Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
One key benefit of PlexTrac is the ability to connect with various security assessment tools, templates, and applications. These connection points allow for the import of findings, assets, and other vulnerability data from popular tools, eliminating manual data entry, reducing human error, and saving time.
Below is a list of third-party tools, templates, API integrations, instructions, and field mappings that users can leverage to import data into PlexTrac.
The Tools & Integrations section of the Admin Dashboard allows for the configuration and setup of parsers, third-party tools, and APIs.
An API (Application Programming Interface) is a set of rules, protocols, and tools that allow different software applications to communicate and interact. It provides a standardized way for developers to access and manipulate the functionalities and data of a particular system or service.
PlexTrac offers several integrations, some of which are available for immediate use and others that may require a license. These APIs enable seamless communication between PlexTrac and external systems or applications, facilitating data exchange, automation, and extended functionality.
Visit the PlexTrac API section for information about leveraging the PlexTrac API.
Additional information for each integration can be accessed by clicking the logo within a card.
PlexTrac allows users to import data from a wide range of security assessment tools and CSV templates, making it easier for teams to aggregate and centralize their assessment findings, test results, and vulnerability data within the platform.
PlexTrac's integration capabilities support data ingestion from over 25 tools commonly used in the security industry. These parsers are built into the platform and are readily available to users without additional licensing requirements. The parsers extract the relevant information from the imported data and convert it into a unified format within PlexTrac, allowing for consistent representation, analysis, and reporting.
Parser actions are configured at the admin level on the Admin Dashboard.
Applications that can be imported into PlexTrac are listed below. Clicking the card below will open additional information, such as field mappings and configuration instructions.
PlexTrac offers a variety of CSV (Comma-Separated Values) templates. These templates serve as predefined structures that allow users to organize and format their data so it can be imported into PlexTrac easily.
CSV files are widely used because they are lightweight, easy to generate and parse, and can be opened with a simple text editor. The structure of a CSV file is straightforward. Each line in the file represents a row of data and a delimiter, typically a comma, which separates the values within each row.
Finding Imports: Visit the CSV Findings page for more information and guidance on which CSV template to use when importing findings.
Additional information (field mappings and instructions) can be accessed by clicking the CSV icon within a card.
Applications that export data into PlexTrac are listed below. Additional information can be accessed by clicking the card below.
PlexTrac supports importing XML files from Acunetix. Acunetix is an automated tool for auditing web applications to identify security vulnerabilities. It scans for issues such as SQL injection, cross-site scripting, and other security threats. Additionally, Acunetix evaluates service misconfigurations, outdated protocols, and network vulnerabilities.
Below are the field mappings from Acunetix to PlexTrac, broken up by findings and assets. If a field is not listed, PlexTrac does not currently import it.
Tables include the following columns:
Acunetix Field: the field name that appears in Acunetix
PlexTrac Field: the field name that appears in PlexTrac
Direction: displays the direction in the flow of data occurring for the integration (a value of "x" means that the value is not imported)
BlindSPOT by OnDefend is an automated breach and attack simulation (BAS) solution that helps organizations simulate cyber-attack activity, identify security blind spots, and remove security risks. It offers simulation services to test security controls and create stakeholder graphics and reports.
BlindSPOT integrates with PlexTrac via API to create or update runbooks within PlexTrac's Runbooks module. This integration allows security professionals to align tasks with the MITRE ATT&CK framework by automatically populating the runbooks with relevant details from BlindSPOT simulations.
The simulation outcomes are sent to PlexTrac, empowering users to scrutinize and administer their cybersecurity operations efficiently. This enables users to enjoy the benefits of "purple teaming" and better understand their security posture, track engagement progress, and make informed decisions to improve their cybersecurity defenses.
Currently, PlexTrac does not send data back to BlindSPOT.
Vulnerabilities of any Core Impact workspace can be exported to an XML-compatible format for import into PlexTrac as findings. Core Impact is penetration testing software developed by Fortra’s Core Security. It is used by security professionals and ethical hackers to uncover and exploit security weaknesses. It is designed to enable security teams to conduct advanced penetration tests and safely test environments using the same techniques as adversaries.
Step 1: From a Core Impact Workspace, open the Modules view, go to 11 - Reporting>Third Party, and launch the module Export IMPACT Workspace to XML file.
Step 2: Select the location to export the file and click OK.
The workspace vulnerabilities are downloaded in an XML format compatible with PlexTrac.
Each export file from Core Impact contains the following:
The list of assets tested by Core Impact within the scope of the particular workspace.
The list of vulnerabilities discovered during the test and the assets affected by each vulnerability. All the vulnerabilities discovered by Core Impact have demonstrated exploitability.
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.
PlexTrac supports importing XML files from Checkmarx. Checkmarx provides software security solutions for detecting and preventing security application vulnerabilities. The primary focus is static application security testing (SAST), which involves analyzing an application's source code to identify security vulnerabilities and coding errors before deployment.
