Scythe
PlexTrac supports importing CSV or JSON files from Scythe.
Below are the field mappings, with reference notes for context. If a field is not listed, PlexTrac does not currently import it.

PlexTrac finding field | Scythe field |
---|---|
finding.affected_assets.asset.hostname | Endpoint |
finding.affected_assets.asset.asset | Endpoint |
finding.affected_assets.asset.status | if Status == "True" then "Open" else "Closed" |
finding.title | if Request is " " then use Module else use (Module + " " + Request) |
finding.tags | Tags + Campaign Name |
finding.status | if Status == "True" then "Open" else "Closed" |
finding.severity | hard coded to "Medium" |
finding.description | if a known Scythe module then module.title + module.description. If not a known module then "They following Scythe module was conducted: " + Module |
finding.recommendations | if the module is not a known Scythe module then "You should review the security policies associated with this activity." |
finding.references | hard coded to "" |
finding.exhibit.exhibitID | if Module == "printscr" then the data is considered a finding.exhibit; otherwise it is a finding.code_sample |
finding.exhibit.caption | "Timestamp: " + Timestamp |
finding.exhibit.PID | Process ID |
finding.exhibit.User | User |
finding.exhibit.Module | Module |
finding.exhibit.Request | Request |
finding.exhibit.encoded | Response |
finding.exhibit.type | hard coded to "image/png" |
finding.code_sample.caption | hard coded to "Activity Data" |
finding.code_sample.code | hard coded to "" |
finding.code_sample.timestamp | Timestamp |
finding.code_sample.PID | Process ID |
finding.code_sample.User | User |
finding.code_sample.Module | Module |
finding.code_sample.Request | Request |
finding.code_sample.Result | Response |
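
The following is an added example, not PlexTrac's own code: it applies the rules in the table to a Scythe CSV export so the resulting titles, statuses and exhibit/code-sample split can be checked before import. The nested output shape, the `known_modules` lookup, the comma-separated Tags column and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample export. Column names are the Scythe fields from the table;
# the Response values are placeholders, not real captured data.
SAMPLE_CSV = '''Endpoint,Status,Module,Request,Tags,Campaign Name,Timestamp,Process ID,User,Response
WS-01,True,run,whoami,"lab,windows",Q3-Emulation,2024-01-01T10:00:00Z,4242,alice,lab\\alice
WS-02,False,printscr, ,,Q3-Emulation,2024-01-01T10:05:00Z,4310,bob,aGVsbG8=
'''

def map_row(row, known_modules=None):
    """Apply the table's rules to one Scythe row (dict keyed by column name)."""
    known_modules = known_modules or {}  # hypothetical: {module: (title, description)}
    module, request = row["Module"], row["Request"]
    status = "Open" if row["Status"] == "True" else "Closed"
    finding = {
        # The table tests for " "; any blank Request is treated the same here.
        "title": module if request.strip() == "" else module + " " + request,
        "status": status,
        "severity": "Medium",
        "references": "",
        # Assumption: Tags is a comma-separated list in the export.
        "tags": [t.strip() for t in row["Tags"].split(",") if t.strip()]
                + [row["Campaign Name"]],
        "affected_assets": [{"hostname": row["Endpoint"],
                             "asset": row["Endpoint"], "status": status}],
    }
    if module in known_modules:
        title, desc = known_modules[module]
        finding["description"] = title + desc
    else:
        # Strings copied as they appear in the table.
        finding["description"] = "They following Scythe module was conducted: " + module
        finding["recommendations"] = ("You should review the security policies "
                                      "associated with this activity.")
    common = {"PID": row["Process ID"], "User": row["User"],
              "Module": module, "Request": request}
    if module == "printscr":  # screenshot data becomes an exhibit
        finding["exhibit"] = {"caption": "Timestamp: " + row["Timestamp"],
                              "encoded": row["Response"], "type": "image/png", **common}
    else:  # everything else becomes a code sample
        finding["code_sample"] = {"caption": "Activity Data", "code": "",
                                  "timestamp": row["Timestamp"],
                                  "Result": row["Response"], **common}
    return finding

def preview(csv_text, known_modules=None):
    """Map every row of a Scythe CSV export and return the list of findings."""
    return [map_row(r, known_modules) for r in csv.DictReader(io.StringIO(csv_text))]
```

Because severity is always "Medium" and status depends only on the Status column, a preview like this is a quick way to spot rows that will need manual re-rating after import.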