Account settings are accessed by clicking the user name in the upper right of the page.

For standard users (non-admins), the drop-down menu will provide options to select Profile, Help Center, and Logout:

For admins, the drop-down menu will provide options to select Profile, Account Admin, Help Center, and Logout:

The Personal Settings page allows users to upload a profile image, change the user display name, view the email on file, select a theme mode (light or dark), update the user password, configure how dates are displayed, and set up and manage multi-factor authentication (MFA).

The personal settings page is reached by clicking the user name in the upper right and then clicking Profile.

Overview

The Personal Settings page has three tabs:

Users can change their password in the Personal Settings section by navigating to the Change Password tab. This feature empowers users to maintain the security and integrity of their accounts by periodically updating their passwords.

Password Requirements

All of the listed requirements must be met to create an acceptable password.

• a minimum of 12 characters

• one lowercase character

• one uppercase character

• one number

• one special character

The General Authentication Settings page is used to turn on or off the settings that require Multi-factor Authentication for all users.

The Templates button under "Customizations" in the Admin Dashboard allows users to create and configure report templates, export templates, and create style guides.

• Report templates: Defines the report layout that may include narrative sections and custom fields.

• Export templates: Ability to manage templates for exporting reports from PlexTrac.

• : Defines the styles and presentation when exporting Jinja reports to Word.

The Profile tab allows users to customize and manage their accounts by adjusting their user names and profile pictures. They can also tailor the date format to their personal preference or regional settings. Plus, there's an option for a dark mode interface that's easy on the eyes in low-light conditions.

Changing User Profile Image

Step 1: From the Profile tab of the Personal Settings page, click the avatar circle under "Profile Image" to bring up a dialog box.

Step 2: Drag an image to the dialog box or click the box to navigate to the file on the computer. Click

The Admin Dashboard is reached by clicking the user name in the upper right of the page and then clicking Account Admin.

The Admin Dashboard includes the following sections:

In Tenant Settings, admins can manage different aspects of their tenant effectively. They can change the tenant name, activate dark mode for a personalized feel, view and add licenses, set default finding status, configure sub-status options, manage notification and server settings, create email templates, and set up short codes.

Tenant Settings contains the following sections:

In Customizations, admins can personalize various aspects of the PlexTrac platform to meet their needs. They can manage finding layouts, customize report templates, set dark mode, and configure theme colors, allowing them to create a customized experience within the platform.

Customizations include the following sections:

The Theme button under "Customizations" in the Admin Dashboard provides configuration of the UI for a tenant.

To change the colors used for the background, text, etc., click the color palette next to the topic to change, adjust the color accordingly with the color modal, click the "x" at the top right of the modal to close it, and click Update Theme.

Changes can be made for Light or Dark mode by using the toggle at the top to change modes before making a color change.

Clicking Logout will end the existing session and log the user out of PlexTrac, providing an easy and secure way to end their session and prevent unauthorized access to the account.

Individual session tokens last 15 minutes when accessing PlexTrac through an API. However, when accessing PlexTrac via the platform, the authentication token is automatically renewed before expiration. This automatic renewal ensures the user's session remains active without requiring manual re-authentication.

Licensing allows admins to manage software licenses and product keys to activate and authenticate PlexTrac modules and integrations. Admins can also configure priority and Plex AI settings at the tenant or client level.

Licensing contains the following sections:

The Licensing section allows an admin to enter a license key by entering a key into the provided box and clicking Add License.

Current Version

The version for a tenancy can be obtained at the bottom of any page in the Admin Dashboard.

This section allows admins to configure Plex AI access for the user and the client.

Client Access Tab

On this tab, admins can configure if added clients will get AI by default across the tenancy or manage existing client AI access.

In Automations, admins can configure a default or custom priority score equation for the Priorities module.

Automations include the following sections:

The Tags Settings button under "Tenant Settings" in the Admin Dashboard allows management of the tags. Tags are listed alphabetically in groups of 20.

Creating a Tag

Type the desired tag value in the "New tag name..." box and click Create Tag.

Finding a Tag

Insert the cursor in the "Type to search tags..." field and type the query. The list of tags will be filtered by the content in the search box.

Deleting a Tag

Search for and identify the tag to delete and click Delete under the "Actions" column of the row for that tag.

Viewing Tags

If more than 20 tags exist, click the Previous 20 and Next 20 buttons at the bottom of the page to navigate forward and backward and view tags on other pages.

The Account Information button under "Tenant Settings" in the Admin Dashboard provides configuration of tenant information, including changing the tenant theme (light or dark), uploading a tenant logo and icon, and changing tenant name.

Changing Tenant Light/Dark Mode

To change the mode of the tenancy from light to dark, click the desired mode. The change is immediate.

Any images loaded light mode will disappear. Images will need to be reloaded for dark mode.

Adding Tenant Images

Step 1: Click Upload Tenant Images.

Step 2: Click the box of the image to upload, and drag the file into the box or navigate to that image on the computer.

Step 3: Click Submit.

The logo will appear at the top of the left navigation bar.

Editing Tenant Name

Step 1: Click Edit Tenant Information.

Step 2: Enter the desired information and click Submit.

The new value appears on the Account Information page. After refreshing page, the new value appears as the Tenant Administration value.

In Integrations & Webhooks, admins can enable parser plugin actions and configure integrations with different platforms, enhancing its capabilities and facilitating seamless collaboration with other tools.

Integrations & Webhooks includes the following sections:

The integrations page provides the status of each API integration and the ability to connect new integrations (if licensed) or edit existing connections.

If an integration is available but not set up, the user will see a "Connect" button. A "License required" label will be displayed if an integration is not licensed.

