# parse_output
Parse raw output from common offensive tools into structured graph data.
Read-only: No
## Description
Deterministically parses tool output into structured findings and (optionally) ingests them into the graph. This reduces LLM token cost by handling structured parsing without LLM involvement.
## Supported Parsers

| Parser | Aliases | Input Format | Produces |
|---|---|---|---|
| Nmap | nmap, nmap-xml | Nmap XML output | Host + service nodes, RUNS edges, OS detection |
| NXC/NetExec | nxc, netexec | NXC text output | Host + SMB service nodes, share nodes, user nodes, access edges, NULL_SESSION edges, SAM hashes (--sam), LSA secrets (--lsa), file listings (spider_plus) |
| Certipy | certipy | Certipy JSON output | CA + cert_template nodes, enrollment edges, ESC edges |
| Secretsdump | secretsdump, impacket-secretsdump | SAM/NTDS hashes | Credential + user nodes, OWNS_CRED + DUMPED_FROM + MEMBER_OF_DOMAIN edges |
| Kerbrute | kerbrute | User enum + spray output | User + domain + credential nodes |
| Hashcat | hashcat | Cracked hashes (NTLM, Kerberoast, AS-REP, NTLMv2) | Credential nodes |
| Responder | responder | Captured NTLMv2 hashes | Credential + user + host nodes |
| Ldapsearch | ldapsearch, ldapdomaindump, ldap | LDIF or ldapdomaindump JSON | User + group + host + domain nodes, UAC flags, group memberships |
| Enum4linux | enum4linux, enum4linux-ng | JSON (-oJ) or text | Host + SMB service + user + group + share nodes, null session detection |
| Rubeus | rubeus | Kerberoast/AS-REP/monitor output | User + credential nodes, OWNS_CRED edges (TGT/TGS detection) |
| Web Dir Enum | gobuster, feroxbuster, ffuf, dirbuster | Text or JSON | Service node enrichment with discovered_paths, login form detection |
| Linpeas | linpeas, linenum, linpeas.sh | Text output | Host enrichment: kernel version, SUID binaries, docker socket, capabilities, cron jobs |
| Nuclei | nuclei | JSON, JSONL, or text output | Vulnerability + webapp nodes, VULNERABLE_TO edges. Text format: [template-id] [protocol] [severity] url |
| Nikto | nikto | Text or JSON output | Per-path web vulnerability findings with affected_path metadata |
| TestSSL | testssl, testssl.sh, sslscan | Text or JSON output | TLS enrichment: version, cipher suites, certificate details |
| Pacu | pacu | JSON output | Cloud identity + resource + policy nodes, HAS_POLICY / ASSUMES_ROLE edges |
| Prowler | prowler | OCSF JSON-lines output | Cloud resource nodes, all FAIL findings as vulnerability nodes (any severity) |
| Impacket GetNPUsers | getnpusers, impacket-getnpusers | GetNPUsers text output | User + credential nodes (AS-REP hashes), AS_REP_ROASTABLE edges |
| Impacket GetUserSPNs | getuserspns, impacket-getuserspns | GetUserSPNs text output | User + credential nodes (TGS hashes), KERBEROASTABLE edges |
| Impacket GetTGT | gettgt, impacket-gettgt | GetTGT text output | Credential nodes (TGT .ccache files), domain membership |
| Impacket GetST | getst, impacket-getst | GetST text output | Credential nodes (service ticket .ccache files), CAN_DELEGATE_TO edges |
| Impacket smbclient | smbclient, impacket-smbclient | smbclient.py text output | Host + share nodes, file listings, readable/writable share properties |
| Impacket wmiexec | wmiexec, impacket-wmiexec | wmiexec.py text output | Host nodes with ADMIN_TO/HAS_SESSION edges (confirmed execution) |
| Impacket psexec | psexec, impacket-psexec | psexec.py text output | Host nodes with ADMIN_TO/HAS_SESSION edges (confirmed execution) |
## Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| tool_name | string | Yes | Name of the tool (e.g., nmap, nxc, certipy) |
| output | string | Yes | Raw tool output to parse |
| agent_id | string | No | Agent ID to attribute findings to |
| action_id | string | No | Stable action ID for linkage |
| frontier_item_id | string | No | Frontier item this parse came from |
| context | object | No | Parser context: `{ domain?: string, source_host?: string }` |
| ingest | boolean | No | Auto-ingest into graph (default: true) |
| list_parsers | boolean | No | List all supported parser names (default: false) |
## Parser Context

The `context` parameter provides ambient information that parsers use as a fallback when the raw output doesn't contain it:

- `domain` — Used by `secretsdump` and `hashcat` to set `cred_domain` when the output doesn't include domain prefixes. Only used as a soft hint for `cred_domain`; not used to construct user IDs (prevents false merges).
- `source_host` — Used by `secretsdump` to create `DUMPED_FROM` edges linking credentials back to the host they were extracted from.
## Returns

All successful responses share a stable schema, including zero-artifact parses:

| Field | Type | Description |
|---|---|---|
| parsed | boolean | Whether parsing succeeded |
| tool | string | Tool name |
| action_id | string | Action ID |
| finding_id | string | Finding identifier |
| parsed_from | string | "output" or "file_path" |
| nodes_parsed | number | Nodes extracted (0 if nothing found) |
| edges_parsed | number | Edges extracted (0 if nothing found) |
| ingested | object? | Ingestion results (present only when ingest: true and nodes > 0) |
| warnings | string[]? | Instrumentation warnings (e.g. missing action context) |
| message | string | Summary |
## Usage Notes

- Prefer this over `report_finding` when you have raw output from a supported tool
- Set `ingest: false` to preview what would be parsed without modifying the graph
- Set `list_parsers: true` to get the current list of supported parser names (50 aliases across 28 parsers)
- Pass `context` with `domain` and `source_host` when available — improves credential domain attribution and provenance
- See parse_output vs report_finding for detailed guidance