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.
| Acunetix Field | Direction | PlexTrac Field |
|---|---|---|
| Acunetix Field | Direction | PlexTrac Field |
|---|---|---|
| PlexTrac Field | Core Impact Path | Notes |
|---|---|---|
| PlexTrac Field | Core Impact Path | Notes |
|---|---|---|
| PlexTrac Field | Checkmarx Path | Notes |
|---|
| PlexTrac Field | Checkmarx Path | Notes |
|---|
Accunetix
-->
PlexTrac
Title
-->
Finding Title
Description
-->
Description
CVSS2
-->
CVSS Type
CVSS2
-->
Vector
CVSS2
-->
Score
CVSS3
-->
CVSS Type
CVSS3
-->
Vector
CVSS3
-->
Score
Recomendations
-->
Recomendations
Refrences
-->
Refrences
CWE
-->
CWE ID
Severity
-->
Severity
Host Name
-->
Parent Asset
Path
-->
Child Asset
Evidence
-->
Affected Asset Evidence
Request
-->
Affected Asset Evidence
title
<entity class="host"><property key="Vulnerabilities"><property key=(value)> or <entity class="host"><property key="Vulnerabilities"><property key="Modules><property key=(value)>
PlexTrac obtains the finding title from the property elements attribute "key" inside the vulnerability element.
If <entity class="host"><property key="Vulnerabilities"><property key=(value)> does not exist, then the tool looks at the Module element <entity class="host"><property key="Vulnerabilities"><property key="Modules"><property key=(value)>.
NOTE: PlexTrac only creates a finding if a Modules exists in the property key.
<entity class="host"><property key="Vulnerabilities"><property key="Modules">
severity
This value is hard-coded "Informational" by PlexTrac upon import, as it is a required value for PlexTrac but not provided by Core Impact.
references
<entity class="host"><property key="Vulnerabilities"><property key=(value)>
If no references exist, then the string is left empty: ""
recommendations
This value is hard-coded "Provide recommendations for resolution here." by PlexTrac upon import, as a value is not provided by Core Impact.
description
<entity class="host"><property key="Vulnerabilities"><property><property key="description>(value)</property>
common identifiers
<entity class="host"><property key="Vulnerabilities"><property key=(value)>
asset
<entity class="host" name=(value)>
PlexTrac receives an entity element that has a class of "host" and strips the leading '/' from the name attribute to use that as the asset name value.
title | <Query Name=(attribute value for title)> | If the |
severity | <Query Severity=(attribute value for severity)> |
references | <Query cweId=(attribute value for references)> |
recommendations | <Result DeepLink=(attribute value for recommendations)> | PlexTrac joins all items in the DeepLink element in the Result element |
description | Hard Coded w/ "This was identified via Checkmarx scanner, please view affected assets for more details." |
tags | <Query categories=(attribute value for tags)> and <Query group=(attribute value for tags)> | To convert categories into a list using ";" as a delimiter, and to append the group attribute to categories to create comprehensive tags, follow these steps:
|
source | Hard Coded "Checkmarx" |
asset | <Result name=(attribute to be used in asset name)> and Path> | Ensure that both the attribute name and the element filename are present and identical. |
PlexTrac supports importing HTML and XML files from Burp Suite Professional and Burp Suite Community product offerings. Burp Suite is a software tool for web application security testing that helps security professionals and developers identify and exploit security vulnerabilities.
Responses will be trimmed if HTML is used.
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.
If a field is not listed, PlexTrac does not currently import it.
PlexTrac supports importing XML files from HCL AppScan. HCL AppScan is a security testing tool used to identify and address security vulnerabilities in web applications before deployment. It uses a combination of dynamic application security testing (DAST) and static application security testing (SAST) techniques to identify vulnerabilities.
PlexTrac does not support the export format for older versions of HCL AppScan (export version <2.5).
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.
PlexTrac supports importing files from Nexpose in XML Export 2.0 format. Nexpose is vulnerability management software developed by Rapid7. It monitors exposures in real-time, adapts to new threats with fresh data, and provides features such as adaptive security, integrated policy scanning, and intuitive remediation reports.
Below are the field mappings from Nexpose to PlexTrac, broken up by findings and assets. If a field is not listed, PlexTrac does not currently import it.
Tables include the following columns:
Nexpose Field: the field name that appears in Nexpose
PlexTrac Field: the field name that appears in PlexTrac
Direction: displays the direction in the flow of data occurring for the integration
PlexTrac supports importing asset information into the Clients module from Nmap in XML. Nmap, short for "Network Mapper," is an open-source network scanning tool that allows network administrators and security professionals to discover devices on a network, identify open ports and services, gather information about those services, perform OS fingerprinting, and automate tasks using custom scripts.
All <host/> elements with a child <status/> containing the state="up" property will be parsed as an asset.
If a field is not listed, then PlexTrac does not currently import.
Hostname: Derived from the inner <hostname name="host"/> element’s name property.
<hostnames> <hostname name="<hostname>"/> </hostnames>
If no hostname is found from the elements above, the hostname is derived from the IP Address address addr element’s value.
IP Address (for hostname): <address addr="<hostname>"/>. This is also added to the Known IPs field on the asset.
Description: Defaults to "This asset was originally discovered via Nmap import."
All Ports data comes from the following element:
<ports> <port protocol="${port protocol}" portid="${port number}"> <state="open"/> </port> </ports>
If a <port/> element does not have a <state="open"/> child element, it will not get imported with the rest of the asset’s ports.
Port number: <port portid="PORT NUMBER" .../>
Port protocol: <port protocol="PORT PROTOCOL" .../>
Port service: The service information for a Port can be found inside the parent <ports/> element
<service name="" product="" version="" extrainfo="" />
The Port service name and Port version derive from a combination of product, version and extrainfo from the <service/> element.