Included API Integrations

The following integrations are included with every PlexTrac instance:

Licensed API Integrations

The following integrations require an additional cost/license to access (one license covers all tools):

PlexTrac allows the uploading of templates to provide flexibility in exporting reports in a custom format and style.

Template Types

PlexTrac allows export templates to be uploaded in .doc (for Word documents) or .j2 (for PDF documents) format.

Jinja is a template engine that dynamically generates text-based documents by defining Word templates with placeholders for dynamic content. PlexTrac provides Jinja Word templates to match the branding and styling of an export organization.

PlexTrac provides default templates for exporting to PDF and Word.

Creating an Export Template

Step 1: From the Admin Dashboard, click Templates under "Customizations."

Step 2: Click the Export templates tab.

Step 3: Click Create export template.

Step 4: Drag a .docx or .j2 file to the box provided or click the box in the model to find the file to upload to the computer.

Step 5: Select a style guide to associate with the export template if applicable.

Step 5: Click Upload.

The new template appears in the table.

Downloading an Export Template

Export templates can be downloaded by clicking Download under the "Actions" column.

The file will download to your local system.

Deleting an Export Template

Export templates can be deleted by clicking Delete under the "Actions" column.

A dialog box will appear confirming the action. Click Delete to complete the task.

Plex AI streamlines finding development and authoring, reducing the time spent on manual proactive security report development while ensuring data integrity and quality.

Architecture and Security

All interactions among system components, including AI, are secured through encrypted channels utilizing TLS 1.2. Within a PlexTrac instance, all AI components utilize PlexTrac’s RBA system to guarantee appropriate access controls. This ensures that client, reports, and classification requests adhere to configured access controls, maintaining security and integrity when utilizing generative components. No customer data is used to train the AI model.

For more information, view the Security FAQ.

Features of Plex AI

• Content Generation: AI intelligently generates content specific to the finding being edited. To learn more, click the info icon within the side drawer that appears when content is generated.
• Dynamic Content Selection: Once the AI generates content, users can replace the existing text with the newly generated content if it meets their standards. Should the initial output not suffice, content can be regenerated.

• Historical Navigation: Users are not limited to accepting the first piece of generated content. Through simple "previous" and "next" navigation, they can browse different versions of the generated text, ensuring the selection of the most fitting content for their report.

Using AI

Areas of the platform using AI are identified with a "Use AI" button at the bottom right of a text box, such as the description and recommendations fields of a finding on the Finding Details tab or the Narrative tab of a report.

It is important to ensure that all relevant fields contain content to generate the most effective output. AI draws on values from other fields to produce high-quality output. For instance, when generating a recommendation for a finding, AI uses information from the finding name and any existing content in the recommendations field.

Creating Content

Step 1: Where available, click Use AI.

Step 2: A side drawer will open with the suggested text provided by AI. Click Insert & Replace to use the generated text and override the existing text.

Or click Regenerate to see a different response.

Step 3: The content is inserted into the text field. Make further edits as needed.

Disclaimer

Although PlexTrac has taken great care to ensure the accuracy and quality of the text generated, AI systems can occasionally produce content that includes hallucinations, inaccuracies, or unreliable statements. AI-generated text cannot replace professional advice, information, or services. It is recommended that users exercise their judgment, conduct additional research, and verify any critical details before relying on or acting upon the information presented.

An audit log records events or activities within PlexTrac. Its primary purpose is to provide a chronological and detailed account of actions taken by users and processes, along with relevant information such as timestamps, user IDs, and specific event details.

The audit log is found under the Audit log button of the Admin Dashboard under "Security & User Management."

Actions Recorded

The following key actions are recorded in the audit log:

• Logins (successful, failed, lockouts, etc.)

• Password changes

• User creation/deletion/updates

• RBAC changes (e.g., a user is assigned to a client)

The audit log displays events for 120 days, updating on the first day of each month.

Using the Audit Log

The page defaults to the most recent events and lists the user, event, and time of the action. Use the filters above to narrow the dates of the events or search for a specific event.

For example, to find users who changed their password in the past month, click the box for "Start date" and select the past 30 days, then type "password" into the search box.

The list of events presented on the page dynamically updates.

Existing users can be managed via bulk action or by editing individually.

Editing Users

Step 1: From the Users page of the Admin Dashboard, under "Security & User Management," click Edit under the "Actions" menu of the user to manage or click the row of the user within the table.

Step 2: On the Details tab, you can edit your first and last name and the authentication provider. Additional options exist to reset the password and disable or delete the user. Depending on the user's status, additional options are provided.

Click Save if editing the user name. All other changes are done dynamically.

Step 2: Client access can be modified on the Authorization tab. Use the filters to narrow the list of clients displayed.

Using Actions Menu

Additional options to manage a user within the table can be found by clicking the three dots under the "Actions" menu in the user's row to edit. Some options may not appear if the use case does not apply to the user.

Using Bulk Actions

Bulk action options appear after one or more findings are selected by clicking the checkbox to the far left of the finding row or by clicking the box next to the column header. Some options may not appear if the use case does not apply to a current user status.

In Security, admins can manage authentication methods, configure MFA, authorize users for specific roles, and create classification tiers to enforce additional layers of access to reports.

The Security section contains the following sections:

In Security & User Management, admins manage authentication, multi-factor prompts, user groups, access permissions, report access, and user account settings.

Security & User Management contains the following sections:

OAuth and SAML are protocols in identity and access management. OAuth is used for authorization, allowing third-party apps to access user resources securely. SAML is designed for authentication and single sign-on, facilitating user identity data exchange. OAuth is common in consumer and enterprise apps, while SAML is often used in government and enterprise environments. Both protocols can be used together for a comprehensive authentication and authorization solution.

