DLP incident structure
Creating Remediation Scripts | Data Protection | Version 8.3.x
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Sample DLP incident as submitted to the insertEventService XML-RPC call.
  The ns1 (RPC envelope) and evt (incident payload) namespace URIs are opaque
  identifiers defined by the product and are reproduced verbatim, including
  their spelling; a consuming script must match them exactly, not "correct" them.
  The document carries no DOCTYPE, so a remediation script parsing it should
  keep DTD and external-entity resolution disabled and reject any that appears.
-->
<ns1:pa-xml-rpc xmlns:ns1="http://www.portauthoritytech.com/schmea/xml-rpc/1.0"
                xmlns:evt="http://www.portauthoritytech.com/schmea/incident/1.0"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ns1:request>
    <ns1:service-name>insertEventService</ns1:service-name>
    <ns1:params>
      <evt:incident>
        <!-- Data-in-motion incident (resourceType NETWORK); the endpoint section below holds placeholder values. -->
        <evt:dataInMotion>
          <evt:incidentInfo>
            <evt:incidentId>5352285115603247792</evt:incidentId>
            <!-- isSecured: meaning not defined by this sample; consult the incident schema before acting on it. -->
            <evt:serviceId isSecured="false">486169846</evt:serviceId>
            <evt:analyzedBy>nlcv10k-c-esg.nolosscorp.com</evt:analyzedBy>
            <evt:subject>test inbound 3</evt:subject>
            <!-- ISO 8601 timestamp with an explicit UTC offset. -->
            <evt:localDetectedTime>2011-07-21T12:33:35+10:00</evt:localDetectedTime>
            <evt:installVersion>7.6</evt:installVersion>
            <evt:resourceType>NETWORK</evt:resourceType>
            <evt:totalSize>1740</evt:totalSize>
          </evt:incidentInfo>
          <!-- One rule entry per matched policy rule; id, policyID and actionSettings ids are numeric references. -->
          <evt:rules>
            <evt:rule id="171601" type="1" policyID="170899">
              <evt:severity>2</evt:severity>
              <evt:actionSettings id="172004"/>
              <evt:numOfMatches>1</evt:numOfMatches>
              <evt:classifierMatches>
                <evt:classifierMatch id="171094">
                  <evt:numberOfMatches>1</evt:numberOfMatches>
                  <evt:isTruncated>false</evt:isTruncated>
                  <evt:breachContent>
                    <!-- Ordered path parts locating the matched content: a filesystem path
                         (apparently a mail spool file on the analyzing host), then a part name within it. -->
                    <evt:contentInfo>
                      <evt:pathPartInfo order="0">
                        <evt:path>/var/spool/postfix/tmp//887C7850695.eml</evt:path>
                        <evt:partType>1</evt:partType>
                        <evt:fileType>233</evt:fileType>
                      </evt:pathPartInfo>
                      <evt:pathPartInfo order="1">
                        <evt:path>Transaction Body.txt</evt:path>
                        <evt:partType>1</evt:partType>
                        <evt:fileType>2</evt:fileType>
                      </evt:pathPartInfo>
                    </evt:contentInfo>
                    <!-- unMasked carries the matched text in the clear. Treat it as sensitive:
                         do not copy it into logs, tickets or notification mail from a script. -->
                    <evt:detectedValues>
                      <evt:detectedValue>
                        <evt:unMasked>WebsenseTestKeyword</evt:unMasked>
                      </evt:detectedValue>
                    </evt:detectedValues>
                    <evt:numberOfMatches>1</evt:numberOfMatches>
                  </evt:breachContent>
                </evt:classifierMatch>
              </evt:classifierMatches>
            </evt:rule>
          </evt:rules>
          <!-- actionTaken carries only a numeric action code, here at incident level and again per destination. -->
          <evt:actionTaken type="2097152"/>
          <!-- Sender. detail/type is a numeric code; the value is an email address in this sample. -->
          <evt:source>
            <evt:incidentUser>
              <evt:detail type="2" value="test@arik.baratz.org" isLookedUp="false"/>
            </evt:incidentUser>
          </evt:source>
          <!-- Recipients, one destination element each, with their own actionTaken and direction. -->
          <evt:destinations>
            <evt:destination>
              <evt:incidentUser>
                <evt:detail type="2" value="administrator@nolosscorp.com" isLookedUp="false"/>
              </evt:incidentUser>
              <evt:destinationType>TO</evt:destinationType>
              <evt:actionTaken type="2097152"/>
              <evt:direction>1</evt:direction>
            </evt:destination>
            <evt:destination>
              <evt:incidentUser>
                <evt:detail type="2" value="ragg@nolosscorp.com" isLookedUp="false"/>
              </evt:incidentUser>
              <evt:destinationType>TO</evt:destinationType>
              <evt:actionTaken type="2097152"/>
              <evt:direction>1</evt:direction>
            </evt:destination>
            <evt:destination>
              <evt:incidentUser>
                <evt:detail type="2" value="ismith@nolosscorp.com" isLookedUp="false"/>
              </evt:incidentUser>
              <evt:destinationType>TO</evt:destinationType>
              <evt:actionTaken type="2097152"/>
              <evt:direction>1</evt:direction>
            </evt:destination>
          </evt:destinations>
          <!-- Endpoint fields are populated with N/A, 0 or empty values in this network incident. -->
          <evt:eventEndpointInfo>
            <evt:endpointType>Unknown</evt:endpointType>
            <evt:endpointSourceAppName>N/A</evt:endpointSourceAppName>
            <evt:endpointDestAppName>N/A</evt:endpointDestAppName>
            <evt:endpointDestDeviceName>N/A</evt:endpointDestDeviceName>
            <evt:endpointDestDeviceType>N/A</evt:endpointDestDeviceType>
            <evt:endpointOperationType>N/A</evt:endpointOperationType>
            <evt:endpointPolicyVersion>0</evt:endpointPolicyVersion>
            <evt:confirmationId>0</evt:confirmationId>
            <evt:confirmationString/>
            <evt:endpointSourceAppID>N/A</evt:endpointSourceAppID>
            <evt:endpointDestAppID>N/A</evt:endpointDestAppID>
          </evt:eventEndpointInfo>
          <evt:hasForensics>true</evt:hasForensics>
        </evt:dataInMotion>
      </evt:incident>
    </ns1:params>
  </ns1:request>
</ns1:pa-xml-rpc>
Some interesting nodes in this file:
 
 

Copyright 2016 Forcepoint LLC. All rights reserved.