Vulnerable parameters are similar to ports and derived from the parent <ports/> element within the <script/> element.
Each <table/> element inside another <table/> element will be parsed as a vulnerable parameter.
For each of these vulnerable parameters, there will be multiple <elem /> elements containing the details for each parameter.
If the <elem .../> has the property key="id", this value will be added to the CVE information of the corresponding finding.
If the <elem .../> has the property key="cvss", this value will be added to the CVSS information of the corresponding finding and used to help set the severity.
PlexTrac supports importing XML files from Invicti. Invicti is a web application security scanner and scanner management platform that includes web vulnerability scanning and dynamic application security testing (DAST).
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, then PlexTrac does not currently import.
PlexTrac supports importing files from Nessus in XML Export 2.0 or Nessus file formats. Nessus scans vulnerabilities on various assets, including servers, network devices, virtual machines, and endpoints. It identifies vulnerabilities and configuration issues that attackers could exploit and provides detailed reports on these findings.
Below are the field mappings from Nessus to PlexTrac, broken up by findings and assets.
Tables include the following columns:
Nessus Field: the field name in Nessus
Direction: displays the direction in the flow of data occurring for the integration
PlexTrac Field: the field name in PlexTrac
Notes: Additional information on the business rules
Below are the mappings of fields. If a field is not listed, PlexTrac does not currently import it.
Below are the mappings of fields and any notes to provide context. If a field is not listed, PlexTrac does not currently import it.
When importing a Nessus file for the second time, assets that were previously closed will remain closed, even if their associated findings are open. PlexTrac currently supports reopening findings upon re-import but does not support reopening assets.
PlexTrac supports importing XML files from Nipper. Nipper is a network security auditing tool used to assess the security of network devices and configurations. It scans network devices, such as routers, switches, and firewalls, and generates detailed reports on their vulnerabilities and compliance with various security standards.
The Nipper tool outputs its scan results in XML format. Users can then import these XML files into PlexTrac to review security findings, generate reports, and perform further analysis using various tools or custom scripts.
The security audit section from the Nipper export is optional for import.
PlexTrac supports importing JSON files from Nodeware. Nodeware helps identify and address vulnerabilities in IT infrastructure, including servers, workstations, network devices, and IoT devices. It scans for vulnerabilities such as outdated software versions, weak passwords, and misconfigurations and provides reports on these findings.
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.
PlexTrac supports importing XML files from OpenVAS. OpenVAS (Open Vulnerability Assessment System) is a network security scanner and vulnerability management solution designed to identify and assess vulnerabilities in network infrastructure and web applications. It performs scans of networks and hosts to identify open ports, running services, and potential vulnerabilities.
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.
PlexTrac supports importing the weaknesses.csv from NodeZero. NodeZero includes a wide range of penetration testing and security auditing tools, such as network scanners, vulnerability scanners, password cracking tools, and exploit frameworks.
Below are the mappings of fields and any reference notes to provide context. All data flows from NodeZero to PlexTrac. If a field is not listed, PlexTrac does not currently import it.
Below are the mappings of fields and any reference notes to provide context. All data flows from NodeZero to PlexTrac. If a field is not listed, PlexTrac does not currently import it.
PlexTrac supports importing XML from Nmap. Nmap, short for "Network Mapper," is an open-source network scanning tool that allows network administrators and security professionals to discover devices on a network, identify open ports and services, gather information about those services, perform OS fingerprinting, and automate tasks using custom scripts.
Nmap Scripting Engine (NSE) enables users to write and execute custom scripts to perform specific tasks during network scanning. NSE scripts are classified into predefined categories. Nmap vulners files use a database to detect potential vulnerabilities in services and systems found during a network scan.
It's important to note that vulners scripts are distinct from vulscan and vuln scripts. The main difference is the vulnerability database used.
PlexTrac supports importing XML files from OWASP ZAP (Zed Attack Proxy), a web application penetration testing tool. It can automatically detect security vulnerabilities while developing and testing web applications.
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.
PlexTrac supports importing XML files from Qualys. Qualys VM Parser is a tool developed by Qualys to help customers import vulnerability data from various sources. The Qualys VM Parser can read and import scan data in multiple formats.
When importing a file from Qualys, whether for the VM parser or Web parser, select "Qualys" from the import pulldown menu, and PlexTrac will decide which mapping to use based on the fields in the imported file.
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, then PlexTrac does not currently import.
PlexTrac supports importing XSLT files from RapidFire. RapidFire Tools offers solutions that help MSPs identify and remediate security vulnerabilities, assess IT compliance, and monitor network performance.
For the spreadsheet to successfully import, the worksheet name must be "Scan Details."