PlexTrac supports multiple authentication methods for single-sign-on (SSO):

• OAuth: OAuth is an open standard for authorization that grants access via access tokens. OAuth authorizes an application to access your data without giving it access to your credentials.

• OpenID: OpenID Connect provides an authentication layer on top of OAuth 2.0. It addresses the lack of an authentication mechanism in OAuth and is thus a more secure solution.

• SAML: Security Assertion Markup Language (SAML) is an open standard that attempts to bridge the divide between authentication and authorization.

OAuth is used in access authorization, while SAML and OpenID Connect are used in user authentication.

Requirements

Users need an account with PlexTrac before being authorized to use an alternative sign-on method. The users' email in PlexTrac must be identical to the email address used to authenticate through the third-party tool.

Configuration Instructions

PlexTrac enables two-factor authentication at the account level and is managed on the Two-Factor Authentication tab of the Personal Settings page. Two-factor authentication is a security measure that requires users to provide two forms of identification to access an account or system.

Two-factor authentication (2FA) is a security measure that significantly protects against unauthorized access to sensitive information and accounts. It works by adding an extra layer of verification to the traditional password or PIN login process. When users log in, they must provide their regular credentials, such as a username and password, and a second form of authentication.

The second authentication factor can take various forms, such as a unique code sent to the user's mobile device via SMS or generated by an authentication app, a fingerprint or facial recognition scan, a hardware token, or even a one-time password sent to an email address. The significance of 2FA lies in its ability to counteract the vulnerabilities of using passwords alone.

The Risk scoring section under "Automations” in the Admin Dashboard allows admins to create formulas for producing dynamic risk and likelihood scores for findings and priorities.

A report template is a pre-defined structure and format for creating reports. It may include narrative sections and custom fields, as well as the ability to select an export template.

Report templates save time and ensure consistency in the formatting and presentation of reports within an organization. They save time by pre-populating report sections, such as the introduction, methodology, or threat model. Linking to a custom export template ensures an exported file is branded and structured in the desired reporting methodology.

Creating a Report Template

Step 1: Click New report template.

OAuth (Open Authorization) is a standard token-based authorization framework. OAuth enables account information to be used by a third party without exposing the user's account credentials to the third party.

It provides the third-party service with an access token that authorizes the sharing of specific account information.

OpenID Connect is an identity layer built on the OAuth 2.0 protocol that permits a third-party application to obtain a user's identity information managed by a service. This functionality makes it easier for developers to authenticate users.

Clicking the card below will open further documentation for integrating PlexTrac with the following OAuth/OpenID solutions.

In White Labeling, admins can manage brand identity, provide a consistent user experience, and reinforce their unique business context throughout the platform.

Overview

White labeling allows both Managed Security Service Providers (MSSPs) with multiple clients and Enterprise customers managing various internal business units or groups to customize the labels that appear throughout the platform. This customization lets administrators personalize and align the platform with their business needs and branding.

An administrator can substitute the generic term "clients" with the company's name, resulting in a more personalized and professional user experience.

Likewise, an Enterprise customer using PlexTrac to manage different internal business units or groups can customize the labels to match the specific terminologies used within their organization. This ensures the platform integrates seamlessly with existing processes and naming conventions, making it more user-friendly for their teams.

This option determines if a priority applies to a tenant or is specific to a client and whether it appears to end users after creation. The default value is Tenant-level priorities.

The Authorization button under "Security" in the Admin Dashboard allows user group membership and roles to be managed.

This page lists all users (first and last name), email/username, role, classification level, and if they belong to the default group.

Users in the list can be found via search, filtered by client, or sorted by first name, last name, or email/username.

Default Group

The Default Group is the collection of users granted access to all clients by default. Adding users to this group automatically grants them access to all existing and new clients as they are created.

Adding Users to a Client

Step 1: From the Authorization page in the Admin Dashboard, select a client from the pulldown menu.

Step 2: A new button for adding users appears. Click Add/Authorize User.

Step 3: Select the user from the "User" pulldown menu or begin typing to filter the provided list.

Step 4: Assign the appropriate role from the "Role" pulldown menu, and, if applicable, assign a classification level.

Repeat as needed by clicking Add User.

Step 4: Click Save.

Managing Roles

Roles can also be managed directly from the Authorization page.

Step 1: From the Authorization page in the Admin Dashboard, select a client from the pulldown menu.

Step 2: Click the pulldown menu under the "Role" column for the user to be changed and select the new role.

Classification Level

When classification tiers have been enabled (configured in Admin Dashboard>Security>), a column will appear on the Authorization page, allowing further security restriction configuration for each user by the client.

If not enabled, the column will not appear.

The Role Based Access (RBAC) button under "Security" in the Admin Dashboard gives administrators granular control over permissions within PlexTrac, such as actions allowed for a specific user, permissions for customers, access to client data, and report access that restricts viewing sensitive data.

PlexTrac applies roles that consider the tenant (instance) and client. This enables teams to grant users the privileges required to accomplish tasks for specific clients.

A user’s tenant role governs what portions of the platform they can access, including the modules, tools, and UI elements presented for use. A user’s permissions can be further scoped in the context of individual clients. Users must have a role in the context of each client.

PlexTrac has three default roles: Administrator, Standard User, and Analyst.

Licensed Permissions

An icon within the RBAC list identifies permissions that require a license.

