Parser Actions
PlexTrac will learn about scanner findings as files are imported. This learning can be done either proactively by an admin through parser actions or during the process of a user importing a scanner result file when adding findings to a report.
PlexTrac learns about scanner findings as files are imported. This learning can be done either proactively by an admin through parser actions or when a user imports a scanner file when adding findings to a report. Either way, the learning begins after an admin imports a file via the parser actions page of the Admin Dashboard, and this process must occur for each tool that PlexTrac integrates with. Any files for a tool imported as findings to a report that have not been enabled by an admin on the parser actions page will have no impact on parser actions.
When importing a file, parser actions process the contents to extract relevant information and perform specific operations. The exact parser actions will depend on the file format, and business rules an admin configures.
The findings are matched to the parser action by plugin ID and include actions such as linking to a writeup, changing the finding severity, or ignoring the finding when parsed.
Currently, no other metadata of the finding, such as tags, can be mapped or manipulated by parser actions.
When new files are uploaded to parser actions, plugin IDs are only created for IDs not found and set to a "Default" action, meaning no changes will occur on import unless a parser action is created.
Parser action changes are applied to future imports and don't impact existing findings. For example, if a parser action for a finding severity value was created for a plugin, but moving forward, the source of truth for severity is the scanner tool, then change the parser action for that plugin to "Default." The next time that plugin is imported, the severity value from the source will be imported into the report.
Parser actions apply to all users.
Step 1: Click Parser Actions in the "Tools & Integrations" section of the Admin Dashboard.
Step 2: Check the Enable Parser Plugin Actions box.
Enabling parser plugin actions will allow ability to preset default actions, link writeups, and change severity of scanner findings when imported into a report.
Once parser import rules are set, do not check the "Enable Parser Plugin Actions" box if wanting to import scan results natively without existing rules applied.
Step 3: Click Import.
Step 4: Select the source of the file to import from the "Select Import Source" pulldown menu, then drag the file into the drop area on the modal or click Browse to navigate to the file on the computer.
Supported files for the tool selected in the pulldown menu as the import source will be displayed in the box, along with the maximum file size.
Step 5: Click Upload.
Upload progress is displayed and tracked in the modal.
A notification will confirm a successful import.
Step 6: The imported plugins are now available for configuration. Search or select the desired plug-in and configure it as desired by using the pulldown menus and options to configure the preferred course of action.
Parser plug-in actions include four options:
- 1.Default: This will pass a scanner result through with no action taken.
- 2.Severity: This will override a scanner result finding severity value with a new value selected by the parser action.
- 3.Link Writeup: This will replace a scanner result finding with a custom writeup from WriteupsDB.
- 4.Ignore: This will ignore a scanner result when parsed by PlexTrac.
Parser actions can take findings ingested from an external tool and map them to a custom finding in WriteupsDB. This action will override the description, title, references and recommendations when the finding is imported. Multiple plugins with the same writeup will be mapped to a single finding with merged affected assets.
Step 1: Click Parser Actions in the "Tools & Integrations" section of the Admin Dashboard.
Step 2: Check the Enable Parser Plugin Actions box.
Step 3: Select the parser to work with from the "Filter Plugins" pulldown menu.
Step 4: Select the findings to configure by clicking the checkbox of the finding row or selecting the box in the header column next to "Plugin Id."
Step 5: Select the writeup to link the findings to by selecting the value from the "Link Writeup" pulldown menu.
The linked writeup is now displayed for each finding under the "Write Up" column.
If a new report is created, and the same parser file is imported, only one finding will be imported into the report instead of three.
Once a parser action is created, it cannot be deleted.
Step 1: Click Parser Actions in the "Tools & Integrations" section of the Admin Dashboard.
Step 2: Check the Enable Parser Plugin Actions box.
Step 3: Select the parser to work with from the "Filter Plugins" pulldown menu.
Step 4: Click Add Parser Action.
Step 5: Enter a value for Plugin ID, Plugin Title, and Plugin Description.
All three fields must have a value entered to create a new parser action.
Step 6: Configure the plugin action or severity by selecting the desired values in the pulldown menu.
Step 7: Click Create.
A message confirming creation will appear, and the new parser action is displayed in the list below.
Last modified 4mo ago