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.
| PlexTrac Field | Burp Path | Notes |
|---|---|---|
| PlexTrac Field | Burp Path |
|---|---|
| PlexTrac Field | Burp Path |
|---|---|
| Plextrac Field | HCL Path |
|---|---|
| PlexTrac Field | HCL Path |
|---|---|
| Nexpose Field | Direction | PlexTrac Field | Notes |
|---|---|---|---|
| Nexpose Field | Direction | PlexTrac Field | Notes |
|---|---|---|---|
| Plextrac Field | Invicti Path |
|---|---|
| PlexTrac Field | Invicti Path |
|---|---|
| Nessus Field | Direction | PlexTrac Field |
|---|---|---|
| Nessus Field | Direction | PlexTrac Field | Notes |
|---|---|---|---|
| PlexTrac Field | Nodeware Path |
|---|
| PlexTrac Field | Nodeware Path |
|---|
| PlexTrac Field | OpenVAS Path | Notes |
|---|
| PlexTrac Field | OpenVAS Path |
|---|
| NodeZero Field | Direction | PlexTrac Field |
|---|
| NodeZero Field | Direction | PlexTrac Field |
|---|
| OWASP Field | Direction | PlexTrac Field |
|---|
| OWASP Field | Direction | PlexTrac Field |
|---|
| PlexTrac Field | Qualys Path | Notes |
|---|
| PlexTrac Field | Qualys Path | Notes |
|---|
| PlexTrac Field | Worksheet Name | RapidFire Field | Notes |
|---|
| PlexTrac Field | Worksheet Name | RapidFire Field |
|---|
Finding Title
issue/name
Severity
issue/severity
maps "Information" to "Informational"
References
issue/vulnerabilityClassifications
removes the chars
References
references
Finding Description
issue/issueBackground
Evidence
issue/issueDetail
Finding Status
"Open"
Recommendations
remediationBackground
CWE ID
vulnerabilityClassifications
Asset
issue/path
Hostname
issue/path
Known IP Addresses
issue/host@ip
Evidence
issue/requestresponse/request
issue/requestresponse/response
Asset
issue/host
Hostname
issue/path
Known IP Addresses
issue/host@ip
title
Get the issue types: issue-group/item/advisory/ref
Get the data being imported: advisory-group/item/advisory/name
severity
issue-group/item/severity
references
Get the issue types: issue-group/item/advisory/ref
Get the data being imported: advisory-group/item/advisory/references
recommendations
Get the issue types: issue-group/item/remediation/ref
Get the data being imported: remediation-group/item/name
description
Get the issue types: issue-group/item/advisory/ref
Get the actual data being imported. All items are a concatenation of mulitple fields: advisory-group/item/advisory/testDescription plus advisory-group/item/advisory/testTechnicalDescription/text
evidence
issue-group/item/variant-group/item/issue-information/testReportChunk
field: <cwe>
label: cwe
value
issue-group/item/cwe
scores: <cvss>
label: cvss
value
issue-group/item/cvss-score
calculation
issue-group/item/cvss-vector/base-vector
asset
Get the entity id: issue-group/item/entity/ref
Get the data being imported: entity-group/item id=(match from above)/name
Title
->
Finding Title
Description
->
Description
Solution
->
Recommendation
Numerical Severity Sore Mapping
Finding Severity
10 or 9
->
Critical
8 or 7
->
High
6 or 5
->
Medium
4 or 3
->
Low
2 or 1
->
Informational
CVSS Score
->
Score Type
CVSS Score
->
Label
CVSS Score
->
Score Value
CVSS Vector
->
Calculation
CVE ID
->
CVE
Reference Source
->
References
Any hyperlinked URLs will be retained.
Exploit ID
->
Custom Field: Nexpose Exploit Available
PCI Severity
->
Custom Field: Nexpose PCI Compliance Status
Risk Score
->
Custom FIeld: Nexpose Risk Score
Vulnerability Id
->
Custom Field: Nexpose Vulnerability Id
Node Address
->
Asset Name
Device-Type
->
Asset Type
Family
->
Operating System
PCI Severity
->
PCI Compliance
Node Address
->
Known Ip Addresses
Endpoint Port
->
Port
Endpoint Service
->
Service
Endpoint Protocol
->
Protocol
Services
->
Known Hostnames
Detailed results included in affected asset evidence.
title
invicti-enterprise/vulnerabilities/vulnerability/name || invicti-enterprise/vulnerabilities/vulnerability/type
severity
invicti-enterprise/vulnerabilities/vulnerability/severity
references
invicti-enterprise/vulnerabilities/vulnerability/external-references, invicti-enterprise/vulnerabilities/vulnerability/remedy-references
recommendations
invicti-enterprise/vulnerabilities/vulnerability/remedial-procedure, invicti-enterprise/vulnerabilities/vulnerability/remedial-actions
description
invicti-enterprise/vulnerabilities/vulnerability/description, invicti-enterprise/vulnerabilities/vulnerability/impact, invicti-enterprise/vulnerabilities/vulnerability/exploitation-skills
evidence
invicti-enterprise/vulnerabilities/vulnerability/http-request/content , invicti-enterprise/vulnerabilities/vulnerability/http-response/content
field: http_request
"HTTP Request"
label
invicti-enterprise/vulnerabilities/vulnerability/http-request/content
value
issue-group/item/cwe
field: http_response
label
"HTTP Response"
value
invicti-enterprise/vulnerabilities/vulnerability/http-response/content
field: extra_information
label
"Additional Information"
value
invicti-enterprise/vulnerabilities/vulnerability/extra-information/info[name], invicti-enterprise/vulnerabilities/vulnerability/extra-information/info[value]
field: scores: cvss3
label
"CVSSv3 Base Score"
value
invicti-enterprise/vulnerabilities/vulnerability/classification/score/value
calculation
invicti-enterprise/vulnerabilities/vulnerability/classification/vector
asset
invicti-enterprise/vulnerabilities/vulnerability/url
knownlps
invicti-enterprise/target/url
Plugin Id Name
-->
Finding Title
Plugin Id Description
-->
Finding Description
CVSS2
-->
CVSS Type
CVSS2 Base Score
-->
CVSS Score
CVSS2
-->
CVSS Vector
CVSS3
-->
CVSS Type
CVSS3 Base Score
-->
CVSS Score
CVSS3
-->
CVSS Vector
Synopsis
-->
Custom Field "Synopsis"
See Also
-->
Refrences
Solution
-->
Recomendations
Exploitable With
-->
Exploitable With
Known IP or FQDN
-->
Asset Name
If a FQDN value exists in Nessus, this populates both the asset and host_fqdn fields in PlexTrac.