For a tenancy, a license can be in different states:

1. A valid key: In this scenario, no banner message will appear.

2. An invalid license key: In this scenario, a banner appears (when adding users or viewing a role within the Admin Dashboard), and the admin needs to contact [email protected].
3. More licenses needed: This scenario applies to situations where the number of licenses remaining is three or fewer, and the admin should contact [email protected]. A banner appears when adding users or viewing a role within the Admin Dashboard.

Tenant Permissions

Platform-wide permissions include access to specific modules (WriteupsDB, Assessments, etc.), the Account Admin section, platform settings, and user management. These permissions are specific to platform access and assigned in the Role Based Access area of the Admin Dashboard.

Within a tenancy, the following business rules apply:

• Administrator: A tenant administrator can access all tools, modules, and UI elements on the platform (all aspects of the Admin Dashboard).

• Standard User: A standard user can access all modules and UI elements outside the Admin Dashboard.

• Analyst: An analyst user cannot access the Content Library or Runbooks modules. Additionally, most UI elements that provide create or edit capabilities are unavailable.

Administrator

Admin user permissions can be viewed by clicking the Administrator box on the Security: Role Based Access page.

An administrator is PlexTrac's highest permission role, and admins have complete control and access over every application part.

Standard User

Click the Standard User box on the Security: Role Based Access page to view standard user permissions.

Analyst User

Analyst user permissions can be viewed by clicking the Analyst box on the Security: Role Based Access page.

Client Permissions

Client-based permissions are specific to using and accessing Clients, Reports, and Findings. These permissions are assigned on a client level, and more information can be found by visiting the .

The role assigned to a user at the client level sets the client, reports, and findings permissions for that client.

In the context of a client, the following business rules apply:

• Administrator: A client administrator can edit any data associated with the client, such as the client record, assets, and reports, and manage access of client users.

• Standard User: A standard user can edit any data associated with the client, such as the client record, assets and reports.

• Analyst: An analyst user can view client assets and related data, reports in published status, upload and delete artifacts in reports, and change the remediation status of findings.

The Service-Level Agreements (SLAs) button under "Tenant Settings" in the Admin Dashboard allows management of SLA settings, such as severity, days to close, notifications, and tags.

SLAs are designed to ensure that cybersecurity measures meet specific standards and expectations and are critical to managing and enhancing an organization's overall security posture.

Configuring Views

The table view can be customized by clicking the column view icon to the right of the search bar.

Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.

When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.

This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.

The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.

Click Save when finished.

Creating a SLA

Step 1: Click New Service-Level Agreement.

Step 2: A modal will appear. Enter an SLA name, define how many days should exist to close the SLA and the finding severity that the SLA applies to. All other fields are optional.

1. SLA Name: This is a required field. Duplicate SLA names can exist.

2. Days to Closed: This is a required field. Enter a numeric value representing how many days are allowed to close a finding. For example, a value of "2" means that if a finding for the defined severity has not been closed within two days of being opened, it exceeds the SLA.

3. Finding Severity: This is a required field. Select the finding(s) severity to be tracked as part of the SLA. More than one severity can be selected.

Step 3: Click Save at the bottom of the modal.

Webhooks are a real-time, event-driven communication method that allows PlexTrac to send data automatically when a specific event occurs. Using HTTP POST requests, webhooks enable immediate data transfer without constant pulling, making them efficient and lightweight. By providing a unique URL for event notifications, webhooks facilitate automation and real-time updates between applications while ensuring security through authentication methods and encryption.

Webhooks vs. APIs

APIs use a pull model where clients request data from servers, while webhooks employ a push model, automatically sending data to clients when specific events occur. APIs often require polling for updates, which can introduce latency and consume resources, whereas webhooks provide real-time notifications, making them more efficient for immediate actions. While APIs are suited for complex data manipulation and retrieval, webhooks excel in automating workflows with simple event-driven notifications. Additionally, APIs necessitate client-initiated requests, while webhooks require clients to set up a URL endpoint to receive data.

List of Webhooks

Webhooks offered at this time that run on the following PlexTrac trigger event:

• On report publish

• On assessment submission

• On scheduler engagement submission

• On finding publish

Creating a Webhook

Step 1: From the Admin Dashboard, click the Webhooks button under "Integrations & webhooks."

Step 2: Click New webhook.

Step 3: Select the webhook type. PlexTrac provides configured solutions for standard solutions, such as Slack and Microsoft Teams.

Step 4: Click Continue.

Step 5: Enter the desired information on the page.

1. Provide a webhook name.

2. Confirm if this applies to all clients or a specific one(s).

3. Select the PlexTrac trigger event from the provided options. More than one can be selected.

4. Insert the url of the application receiving the webhook data.

When activated, this test initiates a series of checks to ensure everything functions correctly. First, the button verifies that the provided URL is valid and accessible and no redirect occurred. It checks that the domain resolves correctly and that the endpoint responds with a 200 OK status code, indicating that it is operational. In addition to these validations, the endpoint must respond within five seconds, although the response time should be under one second for optimal efficiency.

For security purposes, if a secret is used, the button generates an HMAC-256 signature and includes it in the X-Authorization-HMAC-256 header of the POST request. This ensures that any communication with the endpoint remains secure.

Step 6: Click Save.

The webhook is enabled by default but can be turned off by toggling the bar under the "Enabled" column.

Managing Webhooks

Existing configurations can be modified by clicking Edit under the "Actions" menu of the webhook.

Webhooks can be deleted, or event logs can be viewed by clicking the three dots under the "Actions" menu of the webhook.

The Users button under "Security & User Management" in the Admin Dashboard allows an admin to view, edit, add, or delete users.

