Scythe

PlexTrac supports importing CSV or JSON files from Scythe. Scythe is a cybersecurity company that provides a platform for simulating and testing cyber attacks against an organization's infrastructure, applications, and people. Scythe's platform allows security teams to create and run custom attack simulations, including phishing attacks, ransomware, and other types of malware. 
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, then PlexTrac does not currently import.
Finding Field Mappings
PlexTrac Field
Scythe Field or Path
finding.affected_assets.asset.hostname 
Endpoint
finding.affected_assets.asset.asset
Endpoint
finding.affected_assets.asset.status
if Status == "True" then "Open" else "Closed"
finding.title
if Request is " " then use Module else use (Module + " " + Request)
finding.tags
Tags + Campaign Name
finding.status
if Status == "True" then "Open" else "Closed"
finding.severity
hard coded to "Medium"
finding.description
if a known scythe module then module.title + module.description. If not a known module then "They following Scythe module was conducted: + Module
finding.recommendations
if the module is not a known Scythe module then "You should review the security policies associated with this activity."
finding.references
hard coded to ""
finding.exhibit.exhibitID
if Module == "printscr" then data is concidered a finding.exhibit otherwise is a finding.code_sample
finding.exhibit.caption
"Timestamp: " + Timestamp
finding.exhibit.PID
Process ID
finding.exhibit.User
User
finding.exhibit.Module
Module
finding.exhibit.Request
Request
finding.exhibit.encoded
Response
finding.exhibit.type
hard coded to"image/png"
finding.code_sample.caption
hard coded to "Activity Data"
finding.code_sample.code
hard coded to ""
finding.code_sample.timestamp
Timestamp
finding.code_sample.PID
Process ID
finding.code_sample.User
User
finding.code_sample.Module
Module
finding.code_sample.Request
Request
finding.code_sample.Result
Response
​
​
​

PlexTrac Field	Scythe Field or Path
finding.affected_assets.asset.hostname	Endpoint
finding.affected_assets.asset.asset	Endpoint
finding.affected_assets.asset.status	if Status == "True" then "Open" else "Closed"
finding.title	if Request is " " then use Module else use (Module + " " + Request)
finding.tags	Tags + Campaign Name
finding.status	if Status == "True" then "Open" else "Closed"
finding.severity	hard coded to "Medium"
finding.description	if a known scythe module then module.title + module.description. If not a known module then "They following Scythe module was conducted: + Module
finding.recommendations	if the module is not a known Scythe module then "You should review the security policies associated with this activity."
finding.references	hard coded to ""
finding.exhibit.exhibitID	if Module == "printscr" then data is concidered a finding.exhibit otherwise is a finding.code_sample
finding.exhibit.caption	"Timestamp: " + Timestamp
finding.exhibit.PID	Process ID
finding.exhibit.User	User
finding.exhibit.Module	Module
finding.exhibit.Request	Request
finding.exhibit.encoded	Response
finding.exhibit.type	hard coded to"image/png"
finding.code_sample.caption	hard coded to "Activity Data"
finding.code_sample.code	hard coded to ""
finding.code_sample.timestamp	Timestamp
finding.code_sample.PID	Process ID
finding.code_sample.User	User
finding.code_sample.Module	Module
finding.code_sample.Request	Request
finding.code_sample.Result	Response

Last modified 1mo ago