Sample Exchange discovery incident XML
Creating Remediation Scripts | Forcepoint DLP | v8.4.x, v8.5.x, v8.6.x
Here is a sample incident XML file resulting from Exchange discovery:
<?xml version="1.0" encoding="UTF-8"?>
<ns1:pa-xml-rpc xmlns:ns1="http://www.portauthoritytech.com/schmea/xml-rpc/1.0" xmlns:evt="http://www.portauthoritytech.com/schmea/incident/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ns1:request>
    <ns1:service-name>insertCrawlerService</ns1:service-name>
    <ns1:params>
      <evt:incident>
        <evt:dataAtRest>
          <evt:incidentInfo>
            <evt:incidentId>4679778800686204169</evt:incidentId>
            <evt:serviceId isSecured="false">1800221564</evt:serviceId>
            <evt:analyzedBy>NLCTR.nolosscorp.com</evt:analyzedBy>
            <evt:subject>ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:subject>
            <evt:localDetectedTime>2017-07-26T14:17:57+10:00</evt:localDetectedTime>
            <evt:installVersion>8.4</evt:installVersion>
            <evt:resourceType>EXCHANGE</evt:resourceType>
            <evt:totalSize>36827</evt:totalSize>
          </evt:incidentInfo>
          <evt:rules>
            <evt:rule id="170998" type="1" policyID="170893">
              <evt:severity>2</evt:severity>
              <evt:actionSettings id="172003"/>
              <evt:numOfMatches>1</evt:numOfMatches>
              <evt:classifierMatches>
                <evt:classifierMatch id="171094">
                  <evt:numberOfMatches>1</evt:numberOfMatches>
                  <evt:isTruncated>false</evt:isTruncated>
                  <evt:breachContent>
                    <evt:contentInfo>
                      <evt:pathPartInfo order="0">
                        <evt:path>ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:path>
                        <evt:partType>1</evt:partType>
                        <evt:fileType>233</evt:fileType>
                      </evt:pathPartInfo>
                      <evt:pathPartInfo order="1">
                        <evt:path>Transaction Body.txt</evt:path>
                        <evt:partType>1</evt:partType>
                        <evt:fileType>236</evt:fileType>
                      </evt:pathPartInfo>
                    </evt:contentInfo>
                    <evt:detectedValues>
                      <evt:detectedValue>
                        <evt:unMasked>WebsenseTestKeyword</evt:unMasked>
                      </evt:detectedValue>
                    </evt:detectedValues>
                    <evt:numberOfMatches>1</evt:numberOfMatches>
                  </evt:breachContent>
                  <evt:breachContent>
                    <evt:contentInfo>
                      <evt:pathPartInfo order="0">
                        <evt:path>ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:path>
                        <evt:partType>1</evt:partType>
                        <evt:fileType>233</evt:fileType>
                      </evt:pathPartInfo>
                      <evt:pathPartInfo order="1">
                        <evt:path>Original_Message_Incident_12564</evt:path>
                        <evt:partType>2</evt:partType>
                        <evt:fileType>233</evt:fileType>
                      </evt:pathPartInfo>
                      <evt:pathPartInfo order="2">
                        <evt:path>Transaction Body.txt</evt:path>
                        <evt:partType>2</evt:partType>
                        <evt:fileType>2</evt:fileType>
                      </evt:pathPartInfo>
                    </evt:contentInfo>
                    <evt:detectedValues>
                      <evt:detectedValue>
                        <evt:unMasked>WebsenseTestKeyword</evt:unMasked>
                      </evt:detectedValue>
                    </evt:detectedValues>
                    <evt:numberOfMatches>1</evt:numberOfMatches>
                  </evt:breachContent>
                </evt:classifierMatch>
              </evt:classifierMatches>
            </evt:rule>
          </evt:rules>
          <evt:actionTaken type="2097152">
          </evt:actionTaken>
          <evt:properties>
            <evt:property>
              <evt:name>checksum</evt:name>
              <evt:value>60104d41558c2d6aba1ad287813155ea</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>exchange-from</evt:name>
              <evt:value>&quot;DSS@nolosscorp.com&quot; &lt;DSS@nolosscorp.com></evt:value>
            </evt:property>
            <evt:property>
              <evt:name>exchange-subject</evt:name>
              <evt:value>DSS Incident [ID:12564]</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>exchange-to</evt:name>
              <evt:value>&quot;ismith@nolosscorp.com&quot; &lt;ismith@nolosscorp.com></evt:value>
            </evt:property>
            <evt:property>
              <evt:name>fileOwner</evt:name>
              <evt:value>ismith</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>folderOwner</evt:name>
              <evt:value>N/A</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>jobID</evt:name>
              <evt:value>172106</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>jobName</evt:name>
              <evt:value>Test discovery</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>resourceSubType</evt:name>
              <evt:value>PRIVATE FOLDER</evt:value>
            </evt:property>
          </evt:properties>
          <evt:file>
            <evt:filepath>cifs://ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:filepath>
            <evt:filesize>19672</evt:filesize>
            <evt:filetype>233</evt:filetype>
            <evt:encodeType>N/A</evt:encodeType>
            <evt:hostname>ismith@nolosscorp.com</evt:hostname>
            <evt:dateAccessed>2010-10-21T03:10:51.505</evt:dateAccessed>
            <evt:dateCreated>2010-10-21T03:10:51.505</evt:dateCreated>
            <evt:dateModified>2010-10-21T03:10:51.505</evt:dateModified>
            <evt:owner>
              <evt:incidentUser>
                <evt:detail type="5" value="ismith" isLookedUp="false"/>
              </evt:incidentUser>
            </evt:owner>
            <evt:folderOwner>
              <evt:incidentUser>
                <evt:detail type="5" value="N/A" isLookedUp="false"/>
              </evt:incidentUser>
            </evt:folderOwner>
          </evt:file>
          <evt:jobId>172106</evt:jobId>
          <evt:jobName></evt:jobName>
          <evt:scanStartTime>2017-07-26T14:16:49</evt:scanStartTime>
          <evt:discoveryEndpointInfo>
            <evt:endpointType>Unknown</evt:endpointType>
          </evt:discoveryEndpointInfo>
        </evt:dataAtRest>
      </evt:incident>
    </ns1:params>
  </ns1:request>
</ns1:pa-xml-rpc>
Please note the main differences between the network discovery incident and this Exchange incident:
*
*
*
The sample script supplied with the product cannot extract any meaningful information from an Exchange incident, so custom scripts must include their own parsing code to get information out of Exchange incident XML.
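As an added example (not part of the Forcepoint documentation or its sample script), the following Python parser reads the Exchange incident format shown above and pulls out the fields a remediation script would normally act on: the incident id, the mailbox owner, the exchange-from, exchange-to and exchange-subject properties, and for each rule the container path and detected values of every breachContent. The embedded input is an abridged copy of the page's own sample (constructed test input, not live data); the element paths and namespace URIs follow that sample exactly, while the output field names are this example's own choice.

```python
"""Parse a Forcepoint DLP Exchange discovery incident (XML-RPC request body)."""
import email.utils
import json
import xml.etree.ElementTree as ET

# Namespace prefixes as they appear in the incident XML on the page.
NS = {
    "ns1": "http://www.portauthoritytech.com/schmea/xml-rpc/1.0",
    "evt": "http://www.portauthoritytech.com/schmea/incident/1.0",
}

# Abridged copy of the page's sample incident (constructed test input, not live data).
SAMPLE_XML = """<ns1:pa-xml-rpc xmlns:ns1="http://www.portauthoritytech.com/schmea/xml-rpc/1.0" xmlns:evt="http://www.portauthoritytech.com/schmea/incident/1.0">
<ns1:request><ns1:service-name>insertCrawlerService</ns1:service-name><ns1:params>
<evt:incident><evt:dataAtRest>
<evt:incidentInfo>
<evt:incidentId>4679778800686204169</evt:incidentId>
<evt:subject>ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:subject>
<evt:resourceType>EXCHANGE</evt:resourceType>
</evt:incidentInfo>
<evt:rules><evt:rule id="170998" type="1" policyID="170893">
<evt:severity>2</evt:severity>
<evt:classifierMatches><evt:classifierMatch id="171094">
<evt:breachContent><evt:contentInfo>
<evt:pathPartInfo order="0"><evt:path>ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:path></evt:pathPartInfo>
<evt:pathPartInfo order="1"><evt:path>Transaction Body.txt</evt:path></evt:pathPartInfo>
</evt:contentInfo>
<evt:detectedValues><evt:detectedValue><evt:unMasked>WebsenseTestKeyword</evt:unMasked></evt:detectedValue></evt:detectedValues>
</evt:breachContent>
</evt:classifierMatch></evt:classifierMatches>
</evt:rule></evt:rules>
<evt:properties>
<evt:property><evt:name>exchange-from</evt:name><evt:value>&quot;DSS@nolosscorp.com&quot; &lt;DSS@nolosscorp.com></evt:value></evt:property>
<evt:property><evt:name>exchange-subject</evt:name><evt:value>DSS Incident [ID:12564]</evt:value></evt:property>
<evt:property><evt:name>exchange-to</evt:name><evt:value>&quot;ismith@nolosscorp.com&quot; &lt;ismith@nolosscorp.com></evt:value></evt:property>
<evt:property><evt:name>fileOwner</evt:name><evt:value>ismith</evt:value></evt:property>
<evt:property><evt:name>resourceSubType</evt:name><evt:value>PRIVATE FOLDER</evt:value></evt:property>
</evt:properties>
<evt:file><evt:filepath>cifs://ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:filepath></evt:file>
</evt:dataAtRest></evt:incident>
</ns1:params></ns1:request></ns1:pa-xml-rpc>"""


def _text(elem, path):
    """Stripped text of the first match of `path` under `elem`, or '' if absent/empty."""
    return (elem.findtext(path, default="", namespaces=NS) or "").strip()


def _address(header_value):
    """Reduce '"Name" <user@host>' to user@host; fall back to the raw value."""
    return email.utils.parseaddr(header_value)[1] or header_value


def parse_exchange_incident(xml_text):
    """Return the fields a remediation script would act on for one Exchange incident.

    Raises ValueError for anything that is not a dataAtRest incident with
    resourceType EXCHANGE, so a script does not silently mis-handle other kinds.
    """
    root = ET.fromstring(xml_text)
    data = root.find("ns1:request/ns1:params/evt:incident/evt:dataAtRest", NS)
    if data is None:
        raise ValueError("not a dataAtRest incident")
    if _text(data, "evt:incidentInfo/evt:resourceType") != "EXCHANGE":
        raise ValueError("resourceType is not EXCHANGE")

    # Exchange-specific metadata lives in name/value properties, not in <evt:file>.
    props = {_text(p, "evt:name"): _text(p, "evt:value")
             for p in data.findall("evt:properties/evt:property", NS)}

    matches = []
    for rule in data.findall("evt:rules/evt:rule", NS):
        for breach in rule.findall(".//evt:breachContent", NS):
            # pathPartInfo elements describe the container chain (message -> part);
            # sort on the order attribute rather than trusting document order.
            parts = sorted(breach.findall("evt:contentInfo/evt:pathPartInfo", NS),
                           key=lambda p: int(p.get("order", "0")))
            matches.append({
                "rule_id": rule.get("id"),
                "policy_id": rule.get("policyID"),
                "severity": int(_text(rule, "evt:severity") or 0),
                "location": " > ".join(_text(p, "evt:path") for p in parts),
                # unMasked holds the matched content in clear text: handle as sensitive.
                "values": [_text(v, "evt:unMasked") for v in
                           breach.findall("evt:detectedValues/evt:detectedValue", NS)],
            })

    return {
        "incident_id": _text(data, "evt:incidentInfo/evt:incidentId"),
        "mailbox_owner": props.get("fileOwner", ""),
        "folder_type": props.get("resourceSubType", ""),
        "sender": _address(props.get("exchange-from", "")),
        "recipient": _address(props.get("exchange-to", "")),
        "subject": props.get("exchange-subject", ""),
        "item_path": _text(data, "evt:file/evt:filepath"),
        "matches": matches,
    }


if __name__ == "__main__":
    print(json.dumps(parse_exchange_incident(SAMPLE_XML), indent=2))
```

Two points in the design matter for a script that will run unattended. The resourceType check makes the script fail loudly on a network discovery incident instead of returning empty fields, and the exchange-from/exchange-to values are reduced to bare addresses before use, because the property carries a display name and angle brackets that would otherwise end up verbatim in log lines or downstream lookups. The unMasked element reproduces the matched content itself, so anything the script writes out should be treated with the same care as the original message.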

Copyright 2018 Forcepoint. All rights reserved.