Overview

PlexTrac's user management page provides a range of features to streamline user administration. Administrators can add users, assign roles, select authentication providers and classification tiers, reset passwords, enable or disable accounts, and permanently delete users. Additionally, there is functionality to authorize users by client.

The functionality for managing users is contextual, depending on their status. For example, if no users are locked, no option is provided to unlock them.

Types of Users

Users are either enabled, disabled, or locked. This status can be filtered through the pulldown menu at the top of the table or sorted by clicking the flag next to the name field in the table header column.

Locked Users

PlexTrac will lock a user out after multiple failed attempts to protect against brute force attacks. Locked users are identified with a lock icon next to their name, a highlighted row background, and the words "User locked" listed under their email address.

Disabled Users

Disabled users are identified with an icon next to their name, a row with a grey background, and the words "User disabled" under their email address.

Licensed Users

Each user added to a licensed role is considered a paid user. When a role is licensed, an icon will appear at the end of the role title (regardless of the number of licenses available).

Roles that use a license are also identified on the RBAC page.

Click the "All Roles" pulldown menu to filter users by role. Standard roles are at the top of the list.

If a user is added to a role that requires a license but no more seats exist, an error message appears.

Configuring Table View

The table view can be customized by clicking the column view icon to the right of the search bar.

Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.

When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.

This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left. The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.

Email settings are located under the "Tenant Settings" section in the Admin Dashboard. This section provides administrators with options to manage and configure various aspects related to email setup and notifications. The Email Settings page displays three tabs, enabling admins to adjust and personalize the email settings based on their preferences. These tabs facilitate access and control over notification settings, email servers, and email templates.

Notification Settings Tab

The Notification Settings tab is used to manage when email notifications are sent to users. Notifications can be configured by the report, finding, substatus, or assignment by clicking the toggle bar on or off.

OpenID is a decentralized authentication protocol allowing users to authenticate with multiple websites using a single login credentials. It enables users to create a single digital identity that can be used across different websites and services without creating a new account or remembering multiple usernames and passwords.

OpenID provides users with an OpenID URL, a unique identifier for their digital identity. When users log in, they are redirected to their OpenID provider's website to authenticate themselves. Once established, the OpenID provider sends a token back to the website, verifying the user's identity and allowing them to access the site.

OpenID is an open standard. It is supported by many websites and services and designed to be interoperable with other authentication protocols like OAuth.

Configuring OpenID

Okta OAuth is a secure authorization protocol that Okta, a cloud-based identity and access management service, allows users to grant third-party applications access to their Okta resources without sharing their username and password.

OAuth provides a token-based authentication system where users can grant access to their Okta resources without disclosing their credentials to that service. The user first logs in to their Okta account and then permits the third-party application to access specific resources using an access token. The application then uses this token to access the authorized resources on the user's behalf without needing the user to provide their login credentials again.

The Classification Tiers button under "Security" in the Admin Dashboard is where the functionality for classification tiers is turned on or off.

Overview

Classification tiers enable control for specific users to view and modify particular reports for a specific client. For example, most users may have access to a client and most reports, but a few users may require a higher classification tier to work on a report with more sensitive data.

Once turned on, PlexTrac provides three tiers by default (Tier 1, Tier 2, and Tier 3). The higher the classification level, the more restrictive it is (i.e., Tier 1 is the lowest). For example, everyone in Tier 2 has access to Tier 1, but Tier 2 users do not have access to Tier 3 reports.

Once enabled by toggling on, the default classification tier values and descriptions can be edited, and new ones can be created and managed.

Creating a Classification Tier

Step 1: After enabling classification tiers, click Create Classification.

Step 2: Enter a classification tier name and description in the provided boxes. If ready to implement, toggle on the "Enabled" button.

Step 3: Click Save.

A message will appear briefly confirming the addition of the new tier, and it will appear on the list at the top of the list by default as the most restrictive.

Step 4: If the new value's default placement at the top is inaccurate and needs adjustment, select and move the value's bar on the page to reflect its appropriate classification level in the existing tier structure.

Once a row is moved, the tiers dynamically reorder and display their new classification level (the bottom of the list will always be the least restrictive Level 1).

Step 5: Exit this page by clicking the breadcrumb Admin Dashboard.

Step 6: Click Security under "Security & User Management."

Step 7: Click Authorization.

Step 8: Select the desired client from the "Client" pulldown menu.

Step 9: Identify the user to configure, click the pulldown menu of the column "Classification Level," and select the appropriate value.

Step 10: Click the Reports module, select a report, and click the Details tab.

Step 11: Click the pulldown menu of "Report Classification" and select the appropriate tier value. Click Save.

Editing a Classification Tier

Step 1: From the Classification Tiers page, click the value to edit.

Step 2: Make any edits and click Update Classification.

Disabling a Tier

Classification tiers cannot be deleted. This is to protect against existing protected reports being unintentionally exposed. If a specific tier is no longer needed, however, it can be disabled (if to be used again in the future) or edited to reflect a new tier classification.

To disable the value from appearing as an option elsewhere in PlexTrac, toggle off the "Enabled" button and click Update Classification.

Users can be added using PlexTrac or by uploading a CSV file template.

Adding Users

Step 1: From the Users page of the Admin Dashboard, under "Security & User Management," click Add Users.

Step 2: Enter the user's email, first name, last name, role, authentication provider, and classification tier (if applicable). If the user requires the ability to bypass your global MFA setting, select PlexTrac Service Account from the Authentication Provider dropdown.

Step 3: Click the check box to identify if the user should belong to the Default Group.

Step 4: Click New user to repeat the process and add more users.

Step 5: When finished, validate whether an email link should be sent to all newly created users to set their password (the default option is to send the email).

