PlexTrac learns about scanner findings as files are imported. This learning can be done proactively by an admin through parser actions or when a user imports a scanner file when adding findings to a report. Either way, the learning begins after an admin imports a file via the parser actions page of the Admin Dashboard, and this process must occur for each tool that PlexTrac integrates with. Any files for a tool imported as findings to a report that have not been enabled by an admin on the parser actions page will have no impact on parser actions.
When importing a file, parser actions process the contents to extract relevant information and perform specific operations. The exact parser actions depend on the file format and business rules an admin configures.
The findings are matched to the parser action by plugin ID and include actions such as linking to a writeup, changing the finding severity, or ignoring the finding when parsed.
Currently, no other metadata of the finding, such as tags, can be mapped or manipulated by parser actions.
When new files are uploaded to parser actions, plugin IDs are only created for IDs not found and set to a "Default" action, meaning no changes will occur on import unless a parser action is created.
Parser action changes are applied to future imports and don't impact existing findings. For example, suppose a parser action for a finding severity value was created for a plugin, but moving forward. In that case, the source of truth for severity is the scanner tool, then change the parser action for that plugin to "Default." The next time that plugin is imported, the severity value from the source will be imported into the report.
Parser actions apply to all users.
The description of a parser action can be obtained by placing the cursor over the parser action title in the table.
Step 1: Click Parser Actions in the "Tools & Integrations" section of the Admin Dashboard.
Step 2: Check the Enable Parser Plugin Actions box.
Enabling parser plugin actions will allow the ability to preset default actions, link writeups, and change the severity of scanner findings when imported into a report.
Once parser import rules are set, do not check the "Enable Parser Plugin Actions" box if wanting to import scan results natively without existing rules applied.
Step 3: Click Import.
Step 4: Select the source of the file to import from the "Import Source" pulldown menu, then drag the file into the drop area on the modal or click Browse to navigate to the file on the computer.
The box will display the supported files for the tool selected in the pulldown menu as the import source, along with the maximum file size.
Step 5: Click Upload.
A notification will confirm a successful import.
Step 6: The imported plugins are now available for configuration. Search or select the desired plugin and configure it using the pulldown menus and options to configure the preferred course of action.
Parser plug-in actions include four options:
DEFAULT: Passes the scanner result through with no action taken.
LINK: Replaces a scanner result finding with a custom writeup from WriteupsDB.
IGNORE: Ignores a scanner result when parsed by PlexTrac.
SEVERITY: Overrides a scanner result, finding severity value with a new value selected by the parser action.
Parser actions can take findings ingested from an external tool and map them to a custom finding in WriteupsDB. When the finding is imported, this action will override the description, title, references, custom fields, common identifiers, risk score, and recommendations. Multiple plugins with the same writeup will be mapped to a single finding with merged affected assets.
Step 1: Click Parser Actions in the "Tools & Integrations" section of the Admin Dashboard.
Step 2: Check the Enable Parser Plugin Actions box.
Step 3: Select the parser to work with from the "Filter Plugins" pulldown menu.
Step 4: Select the findings by clicking the checkbox of the finding row or selecting the box in the header column next to "Plugin Id."
Step 5: Select the writeup to link the findings by selecting the value from the "Link Writeup" pulldown menu.
The linked writeup is now displayed for each finding under the "Write Up" column.
If a new report is created, and the same parser file is imported, only one finding will be imported into the report.
Once a parser action is created, it cannot be deleted.
Step 1: Click Parser Actions in the "Tools & Integrations" section of the Admin Dashboard.
Step 2: Check the Enable Parser Plugin Actions box.
Step 3: Select the parser to work with from the "Filter Plugins" pulldown menu.
Step 4: Click Add Parser Action.
Step 5: Enter a Plugin ID, Title, and Plugin Description value.
All three fields must contain a value to continue.
Step 6: If the plugin action is "Default," continue to Step 8. Otherwise, select the desired plugin action from the pulldown menu.
Step 7: If "Ignore" was chosen, go to Step 8. Otherwise, select the value to associate with the action determined in the previous step.
Step 8: Click Create.
A message confirming creation will appear, and the new parser action will be displayed in the list.