Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Creating Remediation Scripts for Forcepoint DLP > Sample DLP incident XML
Sample DLP incident XML
Creating Remediation Scripts | Forcepoint DLP | v8.4.x, v8.5.x, v8.6.x
The following XML example is for a DLP incident:
<?xml version="1.0" encoding="UTF-8"?>
<ns1:pa-xml-rpc xmlns:ns1="http://www.portauthoritytech.com/schmea/xml-rpc/1.0" xmlns:evt="http://www.portauthoritytech.com/schmea/incident/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:request>
<ns1:service-name>insertEventService</ns1:service-name>
<ns1:params>
<evt:incident>
<evt:dataInMotion>
<evt:incidentInfo>
<evt:incidentId>5352285115603247792</evt:incidentId>
<evt:serviceId isSecured="false">486169846</evt:serviceId>
<evt:analyzedBy>nlcv10k-c-esg.nolosscorp.com</evt:analyzedBy>
<evt:subject>test inbound 3</evt:subject>
 
* 
Note 
The value of the <evt:subject> container is channel dependent. For example, for email, it is the email subject. This same value appears in the subject field in incident reports.
<evt:localDetectedTime>2017-07-21T12:33:35+10:00</evt:localDetectedTime>
<evt:installVersion>8.4</evt:installVersion>
<evt:resourceType>NETWORK</evt:resourceType>
 
* 
Note 
The <evt:resourceType> container has a value of either NETWORK or ENDPOINT, depending on the type of DLP incident.
<evt:totalSize>1740</evt:totalSize>
</evt:incidentInfo>
<evt:rules>
 
* 
Note 
The <evt:rules> container holds a list of the rules violated by the incident.
<evt:rule id="171601" type="1" policyID="170899">
<evt:severity>2</evt:severity>
<evt:actionSettings id="172004"/>
<evt:numOfMatches>1</evt:numOfMatches>
<evt:classifierMatches>
 
* 
Note 
The <evt:classifierMatches> container includes a list of matched classifiers within a specific rule.
<evt:classifierMatch id="171094">
<evt:numberOfMatches>1</evt:numberOfMatches>
<evt:isTruncated>false</evt:isTruncated>
<evt:breachContent>
<evt:contentInfo>
<evt:pathPartInfo order="0">
<evt:path>/var/spool/postfix/tmp//887C7850695.eml</evt:path>
<evt:partType>1</evt:partType>
<evt:fileType>233</evt:fileType>
</evt:pathPartInfo>
<evt:pathPartInfo order="1">
<evt:path>Transaction Body.txt</evt:path>
<evt:partType>1</evt:partType>
<evt:fileType>2</evt:fileType>
</evt:pathPartInfo>
</evt:contentInfo>
<evt:detectedValues>
<evt:detectedValue>
<evt:unMasked>WebsenseTestKeyword</evt:unMasked>
</evt:detectedValue>
</evt:detectedValues>
<evt:numberOfMatches>1</evt:numberOfMatches>
</evt:breachContent>
</evt:classifierMatch>
</evt:classifierMatches>
</evt:rule>
</evt:rules>
<evt:actionTaken type="2097152">
</evt:actionTaken>
<evt:source>
 
* 
Note 
The <evt:source> container includes the source of the incident. The resource type depends on the source (-2 is email).
<evt:incidentUser>
<evt:detail type="2" value="test@arik.baratz.org" isLookedUp="false"/>
</evt:incidentUser>
</evt:source>
<evt:destinations>
 
* 
Note 
The <evt:destinations> container includes one or more incident destinations. In this sample file, the destinations are email addresses.
<evt:destination>
<evt:incidentUser>
<evt:detail type="2" value="administrator@nolosscorp.com" isLookedUp="false"/>
</evt:incidentUser>
<evt:destinationType>TO</evt:destinationType>
<evt:actionTaken type="2097152">
</evt:actionTaken>
<evt:direction>1</evt:direction>
</evt:destination>
<evt:destination>
<evt:incidentUser>
<evt:detail type="2" value="ragg@nolosscorp.com" isLookedUp="false"/>
</evt:incidentUser>
<evt:destinationType>TO</evt:destinationType>
<evt:actionTaken type="2097152">
</evt:actionTaken>
<evt:direction>1</evt:direction>
</evt:destination>
<evt:destination>
<evt:incidentUser>
<evt:detail type="2" value="ismith@nolosscorp.com" isLookedUp="false"/>
</evt:incidentUser>
<evt:destinationType>TO</evt:destinationType>
<evt:actionTaken type="2097152">
</evt:actionTaken>
<evt:direction>1</evt:direction>
</evt:destination>
</evt:destinations>
<evt:eventEndpointInfo>
<evt:endpointType>Unknown</evt:endpointType>
<evt:endpointSourceAppName>N/A</evt:endpointSourceAppName>
<evt:endpointDestAppName>N/A</evt:endpointDestAppName>
<evt:endpointDestDeviceName>N/A</evt:endpointDestDeviceName>
<evt:endpointDestDeviceType>N/A</evt:endpointDestDeviceType>
<evt:endpointOperationType>N/A</evt:endpointOperationType>
<evt:endpointPolicyVersion>0</evt:endpointPolicyVersion>
<evt:confirmationId>0</evt:confirmationId>
<evt:confirmationString></evt:confirmationString>
<evt:endpointSourceAppID>N/A</evt:endpointSourceAppID>
<evt:endpointDestAppID>N/A</evt:endpointDestAppID>
</evt:eventEndpointInfo>
<evt:hasForensics>true</evt:hasForensics>
</evt:dataInMotion>
</evt:incident>
</ns1:params>
</ns1:request>
</ns1:pa-xml-rpc>
Continue with Using the DiscoveryIncidentProcessing module.
 

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Creating Remediation Scripts for Forcepoint DLP > Sample DLP incident XML
Copyright 2018 Forcepoint. All rights reserved.