Scythe

PlexTrac supports importing CSV or JSON files from Scythe. Scythe is a cybersecurity company that provides a platform for simulating and testing cyber attacks against an organization's infrastructure, applications, and people. Scythe's platform allows security teams to create and run custom attack simulations, including phishing attacks, ransomware, and other types of malware.

Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.

Finding Field Mappings

| PlexTrac Field | Scythe Field or Path |
| --- | --- |
| finding.affected_assets.asset.hostname | Endpoint |
| finding.affected_assets.asset.asset | Endpoint |
| finding.affected_assets.asset.status | if Status == "True" then "Open" else "Closed" |
| finding.title | if Request is " " then use Module else use (Module + " " + Request) |
| finding.tags | Tags + Campaign Name |
| finding.status | if Status == "True" then "Open" else "Closed" |
| finding.severity | hard coded to "Medium" |
| finding.description | if a known Scythe module then module.title + module.description; if not a known module then "The following Scythe module was conducted: " + Module |
| finding.recommendations | if the module is not a known Scythe module then "You should review the security policies associated with this activity." |
| finding.references | hard coded to "" |
| finding.exhibit.exhibitID | if Module == "printscr" then the data is considered a finding.exhibit; otherwise it is a finding.code_sample |
| finding.exhibit.caption | "Timestamp: " + Timestamp |
| finding.exhibit.PID | Process ID |
| finding.exhibit.User | User |
| finding.exhibit.Module | Module |
| finding.exhibit.Request | Request |
| finding.exhibit.encoded | Response |
| finding.exhibit.type | hard coded to "image/png" |
| finding.code_sample.caption | hard coded to "Activity Data" |
| finding.code_sample.code | hard coded to "" |
| finding.code_sample.timestamp | Timestamp |
| finding.code_sample.PID | Process ID |
| finding.code_sample.User | User |
| finding.code_sample.Module | Module |
| finding.code_sample.Request | Request |
| finding.code_sample.Result | Response |
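
The mapping rules above, applied to a constructed two-row Scythe CSV so the resulting finding fields can be previewed before an import. This is an added example, not PlexTrac's importer code; the output dict layout, the comma-separated Tags column, and the `known_modules` lookup are assumptions.

```python
import csv
import io

# Constructed sample export; column names are the Scythe fields named in the mapping.
SAMPLE_CSV = """Endpoint,Status,Module,Request,Tags,Campaign Name,Timestamp,Process ID,User,Response
WS-01,True,run,whoami,"recon,discovery",Q1 Purple Team,2024-01-15T10:02:11Z,4312,CORP\\alice,corp\\alice
WS-01,False,printscr, ,,Q1 Purple Team,2024-01-15T10:03:40Z,4312,CORP\\alice,iVBORw0KGgo=
"""

def map_row(row, known_modules=None):
    """Apply the documented mapping to one Scythe row; returns a plain dict (not PlexTrac's API schema)."""
    # Hypothetical lookup: module name -> already combined title + description text.
    known_modules = known_modules or {}
    module, request = row["Module"], row["Request"]
    status = "Open" if row["Status"] == "True" else "Closed"
    finding = {
        # A blank (whitespace-only) Request means the title is the Module alone.
        "title": module if request.strip() == "" else f"{module} {request}",
        "status": status,
        "severity": "Medium",   # hard coded by the import
        "references": "",       # hard coded by the import
        # Assumption: Tags is a comma-separated list; Campaign Name is appended as a tag.
        "tags": [t.strip() for t in row["Tags"].split(",") if t.strip()] + [row["Campaign Name"]],
        "affected_assets": [{"asset": row["Endpoint"], "hostname": row["Endpoint"], "status": status}],
    }
    if module in known_modules:
        # The page does not document a recommendation for known modules, so none is set.
        finding["description"] = known_modules[module]
    else:
        finding["description"] = "The following Scythe module was conducted: " + module
        finding["recommendations"] = "You should review the security policies associated with this activity."
    evidence = {"PID": row["Process ID"], "User": row["User"], "Module": module, "Request": request}
    if module == "printscr":
        # Screenshot output becomes an exhibit; Response carries the encoded image.
        finding["exhibit"] = {**evidence, "caption": "Timestamp: " + row["Timestamp"],
                              "encoded": row["Response"], "type": "image/png"}
    else:
        # Every other module becomes a code sample holding the raw Response.
        finding["code_sample"] = {**evidence, "caption": "Activity Data", "code": "",
                                  "timestamp": row["Timestamp"], "Result": row["Response"]}
    return finding

def preview(csv_text, known_modules=None):
    """Map every row of a Scythe CSV export to its previewed finding fields."""
    return [map_row(r, known_modules) for r in csv.DictReader(io.StringIO(csv_text))]

if __name__ == "__main__":
    for f in preview(SAMPLE_CSV):
        print(f["title"], f["status"], f["tags"], "exhibit" if "exhibit" in f else "code_sample")
```
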

© 2024 PlexTrac, Inc. All rights reserved.