Step 6: Click Save.

A message will appear confirming the addition, and the new user will appear on the Users page.

Adding Users via CSV

Users can be created in bulk using a CSV template, which can be found on the Add New Users page after clicking Add Users.

The CSV file has five fields to collect user information to be imported:

Importing the CSV Template

Step 1: Download the file, delete the sample values, and enter the user information to import.

Step 2: From the Users page of the Admin Dashboard, under "Security & User Management," click Add Users.

Step 3: Click Import from CSV.

Step 4: A window opens to select the CSV file from the computer. Select the file to import.

Step 5: The information in the CSV file is imported for review.

Step 6 (optional): No changes are needed if standard roles were used. If a custom role was assigned to an imported user, manually select it by clicking the "Role" pulldown menu for the impacted user and selecting the desired custom role value.

Step 7: Click Save.

A message will appear confirming users were added.

SAML stands for Security Assertion Markup Language. It is an XML-based standard for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP) and a service provider (SP).

SAML enables single sign-on (SSO) by allowing users to authenticate themselves once and access multiple services without the need to log in again for each one. SAML achieves this by exchanging digitally signed XML documents, called SAML assertions, between the IdP and SP.

When a user tries to access a resource on a service provider, the SP redirects the user to the identity provider for authentication. The IdP then verifies the user's identity and generates a SAML assertion that includes information about the user's identity and attributes. The IdP signs the assertion using its private key to ensure its authenticity and sends it back to the SP. The SP then verifies the signature using the IdP's public key and grants access to the requested resource.

Plextrac allows any SAML Identity Provider to log into the application. Multiple providers can be configured for each tenant and managed per user. For example, one user could log in with Google while another uses Okta.

Requirements

SAML requires the following environment variables to be set in the PlexTrac Docker:

• PROVIDER_CODE_KEY: A secure signing key set by default in the latest version.

• CLIENT_DOMAIN_NAME: The hosting domain name, such as app.plextrac.com. Do not include HTTP(s)://.

PROVIDER_CODE_KEY is an environment variable that acts as a secure signing key. It is used in the SAML configuration within PlexTrac to facilitate secure communication between the identity provider (IdP) and PlexTrac. This key ensures that the SAML assertions exchanged during the authentication process are signed and can be trusted.

When setting up SAML for PlexTrac, the PROVIDER_CODE_KEY must be set to a secure value in the Docker compose file for the PlexTrac instance.

Configuring SAML

Step 1: From the Admin Dashboard, click Security and then Authentication Methods.

Step 2: Click the SAML Providers tab.

Step 3: Click Create New SAML Provider.

Step 4: Enter the information obtained through the provider setup in the appropriate fields.

1. Provider Name: Identifies the service provider used, such as Okta. This entity acts as an identity or service provider within the SAML authentication and authorization framework.

2. Allow IDP Initiated SSO: Identifies if a user can initiate SSO with the provider first without visiting PlexTrac. This is an authentication process in which the user's interaction begins with the identity provider rather than the service provider.

3. Identity Provider Single Sign-On URL: Identifies the specific endpoint provided by the IdP to initiate the SAML authentication process during SSO. When users attempt to access a service provider application, they are redirected to the IdP SSO URL to authenticate themselves.

Step 5: Click Create when finished.

The new setup is listed on the SAML Providers tab.

Allowing IDP Initiated SSO

Step 1: Toggle “Allow IDP Initiated SSO.”

Step 2: Enter the identity provider origin URL.

Step 3: Toggle on “JIT User Provisioning.”

Step 4: Select the desired default role for newly created users, the default classification level (if applicable), and if any users provisioned via this SAML Provider are assigned to the Default Group.

Step 5: Click Save (if updating an existing configuration) or Create when finished.

Administrators can tailor roles and permissions within the PlexTrac platform according to their specific requirements. This customization allows for efficient management of user access and privileges, ensuring a secure and organized environment.

When creating custom roles, PlexTrac provides the following recommendations:

• Create a role without any permissions to assign unused or intermittent access users. By implementing this practice, administrators can prevent unnecessary access to sensitive information or critical functionalities, mitigating potential risks of granting unnecessary permissions.

• Use the Principle of Least Privilege when assessing role permissions. This principle advocates granting users the minimum access required to perform their designated tasks effectively. By adhering to this principle, administrators can significantly reduce the attack surface and the potential impact of security breaches, enhancing the overall security posture of the system.

• Conduct periodic user and role audits for an accurate user access posture. Regular user and role audits are essential to maintaining a secure user access environment. Periodic audits allow administrators to review and verify the permissions assigned to each user, ensuring that access rights align with individuals' current roles and responsibilities. This process helps identify deviations or discrepancies, providing the user access posture remains accurate and up-to-date.

When assigning roles to a user, giving each role a unique name is essential. Although PlexTrac generates a unique ID for each role in the backend, the user interface may display seemingly identical values, leading to confusion, as shown below.

Creating a Custom Role

Step 1: From the Role Based Access page under "Security" in the Admin Dashboard, click Create Role.

Step 2: Enter the fields provided on the page. Role Name and Role Description are required.

1. Templates as Baseline: Select the desired baseline template from the drop-down menu when creating a new role.

2. Role Name: This required field is the role's name and will appear on the Role Based Access page.

3. Enabled: This feature displays if the role is activated and provides a simple way to disable access temporarily.

Step 3: Scroll down the page to select/deselect permissions for the role by clicking the provided tasks to define permissions. A purple button means permission has been given for the role, while a grey button means no permission has been enabled. Clicking a purple button again greys it out and disables authorization.

