PlexTrac supports importing CSV or JSON files from Scythe. Scythe is a cybersecurity company that provides a platform for simulating and testing cyber attacks against an organization's infrastructure, applications, and people. Scythe's platform allows security teams to create and run custom attack simulations, including phishing attacks, ransomware, and other types of malware.
Below are the mappings of fields and any reference notes to provide context. If a field is not listed, PlexTrac does not currently import it.
PlexTrac Field | Scythe Field or Path |
---|---|
finding.affected_assets.asset.hostname | Endpoint |
finding.affected_assets.asset.asset | Endpoint |
finding.affected_assets.asset.status | if Status == "True" then "Open" else "Closed" |
finding.title | if Request is " " then use Module else use (Module + " " + Request) |
finding.tags | Tags + Campaign Name |
finding.status | if Status == "True" then "Open" else "Closed" |
finding.severity | hard coded to "Medium" |
finding.description | if the module is a known Scythe module then module.title + module.description; if it is not a known module then "The following Scythe module was conducted: " + Module |
finding.recommendations | if the module is not a known Scythe module then "You should review the security policies associated with this activity." |
finding.references | hard coded to "" |
finding.exhibit.exhibitID | if Module == "printscr" then the data is considered a finding.exhibit, otherwise it is a finding.code_sample |
finding.exhibit.caption | "Timestamp: " + Timestamp |
finding.exhibit.PID | Process ID |
finding.exhibit.User | User |
finding.exhibit.Module | Module |
finding.exhibit.Request | Request |
finding.exhibit.encoded | Response |
finding.exhibit.type | hard coded to "image/png" |
finding.code_sample.caption | hard coded to "Activity Data" |
finding.code_sample.code | hard coded to "" |
finding.code_sample.timestamp | Timestamp |
finding.code_sample.PID | Process ID |
finding.code_sample.User | User |
finding.code_sample.Module | Module |
finding.code_sample.Request | Request |
finding.code_sample.Result | Response |