If there is no FQDN value, the IP address from Nessus populates the asset and knownips fields.
If FQDN and IP address values exist in Nessus, the FQDN value populates both the asset and host_fqdn fields, and the IP address populates the knownips field.
Plugin Output
-->
Asset Evidence
Known Ip Addresses
-->
Known IP Addresses
NetBIOS Name
-->
NetBIOS Name
Operating System
-->
Operating System
Host RDNS
-->
Host RDNS
Total CVEs
-->
Total CVEs
Host FQDN
-->
Host FQDN
MAC Address
-->
MAC Address
Ports
-->
Affected Ports
Service
-->
Affected Ports
Protocol
-->
Affected Ports
ID | (added on import) |
Title | title |
Severity | severity |
Status | open |
Description | description |
Start Date | (added on import) |
Recommendation | recommendation |
References | urls |
Code Samples | test_results |
CVSSv3 | severity |
CVSS | - |
Custom Fields (Synopsis) | isummary |
Customer Field (Solution) | Solution |
Name (finding asset) | hostname if present; if not ip_addr |
MAC Address | mac_addr |
OS | os |
title | <result><nvt><name> |
severity | <result><threat> |
references | <result><nvt><xref> <result><nvt><certs><cert_ref id=(parse out this id) type=(parse out this type)> <result><nvt><cve> <result><nvt><bid> | A combination of: <xref>: we ignore "NOXREF" if populated in the <xref> element and <cert_ref>: we take the id and type from all cert_ref tags in the <certs> element and <cve>: we ignore "NOCVE" if populated in the <cve> element and <bid>: we ignore "NOBID" if populated in the <bid> element |
recommendations | <result><nvt><tags> | PlexTrac parses the element into separate items based on the | delimiter that creates an array of key value pairs. Then we evaluate the array to compose description. Description is composed of the following values, if the key exists:
|
description | <result><nvt><tags> | PlexTrac parses the <tags> element into separate items based on the | delimiter that is used to create an array of key value pairs. Then we evaluate the array and compose recommendations from the following values, if the key exists:
If solution is not in the array, we populate the solution with the phrase: "A solution was not provided by the scan source" |
score: <cvss> |
label: cvss |
value | <result><nvt><cvss_base> |
calculation | <result><nvt><tags> | PlexTrac parses the element into separate items based on the | delimiter that creates an array of key value pairs. Then we evaluate the array and compose cvss calculation: Calculation is composed of the following values, if the key exists:
|
asset | <result><host> |
NodeZero | --> | Finding Source |
Title | --> | Finding Title |
Description | --> | Finding Description |
Score | Finding Severity |
1 - 3.9 | --> | Low |
4 - 6.9 | --> | Medium |
7 - 8.9 | --> | High |
9 - 10 | --> | Critical |
Finding Status | --> | Open |
ProvenEntityEid | --> | Finding Tags |
Root Cause | --> | Finding Tags |
Confirmed/Unconfirmed | Custom Field |
Potential | --> | Custom Field Value |
Confirmed | --> | Custom Field Value |
Root Cause or Type | Custom Field: "Root Cause" |
Security Misconfiguration | --> | Custom Field Value |
Vulnerability | --> | Custom Field Value |
Context Score | Custom Field: "Context Score" |
Context Score Number | --> | Custom Field Value Numeric |
IP or Host Name | -> | Child Asset Name |
IP or Host Name | -> | Affected Asset - Child Asset Name |
Hostname | -> | Hostname |
IP | -> | Known Ips (Array) |
OS | -> | Operating System (Common Delimited) |
Port | -> | Number |
Protocol | -> | Protocol |
Service | -> | Service |
Service Type | -> | Version |
First Seen | -> | First Found |
Plugin ID Name | ---> | Finding Title |
Description | ---> | Description |
Other Info | ---> | Custom Field "Other Info" |
Solution | ---> | Recomendation |
Refrences | ---> | Refrences |
CWE ID | ---> | CWE ID |
Risk Description | ---> | Severity |
Path | ---> | Asset Name |
Method | ---> | Asset Evidence |
Parameter | ---> | Asset Evidence |
Payload | ---> | Asset Evidence |
URI | ---> | Hostname |
Port | ---> | Port |
Protocol | ---> | Protocol |
asset | <HOST_LIST><HOST><DNS> or <HOST_LIST><HOST><IP> | If DNS is NOT present, then it falls back to the IP element. |
title | Scan Details | NVT Description |
severity | Scan Details | High | Medium | Low | Hierarchy logic: If High column > 0 return High, Else if Medium column > 0 return Medium, Else if Low column > 0 return Low, else don't return anything |
references | Scan Details | References |
recommendations | Scan Details | Solution |
description | Scan Details | Summary + Vulnerability Detection Insight + Vulnerability Detection Method |
asset | Scan Details | Host |
title | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><TITLE> | Any data surrounded by <![CDATA[some stuff]]> tag is removed before storing the data. |
severity | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><SEVERITY> | We are passed a number, which gets evaluated as following: "0": "Informational", "1": "Informational", "2": "Low", "3": "Medium", "4": "High", "5": "Critical", |
references | Any data surrounded by <![CDATA[some stuff]]> tag is removed before storing the data. All the data from the tags are stored into a list that is saved as reference links. |
recommendations | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><SOLUTION> | Any data surrounded by <![CDATA[some stuff]]> tag is removed before storing the data. |
