate URL - ThreatGrid": "No instance, developed by Qmasters", "awake_security_test_pb": "No instance, CRTX-77572", - "Create Phishing Classifier V2 ML Test": "Updated docker image lacks data for the ml model. Once data issue is solved for ml module can un skip. ", "SumoLogic-Test": "401 unauthorized, CIAC-6334", "EWS_O365_test": "Issue CIAC-6753", "Microsoft Defender Advanced Threat Protection - Test dev": "Issue CIAC-7514", From 6731a4e9ea63df49732ac7da5c0d9ba6555ff55f Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Tue, 9 Jul 2024 18:13:53 +0300 Subject: [PATCH 33/39] fix unit-tests --- .../DBotPredictPhishingWords_test.py | 31 ++++++++++++------- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords_test.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords_test.py index cdebbd11c754..98dd986c1ef7 100644 
--- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords_test.py +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords_test.py @@ -1,9 +1,9 @@ from collections import defaultdict import pytest - +import sys from CommonServerPython import * -from DBotPredictPhishingWords import get_model_data, predict_phishing_words, main +from DBotPredictPhishingWords import get_model_data, predict_phishing_words, main, BERT_TOKENIZER_ERROR TOKENIZATION_RESULT = None @@ -21,6 +21,13 @@ def explain_model_words(self, a, b, c, d): return self.explain_model_words_res +def phishing_model_func(return_value): + def phishing_model_loads_handler(*_): + sys.stderr.write(BERT_TOKENIZER_ERROR) + return return_value + return phishing_model_loads_handler + + def get_args(): args = defaultdict(lambda: "yes") args['encoding'] = 'utf8' @@ -58,8 +65,8 @@ def executeCommand(command, args=None): def test_get_model_data(mocker): mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) - assert "ModelDataList" == get_model_data("test", "list", True)[0] - assert "ModelDataML" == get_model_data("test", "mlModel", True)[0] + assert get_model_data("test", "list", True)[0] == "ModelDataList" + assert get_model_data("test", "mlModel", True)[0] == "ModelDataML" def test_predict_phishing_words(mocker): 
@@ -71,7 +78,7 @@ def test_predict_phishing_words(mocker): phishing_mock = PhishingModelMock() mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'args', return_value={'topWordsLimit': 10}) - mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) mocker.patch.object(demisto, 'incidents', return_value=[{'isPlayground': True}]) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(phishing_mock, 'explain_model_words', return_value=d, @@ -106,7 +113,7 @@ def test_predict_phishing_words_low_threshold(mocker): phishing_mock = PhishingModelMock() mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'args', return_value={'topWordsLimit': 10}) - mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(phishing_mock, 'explain_model_words', return_value=d, create=True) 
@@ -125,7 +132,7 @@ def test_predict_phishing_words_no_words(mocker): phishing_mock = PhishingModelMock() mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'args', return_value={'topWordsLimit': 10}) - mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("", 0), create=True) TOKENIZATION_RESULT = {'originalText': 'word1 word2 word3', 'tokenizedText': "word1 word2 word3", @@ -151,7 +158,7 @@ def test_predict_phishing_words_hashed(mocker): mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'args', return_value={'topWordsLimit': 10, 'hashSeed': 10}) - mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(phishing_mock, 'explain_model_words', return_value=d, create=True) 
@@ -176,7 +183,7 @@ def test_predict_phishing_words_tokenization_by_character(mocker): phishing_mock = PhishingModelMock() mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'args', return_value={'topWordsLimit': 10, 'hashSeed': 10}) - mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(demisto, 'incidents', return_value=[{'isPlayground': True}]) original_text = 'this is a test' @@ -217,7 +224,7 @@ def unhash_token(t): phishing_mock = PhishingModelMock() mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'args', return_value={'topWordsLimit': 10, 'hashSeed': 10}) - mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(demisto, 'incidents', return_value=[{'isPlayground': True}]) original_text = 'this is a test' 
@@ -263,7 +270,7 @@ def test_main(mocker): mocker.patch.object(demisto, 'args', return_value=args) mocker.patch.object(demisto, 'incidents', return_value=[{'isPlayground': True}]) mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) - mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(phishing_mock, 'explain_model_words', return_value=d, create=True) @@ -303,7 +310,7 @@ def test_no_positive_words(mocker): mocker.patch.object(demisto, 'args', return_value=args) mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) phishing_mock = PhishingModelMock(("text", 2)) - mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) mocker.patch.object(demisto, 'incidents', return_value=[{'isPlayground': True}]) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(phishing_mock, 'explain_model_words', return_value=d, From 5defa87e0db4ad946eae6123998a795c9d7b9c23 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Tue, 9 Jul 2024 21:39:51 +0300 Subject: [PATCH 34/39] more docker changes --- Packs/Base/ReleaseNotes/1_34_28.md | 2 +- .../DBotPredictPhishingWords/DBotPredictPhishingWords.py | 2 +- Packs/ML/ReleaseNotes/1_4_11.md | 4 ++-- .../DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml | 2 +- .../EvaluateMLModllAtProduction.yml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Packs/Base/ReleaseNotes/1_34_28.md b/Packs/Base/ReleaseNotes/1_34_28.md index df6462b6a691..b601d697befc 100644 
--- a/Packs/Base/ReleaseNotes/1_34_28.md +++ b/Packs/Base/ReleaseNotes/1_34_28.md @@ -6,7 +6,7 @@ - Updated the Docker image to: *demisto/ml:1.0.0.101889*. ##### DBotBuildPhishingClassifier -- Changed the Docker image to: *demisto/python3:3.10.14.101217*. +- Changed the Docker image to: *demisto/python3:3.11.9.101916*. ##### DBotPreProcessTextData - Updated the Docker image to: *demisto/ml:1.0.0.101889*. diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py index 997be5a267ba..714c7ffbe164 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py @@ -132,7 +132,7 @@ def predict_phishing_words(model_name, model_store_type, email_subject, email_bo with StderrRedirect() as s: phishing_model = demisto_ml.phishing_model_loads_handler(model_data, model_type) - if s.error != BERT_TOKENIZER_ERROR: + if s.error and s.error != BERT_TOKENIZER_ERROR: raise DemistoException(s.error) is_model_applied_on_a_single_incidents = isinstance(email_subject, str) and isinstance(email_body, str) diff --git a/Packs/ML/ReleaseNotes/1_4_11.md b/Packs/ML/ReleaseNotes/1_4_11.md index 67cf5e246719..62f3201f10f9 100644 --- a/Packs/ML/ReleaseNotes/1_4_11.md +++ b/Packs/ML/ReleaseNotes/1_4_11.md @@ -3,7 +3,7 @@ ##### EvaluateMLModllAtProduction -- Updated the Docker image to: *demisto/ml:1.0.0.101889*. +- Changed the Docker image to: *demisto/python3:3.11.9.101916*. ##### DBotPredictOutOfTheBoxV2 @@ -11,4 +11,4 @@ ##### DBotPredictIncidentsBatch -- Updated the Docker image to: *demisto/ml:1.0.0.101889*. +- Changed the Docker image to: *demisto/python3:3.11.9.101916*. diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml index f8e63a19b31d..f993f481e391 100644 
--- a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml +++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml @@ -46,7 +46,7 @@ tags: - ml timeout: '0' type: python -dockerimage: demisto/ml:1.0.0.101889 +dockerimage: demisto/python3:3.11.9.101916 fromversion: 5.0.0 tests: - VerifyOOBV2Predictions-Test diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml index 5b6500d56ba8..d2c7936bb854 100644 --- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml @@ -42,7 +42,7 @@ outputs: script: '-' subtype: python3 type: python -dockerimage: demisto/ml:1.0.0.101889 +dockerimage: demisto/python3:3.11.9.101916 runas: DBotWeakRole fromversion: 5.0.0 tags: From b5cc9dd6198934df46f1e0904a1c733d188c911d Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Tue, 9 Jul 2024 22:06:16 +0300 Subject: [PATCH 35/39] more docker changes --- .../DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.py | 5 ++--- Packs/ML/ReleaseNotes/1_4_11.md | 4 ++-- .../DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml | 2 +- .../EvaluateMLModllAtProduction.yml | 2 +- 4 files changed, 6 insertions(+), 7 deletions(-) diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.py b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.py index 407124e3031a..0408487579bb 100644 --- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.py +++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.py 
@@ -1,11 +1,10 @@ +from CommonServerPython import * # pylint: disable=no-member import gc - +import demisto_ml import pandas as pd from collections import defaultdict, Counter from sklearn.model_selection import StratifiedKFold -from CommonServerPython import * -import demisto_ml ALL_LABELS = "*" GENERAL_SCORES = { diff --git a/Packs/ML/ReleaseNotes/1_4_11.md b/Packs/ML/ReleaseNotes/1_4_11.md index 62f3201f10f9..c10696c9c530 100644 --- a/Packs/ML/ReleaseNotes/1_4_11.md +++ b/Packs/ML/ReleaseNotes/1_4_11.md @@ -3,7 +3,7 @@ ##### EvaluateMLModllAtProduction -- Changed the Docker image to: *demisto/python3:3.11.9.101916*. +- Changed the Docker image to: *demisto/pandas:1.0.0.102566*. ##### DBotPredictOutOfTheBoxV2 @@ -11,4 +11,4 @@ ##### DBotPredictIncidentsBatch -- Changed the Docker image to: *demisto/python3:3.11.9.101916*. +- Changed the Docker image to: *demisto/pandas:1.0.0.102566*. diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml index f993f481e391..d7fdd4f6854f 100644 --- a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml +++ b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch.yml @@ -46,7 +46,7 @@ tags: - ml timeout: '0' type: python -dockerimage: demisto/python3:3.11.9.101916 +dockerimage: demisto/pandas:1.0.0.102566 fromversion: 5.0.0 tests: - VerifyOOBV2Predictions-Test diff --git a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml index d2c7936bb854..fccba729dba6 100644 --- a/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml +++ b/Packs/ML/Scripts/EvaluateMLModllAtProduction/EvaluateMLModllAtProduction.yml 
@@ -42,7 +42,7 @@ outputs: script: '-' subtype: python3 type: python -dockerimage: demisto/python3:3.11.9.101916 +dockerimage: demisto/pandas:1.0.0.102566 runas: DBotWeakRole fromversion: 5.0.0 tags: From 4ea2ccc18c58200505cdc506eaa6e00455bfdeef Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Wed, 10 Jul 2024 00:10:33 +0300 Subject: [PATCH 36/39] build fixes --- .../DBotPredictPhishingWords.py | 14 ++++++++++---- .../DBotPredictIncidentsBatch_test.py | 0 ...-CompareEnvPredictionsToExpectedPredictions.yml | 2 +- Tests/conf.json | 1 - 4 files changed, 11 insertions(+), 6 deletions(-) create mode 100644 Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch_test.py diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py index 714c7ffbe164..f5b7742a2485 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py 
@@ -130,10 +130,16 @@ def predict_phishing_words(model_name, model_store_type, email_subject, email_bo if model_type not in [FASTTEXT_MODEL_TYPE, TORCH_TYPE, UNKNOWN_MODEL_TYPE]: model_type = UNKNOWN_MODEL_TYPE - with StderrRedirect() as s: - phishing_model = demisto_ml.phishing_model_loads_handler(model_data, model_type) - if s.error and s.error != BERT_TOKENIZER_ERROR: - raise DemistoException(s.error) + # suppress loading error + old_loader = demisto_ml.DistilBertTokenizer.from_pretrained + def new_loader(*args): + with StderrRedirect() as s: + res = old_loader(*args) + if s.error and s.error != BERT_TOKENIZER_ERROR: + raise DemistoException(f"Error while loading DistilBertTokenizer: {s.error}") + return res + demisto_ml.DistilBertTokenizer.from_pretrained = new_loader + phishing_model = demisto_ml.phishing_model_loads_handler(model_data, model_type) is_model_applied_on_a_single_incidents = isinstance(email_subject, str) and isinstance(email_body, str) if is_model_applied_on_a_single_incidents: diff --git a/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch_test.py b/Packs/ML/Scripts/DBotPredictIncidentsBatch/DBotPredictIncidentsBatch_test.py new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml index 72ae780aa8b2..4a14ec137abc 100644 --- a/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml +++ b/Packs/ML/TestPlaybooks/script-CompareEnvPredictionsToExpectedPredictions.yml @@ -31,6 +31,6 @@ outputs: scripttarget: 0 subtype: python3 pswd: "" -dockerimage: demisto/ml:1.0.0.101889 +dockerimage: demisto/pandas:1.0.0.102566 runas: DBotWeakRole fromversion: 5.5.0 \ No newline at end of file diff --git a/Tests/conf.json b/Tests/conf.json index 8e25afc5f2b9..c9e4078e285f 100644 --- a/Tests/conf.json +++ b/Tests/conf.json 
@@ -5853,7 +5853,6 @@ "Detonate URL - WildFire v2.1 - Test": "Issue 40834", "Domain Enrichment - Generic v2 - Test": "Issue 40862", "TestIPQualityScorePlaybook": "Issue 40915", - "VerifyOOBV2Predictions-Test": "Issue 37947", "Infoblox Test": "Issue 25651", "AutoFocusTagsFeed-test": "shares API quota with the other test", "Carbon Black Edr - Test": "Jira ticket XDR-43185", From c0e14c302ceb54c1a357a54454cb854fba44e826 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Wed, 10 Jul 2024 10:12:36 +0300 Subject: [PATCH 37/39] suppress logger --- .../DBotPredictPhishingWords.py | 43 +++---------------- 1 file changed, 5 insertions(+), 38 deletions(-) diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py index f5b7742a2485..30de0aea94d0 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py 
@@ -3,39 +3,15 @@ from string import punctuation import demisto_ml import numpy as np -import tempfile +import logging + +# Suppress logging for a specific library +logging.getLogger('transformers').setLevel(logging.ERROR) FASTTEXT_MODEL_TYPE = 'FASTTEXT_MODEL_TYPE' TORCH_TYPE = 'torch' UNKNOWN_MODEL_TYPE = 'UNKNOWN_MODEL_TYPE' -BERT_TOKENIZER_ERROR = ( - "The tokenizer class you load from this checkpoint is not the same type as the class this function is called from." - " It may result in unexpected tokenization. \nThe tokenizer class you load from this checkpoint is 'BertTokenizer'. " - "\nThe class this function is called from is 'DistilBertTokenizer'.\n" -) - - -class StderrRedirect: - '''Context manager to redirect stderr.''' - temp_stderr: Any - old_stderr: int - error: str - - def __enter__(self): - demisto.debug('entering StderrRedirect') - self.temp_stderr = tempfile.TemporaryFile() - self.old_stderr = os.dup(sys.stderr.fileno()) # make a copy of stderr - os.dup2(self.temp_stderr.fileno(), sys.stderr.fileno()) # redirect stderr to the temporary file - return self - - def __exit__(self, exc_type, exc_value, exc_traceback): - demisto.debug(f'exiting StderrRedirect: {exc_type=}, {exc_value=}, {exc_traceback=}') - self.temp_stderr.seek(0) - self.error = self.temp_stderr.read().decode() - demisto.debug(f'stderr: {self.error}') - os.dup2(self.old_stderr, sys.stderr.fileno()) # restore stderr - os.close(self.old_stderr) - self.temp_stderr.close() + def OrderedSet(iterable): 
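Review bot: The added `logging.getLogger('transformers').setLevel(logging.ERROR)` silences every warning from the whole `transformers` package for the lifetime of the process, whereas the code it replaces tolerated exactly one message (`BERT_TOKENIZER_ERROR`) and raised `DemistoException` on any other stderr output during tokenizer load. Warnings other than the tokenizer-class mismatch are now dropped without trace, which makes an unexpected or damaged model blob harder to diagnose. I would narrow the call to the logger that emits that message (probably `transformers.tokenization_utils_base`, to be confirmed against the version in the image). The comment should state the reason rather than the mechanism, e.g. `# transformers warns that a BertTokenizer checkpoint is loaded as DistilBertTokenizer; expected for our models`.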
@@ -130,15 +106,6 @@ def predict_phishing_words(model_name, model_store_type, email_subject, email_bo
 if model_type not in [FASTTEXT_MODEL_TYPE, TORCH_TYPE, UNKNOWN_MODEL_TYPE]:
 model_type = UNKNOWN_MODEL_TYPE
- # suppress loading error
- old_loader = demisto_ml.DistilBertTokenizer.from_pretrained
- def new_loader(*args):
- with StderrRedirect() as s:
- res = old_loader(*args)
- if s.error and s.error != BERT_TOKENIZER_ERROR:
- raise DemistoException(f"Error while loading DistilBertTokenizer: {s.error}")
- return res
- demisto_ml.DistilBertTokenizer.from_pretrained = new_loader
 phishing_model = demisto_ml.phishing_model_loads_handler(model_data, model_type)
 is_model_applied_on_a_single_incidents = isinstance(email_subject, str) and isinstance(email_body, str)
From bce8abeba5b8659c8ea4feab56706001ca2e9d54 Mon Sep 17 00:00:00 2001
From: jlevypaloalto
Date: Wed, 10 Jul 2024 11:56:40 +0300
Subject: [PATCH 38/39] build fixes
---
 ...script-TestCreateIncidentsForPhishingClassifier.yml | 10 +++++-----
 Tests/conf.json | 1 +
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/Packs/DeveloperTools/TestPlaybooks/script-TestCreateIncidentsForPhishingClassifier.yml b/Packs/DeveloperTools/TestPlaybooks/script-TestCreateIncidentsForPhishingClassifier.yml
index 46efe09ed8d2..2dd896044433 100644
--- a/Packs/DeveloperTools/TestPlaybooks/script-TestCreateIncidentsForPhishingClassifier.yml
+++ b/Packs/DeveloperTools/TestPlaybooks/script-TestCreateIncidentsForPhishingClassifier.yml
@@ -16,13 +16,13 @@ script: >+
 incident1_template = {
 'type': 'Simulation',
- 'emailclassification': 'Tag1',
+ 'tags': 'Tag1',
 }
 incident2_template = {
 'type': 'Simulation',
- 'emailclassification': 'Tag2',
+ 'tags': 'Tag2',
 }
@@ -38,7 +38,7 @@ script: >+ for i in range(0, NUMBER_OF_INCIDENTS): incidents.append({ 'type': 'Simulation', - 'emailclassification': 'Tag3', + 'tags': 'Tag3', 'dbot_processed_text': " ".join([words_tag3[i] for i in [random.randint(0, len(words_tag3)-1) for i in range(30)]]) }) @@ -53,9 +53,9 @@ script: >+ 'Contents': 'Done crete incidents', 'ContentsFormat': formats['text'], 'EntryContext': { - 'EmailSujbectKey': 'emailclassification', + 'EmailSujbectKey': 'tags', 'EmailBodyKey': 'details', - 'EmailTagKey': 'emailclassification', + 'EmailTagKey': 'tags', 'IncidentsQuery': 'type:Simulation' } }) diff --git a/Tests/conf.json b/Tests/conf.json index c9e4078e285f..8e25afc5f2b9 100644 --- a/Tests/conf.json +++ b/Tests/conf.json @@ -5853,6 +5853,7 @@ "Detonate URL - WildFire v2.1 - Test": "Issue 40834", "Domain Enrichment - Generic v2 - Test": "Issue 40862", "TestIPQualityScorePlaybook": "Issue 40915", + "VerifyOOBV2Predictions-Test": "Issue 37947", "Infoblox Test": "Issue 25651", "AutoFocusTagsFeed-test": "shares API quota with the other test", "Carbon Black Edr - Test": "Jira ticket XDR-43185", From 3d2238ab132d9bef7ded3fe690d5d5f80763c49b Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Wed, 10 Jul 2024 13:33:40 +0300 Subject: [PATCH 39/39] build fixes --- .../DBotPredictPhishingWords.py | 1 - .../DBotPredictPhishingWords_test.py | 47 ++++++++----------- .../script-TestCreateIncidentsFile.yml | 4 +- 3 files changed, 22 insertions(+), 30 deletions(-) diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py index 30de0aea94d0..a86b1dea6cf6 100644 --- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py +++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.py @@ -13,7 +13,6 @@ UNKNOWN_MODEL_TYPE = 'UNKNOWN_MODEL_TYPE' - def OrderedSet(iterable): return list(dict.fromkeys(iterable)) 
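Review bot: The `Tests/conf.json` hunk puts `"VerifyOOBV2Predictions-Test": "Issue 37947"` back into what looks like the skipped-tests map, after an earlier commit in this series had removed it. The same series moves `DBotPredictIncidentsBatch`, which lists this playbook under `tests:`, to `demisto/ml:1.0.0.98071`, so that image change ships without its test playbook running. If the failure is unrelated to the new image, the commit message should say so, because `build fixes` does not record why the skip came back.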
diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords_test.py b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords_test.py
index 98dd986c1ef7..2c2b0500cb30 100644
--- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords_test.py
+++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords_test.py
@@ -1,9 +1,8 @@
 from collections import defaultdict
 import pytest
-import sys
 from CommonServerPython import *
-from DBotPredictPhishingWords import get_model_data, predict_phishing_words, main, BERT_TOKENIZER_ERROR
+from DBotPredictPhishingWords import get_model_data, predict_phishing_words, main
 TOKENIZATION_RESULT = None
@@ -21,13 +20,6 @@ def explain_model_words(self, a, b, c, d):
 return self.explain_model_words_res
-def phishing_model_func(return_value):
- def phishing_model_loads_handler(*_):
- sys.stderr.write(BERT_TOKENIZER_ERROR)
- return return_value
- return phishing_model_loads_handler
-
-
 def get_args():
 args = defaultdict(lambda: "yes")
 args['encoding'] = 'utf8'
@@ -37,7 +29,7 @@ def get_args():
 def bold(word):
- return '**{}**'.format(word)
+ return f'**{word}**'
 def executeCommand(command, args=None):
@@ -61,6 +53,7 @@ def executeCommand(command, args=None):
 if w in terms:
 words[i] = bold(w)
 return [{'Contents': ' '.join(words), 'Type': 'note'}]
+ return None
 def test_get_model_data(mocker):
@@ -78,7 +71,7 @@ def test_predict_phishing_words(mocker): phishing_mock = PhishingModelMock() mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'args', return_value={'topWordsLimit': 10}) - mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) mocker.patch.object(demisto, 'incidents', return_value=[{'isPlayground': True}]) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(phishing_mock, 'explain_model_words', return_value=d, @@ -94,14 +87,14 @@ def test_predict_phishing_words(mocker): res = predict_phishing_words("modelName", "list", email_subject, email_body, 0, 0, 0, 10, True) correct_res = {'OriginalText': concatenate_subject_body(email_subject, email_body), 'Probability': 0.7, 'NegativeWords': ['word2'], - 'TextTokensHighlighted': concatenate_subject_body('**{}**'.format(email_subject), email_body), + 'TextTokensHighlighted': concatenate_subject_body(f'**{email_subject}**', email_body), 'PositiveWords': ['word1'], 'Label': 'Valid'} assert res['Contents'] == correct_res def concatenate_subject_body(email_subject, email_body): - return '{} \n{}'.format(email_subject, email_body) + return f'{email_subject} \n{email_body}' def test_predict_phishing_words_low_threshold(mocker): 
@@ -113,7 +106,7 @@ def test_predict_phishing_words_low_threshold(mocker): phishing_mock = PhishingModelMock() mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'args', return_value={'topWordsLimit': 10}) - mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(phishing_mock, 'explain_model_words', return_value=d, create=True) @@ -132,7 +125,7 @@ def test_predict_phishing_words_no_words(mocker): phishing_mock = PhishingModelMock() mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'args', return_value={'topWordsLimit': 10}) - mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("", 0), create=True) TOKENIZATION_RESULT = {'originalText': 'word1 word2 word3', 'tokenizedText': "word1 word2 word3", @@ -158,7 +151,7 @@ def test_predict_phishing_words_hashed(mocker): mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'args', return_value={'topWordsLimit': 10, 'hashSeed': 10}) - mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(phishing_mock, 'explain_model_words', return_value=d, create=True) 
@@ -173,7 +166,7 @@ def test_predict_phishing_words_hashed(mocker): res = predict_phishing_words("modelName", "list", email_subject, email_body, 0, 0, 0, 10, True) assert res['Contents'] == {'OriginalText': concatenate_subject_body(email_subject, email_body), 'Probability': 0.7, 'NegativeWords': ['word2'], - 'TextTokensHighlighted': concatenate_subject_body('**{}**'.format(email_subject), + 'TextTokensHighlighted': concatenate_subject_body(f'**{email_subject}**', email_body), 'PositiveWords': ['word1'], 'Label': 'Valid'} @@ -183,12 +176,12 @@ def test_predict_phishing_words_tokenization_by_character(mocker): phishing_mock = PhishingModelMock() mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'args', return_value={'topWordsLimit': 10, 'hashSeed': 10}) - mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(demisto, 'incidents', return_value=[{'isPlayground': True}]) original_text = 'this is a test' tokenized_text = ' '.join(c for c in original_text if c != ' ') - original_words_to_tokes = {w: [c for c in w] for w in original_text.split()} + original_words_to_tokes = {w: list(w) for w in original_text.split()} TOKENIZATION_RESULT = {'originalText': original_text, 'tokenizedText': tokenized_text, 'originalWordsToTokens': original_words_to_tokes, 
@@ -224,12 +217,12 @@ def unhash_token(t): phishing_mock = PhishingModelMock() mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'args', return_value={'topWordsLimit': 10, 'hashSeed': 10}) - mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(demisto, 'incidents', return_value=[{'isPlayground': True}]) original_text = 'this is a test' tokenized_text = ' '.join(c for c in original_text if c != ' ') - original_words_to_tokes = {w: [c for c in w] for w in original_text.split()} + original_words_to_tokes = {w: list(w) for w in original_text.split()} TOKENIZATION_RESULT = {'originalText': original_text, 'tokenizedText': tokenized_text, 'originalWordsToTokens': original_words_to_tokes, 
@@ -270,13 +263,13 @@ def test_main(mocker): mocker.patch.object(demisto, 'args', return_value=args) mocker.patch.object(demisto, 'incidents', return_value=[{'isPlayground': True}]) mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) - mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(phishing_mock, 'explain_model_words', return_value=d, create=True) - TOKENIZATION_RESULT = {'originalText': '%s %s' % (args['emailSubject'], args['emailBody']), - 'tokenizedText': '%s %s' % (args['emailSubject'], args['emailBody']), + TOKENIZATION_RESULT = {'originalText': '{} {}'.format(args['emailSubject'], args['emailBody']), + 'tokenizedText': '{} {}'.format(args['emailSubject'], args['emailBody']), 'originalWordsToTokens': {'word1': ['word1'], 'word2': ['word2'], 'word3': ['word3']}, } 
@@ -310,14 +303,14 @@ def test_no_positive_words(mocker): mocker.patch.object(demisto, 'args', return_value=args) mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) phishing_mock = PhishingModelMock(("text", 2)) - mocker.patch('demisto_ml.phishing_model_loads_handler', side_effect=phishing_model_func(phishing_mock), create=True) + mocker.patch('demisto_ml.phishing_model_loads_handler', return_value=phishing_mock, create=True) mocker.patch.object(demisto, 'incidents', return_value=[{'isPlayground': True}]) mocker.patch.object(phishing_mock, 'filter_model_words', return_value=("text", 2), create=True) mocker.patch.object(phishing_mock, 'explain_model_words', return_value=d, create=True) - TOKENIZATION_RESULT = {'originalText': '%s %s' % (args['emailSubject'], args['emailBody']), - 'tokenizedText': '%s %s' % (args['emailSubject'], args['emailBody']), + TOKENIZATION_RESULT = {'originalText': '{} {}'.format(args['emailSubject'], args['emailBody']), + 'tokenizedText': '{} {}'.format(args['emailSubject'], args['emailBody']), 'originalWordsToTokens': {'word1': ['word1'], 'word2': ['word2'], 'word3': ['word3']}, } diff --git a/Packs/DeveloperTools/TestPlaybooks/script-TestCreateIncidentsFile.yml b/Packs/DeveloperTools/TestPlaybooks/script-TestCreateIncidentsFile.yml index e086cef5d8bf..1513b26d3780 100644 --- a/Packs/DeveloperTools/TestPlaybooks/script-TestCreateIncidentsFile.yml +++ b/Packs/DeveloperTools/TestPlaybooks/script-TestCreateIncidentsFile.yml @@ -3409,9 +3409,9 @@ args: defaultValue: encodedIncidentsFile description: '' scripttarget: 0 -subtype: python2 +subtype: python3 runonce: false -dockerimage: demisto/python:2.7.18.9326 +dockerimage: demisto/python3:3.11.9.101916 runas: DBotWeakRole comment: '' fromversion: 5.0.0
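Review bot: The switch to `subtype: python3` and `dockerimage: demisto/python3:3.11.9.101916` in `script-TestCreateIncidentsFile.yml` comes with no change to the script body. The diffstat gives this file only four changed lines, which are the two metadata lines in this hunk. Code written for `demisto/python:2.7.18.9326` can fail or behave differently under 3.11 (str/bytes handling, `print`, integer division), and the body lies outside the hunk, so this cannot be checked from here. Please confirm the embedded script was exercised under the new image, or make the body changes in the same commit.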