Using the DiscoveryIncidentProcessing module

Creating Remediation Scripts | Forcepoint DLP | v8.4.x, v8.5.x, v8.6.x

To make it easier to write remediation scripts for common use cases, Forcepoint DLP includes a helper Python module that performs some common tasks with the incident data XML file. The module:

Is named DiscoveryIncidentProcessing

Can be easily imported into your Python code

Is not required

Administrators can instead write their own XML parsing routines.


	Note The DiscoveryIncidentProcessing module cannot be used on endpoints with impersonation.

The DiscoveryIncidentProcessing module includes the routines described in the following sections.

GetFilePathFromXML(IncidentXml)

This routine reads and analyzes the incident details from the provided XML file.

Parameters


IncidentXml	Unicode	The path to the XML file containing the incident details.

Returns


0	Unicode	The discovery location: NETWORK or ENDPOINT
1	Unicode	The absolute file path. For endpoint discovery, uses UNC format "\\hostname\C\path\to\file".
2	Unicode	True - File exists False - File not found

Example

>>> import DiscoveryIncidentProcessing

>>> DiscoveryIncidentProcessing.GetFilePathFromXML(r'C:\Temp\5371106770671816417.xml')

(u'NETWORK', u'\\\\10.4.228.150\\DiscoveryTarget\\TestFile.txt', True)

>>>

ProcessDicoveryIncident(IncidentXml, Command)

This routine runs a command, providing the incident file name as a parameter. This is quite useful to run commands that expect the original file as one of its parameters.

NOTE: The typo in the function name will be fixed in future versions.

Parameters


IncidentXML	Unicode	The path of the incident XML file.
Command	Unicode	A command to execute The string should contain the string "$filepath$", which is replaced with the actual filename in the incident XML.

Returns

None

Example

>>> DiscoveryIncidentProcessing.ProcessDicoveryIncident(r'C:\Temp\5371106770671816417.xml',

u'notepad.exe filepath ')

2017-07-19 18:32:45,312 root Debug Processing C:\Temp\5371106770671816417.xml Encryption

2017-07-19 18:32:45,496 root Debug Processing \\10.4.228.150\DiscoveryTarget\TestFile.txt

2017-07-19 18:32:45,500 root Debug Command:notepad.exe \\10.4.228.150\DiscoveryTarget\TestFile.txt

2017-07-19 18:32:50,898 root Debug \\10.4.228.150\DiscoveryTarget\TestFile.txt RunCommand Successful

>>>

MoveDiscoveryIncident (IncidentXml, Location, RemoveFile, DaysKeepActiveFiles, QuarentineMsg)

This routine moves the file pointed to by the incident into a folder.

The file is moved by copying it to the destination folder, then overwriting the original file with a text message.

Alternatively, the file can be copied (rather than moved).

The file is checked for access before it is copied or moved, and it is not moved if it has been accessed recently.

Parameters


IncidentXML	Unicode	The path of the incident XML file
Location	Unicode	Destination folder to which to move or copy the file
RemoveFile	bool	If True, the original file is moved. If False, the original file is copied.
DaysKeepActiveFiles	Int	Don't move the file if it was accessed within this number of days.
QuarantineMsg	str	A string which will replace the original file Make sure the file is formatted appropriately. For example, to use Unicode, encode it as UTF-8 or UTF-16 with BOM. The file will always have a ".txt" extension, so make sure it can be opened in Notepad.

Returns

None

Example

>>> DiscoveryIncidentProcessing.MoveDiscoveryIncident(r'C:\Temp\5371106770671816417.xml',r'C:\Temp',False,0,'')

2017-07-21 16:03:16,365 root Debug Processing C:\Temp\5371106770671816417.xml move file 0

2017-07-21 16:03:16,742 root Debug Moving \\10.4.228.150\DiscoveryTarget\TestFile.txt to C:\Temp

2017-07-21 16:03:16,786 root Debug Creating C:\Temp\10.4.228.150\DiscoveryTarget

>>>