description | Any data surrounded by <![CDATA[some stuff]]> tag is removed before storing the data. Data is combined. |
risk_score |
tags | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><SEVERITY> | If severity is 1, then we give it a tag of "minimal". |
common_identifiers |
evidence | <HOST_LIST><HOST><VULN_INFO_LIST><VULN_INFO><RESULT> | Any data surrounded by <![CDATA[some stuff]]> tag is removed before storing the data. |
field: ["scores"]["cvss"] |
label | Hardcoded "CVSS Base Score" |
value | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><CVSS_SCORE><CVSS_BASE> |
field: ["cvss_temporal"] |
label | Hardcoded "CVSS Temporal Score" |
value | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><CVSS_SCORE><CVSS_TEMPORAL> |
field: ["scores"]["cvss3"] |
label | Hardcoded "CVSSv3 Base Score" |
value | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><CVSS3_SCORE><CVSS3_BASE> |
field: ["cvss3_temporal"] |
label | Hardcoded "CVSSv3 Temporal Score" |
value | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><CVSS3_SCORE><CVSS3_TEMPORAL> |
field: ["scores"]["pci_flag"] |
label | Hardcoded "PCI_FLAG" |
value | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><PCI_FLAG> |
field: ["cwe"] |
label | Hardcoded "CWE" |
value | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><CWE> |
field: ["wasc"] |
label | Hardcoded "WASC" |
value | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><WASC> |
field: ["category"] |
label | Hardcoded "Category" |
value | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><CATEGORY> |
field: ["owasp"] |
label | Hardcoded "OWASP" |
value | <GLOSSARY><VULN_DETAILS_LIST><VULN_DETAILS><OWASP> |
PlexTrac supports importing CSV or JSON files from Scythe. Scythe is a cybersecurity company that provides a platform for simulating and testing cyber attacks against an organization's infrastructure, applications, and people. Scythe's platform allows security teams to create and run custom attack simulations, including phishing attacks, ransomware, and other types of malware.
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.
PlexTrac supports importing XML files from Qualys. The Qualys web parser is a component of the Qualys WAS solution responsible for crawling the web application, collecting data, and identifying potential vulnerabilities. The web parser can be customized to scan specific web applications and detect vulnerabilities in various web applications, including static and dynamic web applications.
When importing a file from Qualys, whether for the VM parser or Web parser, select "Qualys" from the import pulldown menu, and PlexTrac will decide which mapping to use based on the fields provided in the import file.
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.
PlexTrac supports importing Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) findings from Veracode. Veracode is an application security company offering various security analysis technologies on a single platform, such as static, dynamic, and software composition analysis.
Below are the field mappings from Veracode to PlexTrac, broken up by findings and assets. If a field is not listed, PlexTrac does not currently import it.
Tables include the following columns:
Veracode Field: the field name that appears in Veracode
PlexTrac Field: the field name that appears in PlexTrac
Direction: displays the direction in the flow of data occurring for the integration (a value of "x" means that the value is not imported)
PlexTrac supports importing JSON files from Pentera, but only JSON files exported specifically for PlexTrac will be accepted. Pentera is an automated security validation platform designed to identify and remediate security vulnerabilities continuously.
Findings of any Pentera task can be exported to a JSON-compatible format to be imported into PlexTrac.
Step 1: Click Testing History from the left menu.
Step 2: Select a test from the list to open.
Choose a test that has finished and is no longer in progress.
Step 3: Click the Export icon.
Step 4: From the modal under "Export to other tools," click PlexTrac.
The test findings are downloaded in a JSON format compatible with PlexTrac.
Each export file from Pentera contains the following:
The list of assets tested by Pentera within the scope of the particular test.
The list of vulnerabilities discovered during the test and the assets affected by each vulnerability. Discovery time is included in the dataset.
The list of Pentera achievements during the test and the assets affected by each achievement. Discovery time is included in the dataset. In Pentera, an achievement is Pentera’s ethical exploitation of a vulnerability or exposure intended to demonstrate its exploitability.
Pentera identifies two main types of findings:
Achievement: In the context of Pentera, a positive outcome that demonstrates ethical exploitation of a vulnerability or exposure. This means that Pentera has successfully taken advantage of vulnerability or security exposure in a controlled and ethical manner. The purpose of achieving such exploits is to showcase the exploitability of a security issue without causing harm or damage to the system. Achievements illustrate the potential impact of a vulnerability when exploited by malicious actors.
