Scythe
PlexTrac supports file imports from Scythe in .csv or .json format. Below are the mappings of fields.
| PlexTrac finding field | Scythe field |
| --- | --- |
| finding.affected_assets.asset.hostname | Endpoint |
| finding.affected_assets.asset.asset | Endpoint |
| finding.affected_assets.asset.status | if Status == "True" then "Open" else "Closed" |
| finding.title | if Request is " " then use Module, else use (Module + " " + Request) |
| finding.tags | Tags + Campaign Name |
| finding.status | if Status == "True" then "Open" else "Closed" |
| finding.severity | hard coded to "Medium" |
| finding.description | if a known Scythe module then module.title + module.description; if not a known module then "The following Scythe module was conducted: " + Module |
| finding.recommendations | if the module is not a known Scythe module then "You should review the security policies associated with this activity." |
| finding.references | hard coded to "" |
| finding.exhibit.exhibitID | if Module == "printscr" then the data is considered a finding.exhibit, otherwise it is a finding.code_sample |
| finding.exhibit.caption | "Timestamp: " + Timestamp |
| finding.exhibit.PID | Process ID |
| finding.exhibit.User | User |
| finding.exhibit.Module | Module |
| finding.exhibit.Request | Request |
| finding.exhibit.encoded | Response |
| finding.exhibit.type | hard coded to "image/png" |
| finding.code_sample.caption | hard coded to "Activity Data" |
| finding.code_sample.code | hard coded to "" |
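The following is an added example, not PlexTrac's importer, that applies the mapping rules above to a constructed two-row Scythe CSV export. It assumes a local `KNOWN_MODULES` lookup (the page does not list which modules are "known"), treats `Tags` and `Campaign Name` as two separate tag values, joins a known module's title and description with a space, and treats the page's blank `" "` Request as empty after stripping whitespace.

```python
import csv
import io

# Constructed sample export (not real Scythe output); column names follow the mapping table.
SAMPLE_CSV = """Timestamp,Endpoint,Process ID,User,Module,Request,Response,Status,Tags,Campaign Name
2024-01-01T10:00:00Z,WS01,4242,alice,printscr, ,iVBORw0KGgo=,True,discovery,Spring Test
2024-01-01T10:05:00Z,WS01,4242,alice,run,whoami,alice,False,execution,Spring Test
"""

# Assumption: a lookup of "known" Scythe modules; the page does not enumerate them.
KNOWN_MODULES = {
    "run": {"title": "Command execution", "description": "Runs a command on the endpoint."},
}

def status_to_text(status):
    # Status "True" -> "Open", anything else -> "Closed"
    return "Open" if status == "True" else "Closed"

def scythe_row_to_finding(row):
    module, request = row["Module"], row["Request"]
    known = KNOWN_MODULES.get(module)
    status = status_to_text(row["Status"])
    finding = {
        # Blank Request (the page's " ") -> Module alone; otherwise Module + " " + Request
        "title": module if request.strip() == "" else f"{module} {request}",
        "tags": [t for t in (row["Tags"], row["Campaign Name"]) if t],
        "status": status,
        "severity": "Medium",  # hard coded per the mapping
        "description": (f'{known["title"]} {known["description"]}' if known
                        else f"The following Scythe module was conducted: {module}"),
        "recommendations": ("" if known else
                            "You should review the security policies associated with this activity."),
        "references": "",
        "affected_assets": [{"asset": {"hostname": row["Endpoint"],
                                       "asset": row["Endpoint"], "status": status}}],
    }
    activity = {"PID": row["Process ID"], "User": row["User"], "Module": module, "Request": request}
    if module == "printscr":
        # Screenshot data becomes an exhibit with the Response as the encoded PNG
        finding["exhibits"] = [dict(activity, caption=f"Timestamp: {row['Timestamp']}",
                                    encoded=row["Response"], type="image/png")]
    else:
        # Any other module's data becomes a code sample with the hard coded caption
        finding["code_samples"] = [dict(activity, caption="Activity Data", code="")]
    return finding

def import_scythe_csv(text):
    """Parse a Scythe CSV export and return one PlexTrac-style finding dict per row."""
    return [scythe_row_to_finding(r) for r in csv.DictReader(io.StringIO(text))]
```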