In this example, all permissions except the ability to manage style guides and access to the admin dashboard where the style guides are managed were removed.

Step 4: Click Save.

A summary page appears to review the list of users and permissions. Click Edit to adjust.

The new role is listed, along with the number of users assigned and configured permissions.

The Short Codes button under "Tenant Settings" in the Admin Dashboard provides the ability to replace predefined strings or variables in a report with new values, reducing the need to edit each report. Using short codes makes report creation more efficient and reduces maintenance, as it reduces the time to edit.

Short codes can pull data from a report custom field or a client custom field, depending if the short code applies to all reports for a client or one specific report.

Default Short Codes

PlexTrac provides six short codes that pull data from non-custom fields and are listed on the Default tab. These variables cannot be modified or deleted.

Creating a Short Code

Step 1: From the Custom tab of the Short Codes page within the Admin Dashboard, click Create Short Code.

Step 2: Enter the appropriate values in the provided fields.

1. Short Code field: The string inserted in reusable rich text fields that will be replaced after activation. Short Codes must follow the following rules:

   • Be a single string with no spaces

   • Begin and end with two percent symbols

Step 3: Click Save.

The new short code is inserted at the bottom of the list on the Custom tab.

Step 4: Use the for use in all reports for a client, or use the .

Editing Short Codes

Custom Short codes can be modified by clicking Edit in the "Actions" column of the applicable short code.

Deleting Short Codes

Custom short codes can be removed by clicking Delete in the "Actions" column of the applicable short code.

A modal will appear, confirming the action. Click Confirm Delete.

This page includes the business rules and instructions for enabling and disabling priority equations when multiple ones exist.

Equation Business Rules

The impact of an equation on a priority depends on multiple variables, such as whether equations are set in General Settings to apply to all tenants or a client, if the default equation is enabled, if a custom equation is enabled, and if the custom equation applies the entire tenancy or specific clients.

Tenant Level Equations

When priorities are enabled at the tenant level, only one equation can be used at a time. When enabled, equations created for specific clients are no longer accessible from the contextual scoring page. Existing equations are not deleted, but they can no longer be viewed or modified from the page.

Tenant-level priorities have the following business rules for equations:

• Tenant-level priorities is selected under "General Settings" of the Admin Dashboard

• If all equations are disabled: All priorities will be calculated by multiplying the likelihood and impact manually entered on the priority.

• If the default equation is enabled: The default equation is enabled for all clients.

Client Level Equations

When priorities are enabled at the client level, only one tenant-level equation can be used at a time. However, custom equations for specific clients may be enabled and, when executed, take precedence. Any equations created for specific clients will be accessible from the contextual scoring page along with tenant-wide equations.

Whether the equation is client-specific or a tenant is identified under the "Associated with" column.

Client-level priorities have the following business rules for equations:

• Client-level priorities is selected under "General Settings" of the Admin Dashboard

• If all equations are disabled: All priorities will be calculated by multiplying the likelihood and impact manually entered on the priority.

• If only the default equation is enabled: The default equation is used for any new priorities, but any existing clients with an associated custom equation will take precedence.

Enabling an Equation

To enable an equation, toggle the button under the "Enable" column.

If the user's action impacts existing priorities and business rules, PlexTrac will display a message to inform of the consequence. If approved, the system will enable or disable other related equations accordingly.

A style guide helps content creators and publishers maintain consistency in their content presentation. It provides guidelines on spelling, grammar, punctuation, capitalization, formatting, and other elements of written communication.

The purpose of the style guides is to provide the ability to overwrite the default PlexTrac formatting during the report export process. The style guides only apply to Jinja templates exported to Word (.doc). Style guides do not impact rich-text fields.

PlexTrac provides a default template that can be configured, leveraged, or cloned to create other style guides. There is no limit to the number of style guides.

Microsoft Entra ID (formerly Azure AD) is a cloud-based identity and access management service that enables employees to access external resources.

OAuth operates through a token-based authentication system, allowing users to authorize access to Microsoft Entra ID resources without sharing credentials. The user logs in to their Microsoft Entra ID account and grants permission to a third-party application to access specific resources using an access token. Subsequently, the application utilizes this token to access the authorized resources on behalf of the user, eliminating the need for the user to re-enter their login credentials.

Configuring Microsoft Entra ID

Step 1: Log in at .

The Layouts section under "Customizations” in the Admin Dashboard provides the ability to configure and customize the experience of creating a finding.

Multiple layouts allow admins to tailor the finding creation process according to their needs and requirements. Each layout can be designed to capture different findings or accommodate different workflows. For example, a tenant might have different layouts for web application vulnerabilities, network vulnerabilities, or compliance-related issues.

By customizing the layouts, admins can ensure that teams provide consistent and relevant information while creating findings. This can improve report creation by ensuring a standardized approach to documenting security issues.

The General Settings button under "Tenant Settings" in the Admin Dashboard allows management of answer types, the default behavior of findings status for published reports, managing finding sub-status and enabling rapid templating.

Google OAuth (Open Authorization) is a secure authorization protocol that allows users to grant third-party applications access to their Google accounts without sharing their usernames and passwords. It is a standard authentication mechanism used by Google to provide secure, delegated access to resources on its platform, including Google Drive, Gmail, Google Calendar, and other services.

OAuth provides a token-based authentication system where users can grant access to their account data without disclosing their credentials to that service. The user first logs in to their Google account and then permits the third-party application to access specific resources using an access token. The application then uses this token to access the authorized resources on the user's behalf without needing the user to provide their login credentials again.