Vulnerability: In the context of Pentera, a vulnerability finding represents a specific security issue or weakness that has been identified during the testing or scanning process. These findings are typically undesirable because they indicate a potential risk to the system's security.
Only JSON files exported from Pentera specifically for PlexTrac are accepted.
Pentera uses a numerical range of 1 to 10 to capture a finding severity, while PlexTrac uses five qualitative values: Informational, Low, Medium, High, and Critical.
| PlexTrac Field | Scythe Field or Path |
|---|---|
| PlexTrac Field | Qualys Path | Notes |
|---|---|---|
| PlexTrac Field | Qualys Path | Notes |
|---|---|---|
| Veracode Field | Direction | PlexTrac Field |
|---|---|---|
| Veracode Field | Direction | PlexTrac Field |
|---|---|---|
| Veracode Field | Direction | PlexTrac Field |
|---|---|---|
| Veracode Field | Direction | PlexTrac Field |
|---|---|---|
| Veracode Field | Direction | PlexTrac Field |
|---|---|---|
| Veracode Field | Direction | PlexTrac Field |
|---|---|---|
| PlexTrac record | PlexTrac field | Pentera file | Pentera field | Comments |
|---|---|---|---|---|
| PlexTrac record | PlexTrac field | Pentera file | Pentera field | Comments |
|---|---|---|---|---|
| PlexTrac | Pentera |
|---|---|
finding.affected_assets.asset.hostname
Endpoint
finding.affected_assets.asset.asset
Endpoint
finding.affected_assets.asset.status
if Status == "True" then "Open" else "Closed"
finding.title
if Request is " " then use Module else use (Module + " " + Request)
finding.tags
Tags + Campaign Name
finding.status
if Status == "True" then "Open" else "Closed"
finding.severity
hard coded to "Medium"
finding.description
if a known scythe module then module.title + module.description. If not a known module then "They following Scythe module was conducted: + Module
finding.recommendations
if the module is not a known Scythe module then "You should review the security policies associated with this activity."
finding.references
hard coded to ""
finding.exhibit.exhibitID
if Module == "printscr" then data is concidered a finding.exhibit otherwise is a finding.code_sample
finding.exhibit.caption
"Timestamp: " + Timestamp
finding.exhibit.PID
Process ID
finding.exhibit.User
User
finding.exhibit.Module
Module
finding.exhibit.Request
Request
finding.exhibit.encoded
Response
finding.exhibit.type
hard coded to"image/png"
finding.code_sample.caption
hard coded to "Activity Data"
finding.code_sample.code
hard coded to ""
finding.code_sample.timestamp
Timestamp
finding.code_sample.PID
Process ID
finding.code_sample.User
User
finding.code_sample.Module
Module
finding.code_sample.Request
Request
finding.code_sample.Result
Response
asset
<WAS_SCAN_REPORT><RESULTS><VULNERABILITY_LIST><VULNERABILITY><URL>
There is some logic here for parent/child relationship.
Vulnerability Name
-->
Finding Title
Description
-->
Description
Background
-->
Description
Delivery Consultant
-->
Custom Field
Exploitation Difficulty
-->
Custom Field
Remediation Effort
-->
Custom Field
Recommendations
-->
Recommendations
References
-->
References
CWE ID
-->
CWE ID
Flaw Severity
-->
Severity
Remediation Effort
-->
Finding Tag
Category
-->
Finding Tag
Exploit Difficulty
-->
Finding Tag
Finding Status
-->
Finding Tag
File Path
-->
Asset Name
Application
-->
Parent Asset
Instance Details
-->
Asset Name
Line Number
-->
Asset Evidence
Function Prototype
-->
Asset Evidence
First Occurence
-->
Asset Evidence
Remediation Status
-->
Asset Evidence
Migration Status
-->
Asset Evidence
Veracode
-->
PlexTrac
Dynamic Flaw
-->
Finding Title
Description
-->
Description
Background
-->
Description
Delivery Consultant
-->
Custom Field
Exploitation Difficulty
-->
Custom Field
Remediation Effort
-->
Finding Tag
Recommendations
-->
Recommendations
References
-->
References
CWE ID
-->
CWE ID
Flaw Severity
-->
Severity
Remediation Effort
-->
Finding Tag
Remediation
-->
Custom Field
Category
-->
Finding Tag
Category
-->
Custom Field
Exploit Difficulty
-->
Finding Tag
Exploit Difficulty
-->
Custom Tag
Finding Status
-->
Finding Tag
Finding Status
-->
Custom Tag
File Path
-->
Asset Name
Application
-->
Parent Asset
Instance Details
-->
Asset Name
Line Number
-->
Asset Evidence
Function Prototype
-->
Asset Evidence
First Occurence
-->
Asset Evidence
Remediation Status
-->
Asset Evidence
Migration Status
-->
Asset Evidence
CVE_Summary
-->
Finding Title
CVSS Data
-->
Score Type
CVSS Data
-->
Score Value
CVSS Data
-->
Vector
CVE ID
-->
CVE ID
Library
-->
Asset Parent
App Name
-->
Asset Name
Finding
ID
Achievements
ID
Finding
Title
Achievements
Name
Finding
Severity
Achievements
Severity
Finding
Status
Default Value
Default Value
set to value 'Open', so customer can manage in PlexTrac
Finding
Description
Achievements
Insight
Finding
Start Date
Achievements
Creation Time
set when achievement is created
Finding
Custom Fields (Severity Score)
Achievements
Severity
captures original Pentera score
Affected Assets
Name
Achievements
target: target ID
Affected Assets
Ports
Achievements
results: Port
Affected Assets
Protocol
Achievements
results: Protocol
Affected Assets
Scan Evidence - Title
set to value 'Results'
Affected Assets
Scan Evidence - Description
Achievements
results - all data
Affected Assets
Scan Evidence - Title
set to value 'Parameters'
Affected Assets
Scan Evidence - Description
Achievements
parameters - all data
captures data in parameters as a section piece of scanner evidence PlexTrac auto-populates based on affected asset data
Asset
Ports
Calculated Value
Calculated Value
PlexTrac auto-populates based on affected asset data
Asset
Service
Calculated Value
Calculated Value
PlexTrac auto-populates based on affected asset data
Asset
Protocol
Calculated Value
Calculated Value
PlexTrac auto-populates based on affected asset data
Asset
Parent Asset
n/a
n/a
Asset
Known IPs
Achievements
results:"Hosts"
Asset
Evidence
Calculated Value
Calculated Value
PlexTrac auto-populates based on affected asset data
Asset
First Found
Achievements
n/a
Finding
ID
Vulnerabilities
ID
Finding
Title
Vulnerabilities
Name
Finding
Severity
Vulnerabilities
Severity
Finding
Status
Default Value
Default Value
Set status to 'Open'
Finding
Description
Vulnerabilities
Insight
Finding
Start Date
Vulnerabilities
Creation Time
Finding
Recommendation
Vulnerabilities
Remediation
Finding
Custom Fields (Severity Score)
Vulnerabilities
Severity
Finding
Custom Fields (Priority)
Vulnerabilities
Priority
Affected Asset
Name
Vulnerabilities
target: target_id
Affected Asset
Ports
Vulnerabilities
port
Affected Asset
Protocol
Vulnerabilities
protocol
Asset
Name
Vulnerabilities
target: target_id
Asset
Ports
Calculated Value
Calculated Value
PlexTrac auto-populates based on affected asset data
Asset
Protocol
Calculated Value
Calculated Value
PlexTrac auto-populates based on affected asset data
Asset
Known IPs
Calculated Value
Calculated Value
PlexTrac auto-populates based on affected asset data
Asset
Evidence
Calculated Value
Calculated Value
PlexTrac auto-populates based on affected asset data
Informational
0
Low
0.01 to 2.49
Medium
2.5 to 4.99
High
5 to 7.49
Critical
7.5 to 10
title
<WAS_SCAN_REPORT><GLOSSARY><QID_LIST><QID><TITLE>
severity
<WAS_SCAN_REPORT><GLOSSARY><QID_LIST><QID><SEVERITY>
We are passed a number, which gets evaluated as following: "0": "Informational", "1": "Informational", "2": "Low", "3": "Medium", "4": "High", "5": "Critical",
references
Any data surrounded by <![CDATA[some stuff]]> tag is removed before storing the data. All the data from the tags are stored into a list that is saved as reference links.
recommendations
<WAS_SCAN_REPORT><GLOSSARY><QID_LIST><QID><SOLUTION>
description
Any data surrounded by <![CDATA[some stuff]]> tag is removed before storing the data. Data is combined.
evidence
risk_score
tags
<WAS_SCAN_REPORT><GLOSSARY><QID_LIST><QID><SEVERITY>
If severity is 1, then we give it a tag of "minimal".
common_identifiers
field: ["scores"]["cvss"]
label
Hardcoded "CVSS Base Score"
value
<WAS_SCAN_REPORT><GLOSSARY><QID_LIST><QID><CVSS_SCORE><CVSS_BASE>
field: ["cvss_temporal"]
label
Hardcoded "CVSS Temporal Score"
value
<WAS_SCAN_REPORT><GLOSSARY><QID_LIST><QID><CVSS_SCORE><CVSS_TEMPORAL>
field: ["scores"]["cvss3"]
label
Hardcoded "CVSSv3 Base Score"
value
<WAS_SCAN_REPORT><GLOSSARY><QID_LIST><QID><CVSS3_SCORE><CVSS3_BASE>
field: ["cvss3_temporal"]
label
Hardcoded "CVSSv3 Temporal Score"
value
<WAS_SCAN_REPORT><GLOSSARY><QID_LIST><QID><CVSS3_SCORE><CVSS3_TEMPORAL>
field: ["scores"]["pci_flag"]
label
Hardcoded "PCI_FLAG"
value
<WAS_SCAN_REPORT><GLOSSARY><QID_LIST><QID><PCI_FLAG>
field: ["cwe"]
label
Hardcoded "CWE"
value
<GLOSSARY><QID_LIST><QID><CWE>
field: ["wasc"]
label
Hardcoded "WASC"
value
<GLOSSARY><QID_LIST><QID><WASC>
field: ["category"]
label
Hardcoded "Category"
value
<GLOSSARY><QID_LIST><QID><CATEGORY>
field: ["owasp"]
label
Hardcoded "OWASP"
value
<GLOSSARY><QID_LIST><QID><OWASP>
Mitre Engenuity
Runbooks
YAML
Netsparker (Desktop)
Reports
XML
Python General Template
findings, assets, report and client information
CSV