Configuring Google OAuth

Step 1: Log into the

PlexTrac integrates with HackerOne, a platform that facilitates vulnerability coordination and bug bounty programs. It connects organizations that want to improve the security of their software and systems with a community of ethical hackers, also known as white-hat hackers, who are skilled in finding and reporting security vulnerabilities.

Integration Overview

An integration with HackerOne and PlexTrac consists of three parts:

1. Enabling the feature via the license key.

2. Obtaining the HackerOne API Key Identifier and HackerOne API Key values.

3. Configuring PlexTrac to complete the setup.

Enabling HackerOne

If the license is needed within a tenant, the phrase “License Required” with a link to the Support Portal will display within the HackerOne card on the of the Admin Dashboard.

When a license is obtained, insert the license key into PlexTrac via the Admin Dashboard>Licensing page.

When the integration is available, a “Connect” button will display within the HackerOne card on the of the Admin Dashboard.

Creating an API Token

Once the feature has been enabled, the next step is to obtain the HackerOne API Key Identifier and HackerOne API Key values.

Step 1: Log in to .

Step 2: Click Create API Token.

Step 3: Enter an identifier value into the provided box. Click Create.

Step 4: Copy the API key to a secure place (it will not be accessible after this point). Click I have stored the API Token.

Step 5: The API token just created appears at the top of the API page (an email will also be sent confirming the action). Click Manage groups in the row of the token.

Step 6: Check the desired boxes to define the user's permissions for this group. Click Apply changes.

Configuring PlexTrac

Step 1: From the Admin Dashboard, click Integrations under "Tools & Integrations."

Step 2: Click Connect in the HackerOne card.

Step 3: A modal appears with three tabs. On the first tab, enter the following information:

1. Integration Name: This value is seen by users when selecting which tool to import findings from into a report, so pick a value that quickly identifies the integration.

2. HackerOne API Key identifier: This was the value entered when creating the API token within HackerOne.

3. API Key: This key was provided by HackerOne and saved for future use.

Step 4: Click Save.

Step 5: In the "Mapping" tab, select which fields to import from HackerOne to PlexTrac.

Required fields are grayed out in the "Synch" column. The other fields are optional and can be removed from import by clicking the checkbox to remove the checkmark. Click Save.

Step 6: A message will validate that the synch was successful. Click Got It.

HackerOne now appears as "connected" on the Integrations page.

Findings from HackerOne can now be.

Disabling Integration

The integration can be temporarily turned off and on via the toggle button under "Enabled."

Editing Integration

Click Edit under the "Actions" column to adjust existing settings.

Viewing Logs

Step 1: Click Edit under the "Actions" column.

Step 2: Click the Sync Log tab.

Step 3: Click View of the desired log to read.

PlexTrac learns about scanner findings as files are imported. This learning can be done proactively by an admin through parser actions or when a user imports a scanner file when adding findings to a report. Either way, the learning begins after an admin imports a file via the parser actions page of the Admin Dashboard, and this process must occur for each tool that PlexTrac integrates with. Any files for a tool imported as findings to a report that have not been enabled by an admin on the parser actions page will have no impact on parser actions.

When importing a file, parser actions process the contents to extract relevant information and perform specific operations. The exact parser actions depend on the file format and business rules an admin configures.

The findings are matched to the parser action by plugin ID and include actions such as linking to a writeup, changing the finding severity, or ignoring the finding when parsed.

Admins can create an equation to produce a custom score. The process for creating an equation for a priority and findings is the same and consists of two steps:

1. Equation Properties: The tab in which the name, description, and (when applicable) what clients the equation applies to are entered.

2. Equation Builder: The tab where the user selects and configures the variables of the equation that determines the contextual score.

PlexTrac offers an integration with ServiceNow's ITSM and GRC platform modules to allow red and blue teams to collaborate without switching between workflow tools.

ServiceNow GRC (Governance, Risk, and Compliance) is a module of the ServiceNow platform that helps organizations manage their governance, risk, and compliance processes. ServiceNow ITSM (IT Service Management) is a module of the ServiceNow platform that enables organizations to manage their IT services and operations.

Overview

Data flows from PlexTrac to ServiceNow when a finding is used to create a ticket but only from ServiceNow to PlexTrac after setup. The synchronization between PlexTrac and ServiceNow occurs every 30 minutes.

Creating a Ticket

Step 1: On the row of the finding used to create a ticket, click the three dots under the "Actions" column and click Link ServiceNow ticket.

Step 2: A modal appears. Select the ServiceNow module, the ticket type, and the priority.

Step 3: Click Save.

The finding now shows the ServiceNow ticket ID and a hyperlink to access the ticket on ServiceNow.

Field Mappings

When a PlexTrac finding is used to create a ticket in ServiceNow, it defaults to a status of New with the following information populated:

When the ticket is created, the priority and issue rating values are stored within ServiceNow.

Existing Ticket Updates

After the ticket is created in ServiceNow, that ticket can only be modified from ServiceNow.

The following fields are then sent from ServiceNow to PlexTrac:

Status Mappings

Below are the mappings of status from ServiceNow to PlexTrac for the various scenarios:

For a task and ticket:

For an incident:

For an sn_grc_issue:

Timestamp Logic

Timestamps are captured in two scenarios for this integration:

• When the issue type is created in ServiceNow

• When a work note is created or updated in ServiceNow

Issue Type Timestamps

The timestamp is derived from the time zone set for the ServiceNow instance. PlexTrac has no influence on this time zone.

Scenario: A user in PlexTrac links a finding with ServiceNow. An issue type is created in ServiceNow, and a time stamp is applied to the creation date based on how that ServiceNow instance was configured.

Work Note Timestamps