Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Creating Remediation Scripts for Forcepoint DLP > Sample network discovery incident XML
Sample network discovery incident XML
Creating Remediation Scripts | Forcepoint DLP | v8.4.x, v8.5.x, v8.6.x
Discovery incident details take the form of an XML file with no DTD.
For example, the following sample is taken from network (file system) discovery:
<?xml version="1.0" encoding="UTF-8"?>
<ns1:pa-xml-rpc xmlns:ns1="http://www.portauthoritytech.com/schmea/xml-rpc/1.0" xmlns:evt="http://www.portauthoritytech.com/schmea/incident/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:request>
<ns1:service-name>insertCrawlerService</ns1:service-name>
<ns1:params>
<evt:incident>
<evt:dataAtRest>
<evt:incidentInfo>
<evt:incidentId>5371106770671816417</evt:incidentId>
<evt:serviceId isSecured="false">1800221564</evt:serviceId>
<evt:analyzedBy>NLCTR.nolosscorp.com</evt:analyzedBy>
<evt:subject>\\10.4.228.150\DiscoveryTarget\TestFile.txt</evt:subject>
<evt:localDetectedTime>2017-07-18T14:54:11+10:00</evt:localDetectedTime>
<evt:installVersion>8.4</evt:installVersion>
<evt:resourceType>NETWORK</evt:resourceType>
 
* 
Note 
The <evt:resourceType> container has a value of either NETWORK or ENDPOINT, depending on whether the incident was triggered by network or endpoint discovery.
This can be used to create scripts that work for both types of discovery.
<evt:totalSize>125</evt:totalSize>
</evt:incidentInfo>
<evt:rules>
 
* 
Note 
The <evt:rules> container holds a list of the violated rules.
<evt:rule id="170998" type="1" policyID="170893">
<evt:severity>2</evt:severity>
<evt:actionSettings id="172003"/>
<evt:numOfMatches>1</evt:numOfMatches>
<evt:classifierMatches>
 
* 
Note 
The <evt:classifierMatches> container includes a list of the classifiers matched within a rule.
<evt:classifierMatch id="171094">
<evt:numberOfMatches>1</evt:numberOfMatches>
<evt:isTruncated>false</evt:isTruncated>
<evt:breachContent>
<evt:contentInfo>
<evt:pathPartInfo order="0">
<evt:path>\\10.4.228.150\DiscoveryTarget\TestFile.txt</evt:path>
<evt:partType>3</evt:partType>
<evt:fileType>2</evt:fileType>
</evt:pathPartInfo>
</evt:contentInfo>
<evt:detectedValues>
<evt:detectedValue>
<evt:unMasked>ForcepointTestKeyword</evt:unMasked>
</evt:detectedValue>
</evt:detectedValues>
<evt:numberOfMatches>1</evt:numberOfMatches>
</evt:breachContent>
</evt:classifierMatch>
</evt:classifierMatches>
</evt:rule>
</evt:rules>
<evt:actionTaken type="2097152">
</evt:actionTaken>
<evt:properties>
 
* 
Note 
The <evt:properties> container includes a list of properties such as file owner, file ACL, and discovery task name.
<evt:property>
<evt:name>acl</evt:name>
<evt:value>NLC\Administrator:wr,BUILTIN\Administrators:wr,NLC\websense:r,NT AUTHORITY\SYSTEM:wr</evt:value>
</evt:property>
<evt:property>
<evt:name>checksum</evt:name>
<evt:value>7a0627c2efa25daedb56f19b79c22ab7</evt:value>
</evt:property>
<evt:property>
<evt:name>fileOwner</evt:name>
<evt:value>BUILTIN\Administrators</evt:value>
</evt:property>
<evt:property>
<evt:name>folderOwner</evt:name>
<evt:value>BUILTIN\Administrators</evt:value>
</evt:property>
<evt:property>
<evt:name>jobID</evt:name>
<evt:value>172104</evt:value>
</evt:property>
<evt:property>
<evt:name>jobName</evt:name>
<evt:value>RemediationTest</evt:value>
</evt:property>
<evt:property>
<evt:name>resourceSubType</evt:name>
<evt:value>NETWORK</evt:value>
</evt:property>
</evt:properties>
<evt:file>
<evt:filepath>cifs://10.4.228.150/DiscoveryTarget/TestFile.txt</evt:filepath>
 
* 
Note 
The <evt:filepath> container includes the path to the file in URI format. (To convert the path to UNC format, replace the slashes with backslashes.)
<evt:filesize>39</evt:filesize>
<evt:filetype>2</evt:filetype>
<evt:encodeType>N/A</evt:encodeType>
<evt:ip>10.4.228.150</evt:ip>
<evt:dateAccessed>2017-07-18T14:51:54</evt:dateAccessed>
<evt:dateCreated>2017-07-18T14:51:54</evt:dateCreated>
<evt:dateModified>2017-07-18T14:52:16</evt:dateModified>
 
* 
Note 
The value of the <evt:dateModified> container is the date and time that the file was last modified in YYYY-MM-DDTHH:MM:SS format.
<evt:owner>
<evt:incidentUser>
 
* 
Note 
Network discovery incidents include an <evt:incidentUser> container with a value attribute of DOMAIN\Username (type 5).
On the endpoint, the value attribute is the user's SID (type 8).
<evt:detail type="5" value="BUILTIN\Administrators" isLookedUp="false"/>
</evt:incidentUser>
</evt:owner>
<evt:folderOwner>
<evt:incidentUser>
<evt:detail type="5" value="BUILTIN\Administrators" isLookedUp="false"/>
</evt:incidentUser>
</evt:folderOwner>
</evt:file>
<evt:jobId>172104</evt:jobId>
<evt:jobName></evt:jobName>
<evt:scanStartTime>2017-07-18T14:54:06</evt:scanStartTime>
<evt:discoveryEndpointInfo>
<evt:endpointType>Unknown</evt:endpointType>
</evt:discoveryEndpointInfo>
</evt:dataAtRest>
</evt:incident>
</ns1:params>
</ns1:request>
</ns1:pa-xml-rpc>
To compare this example with the XML file created for an Exchange incident, continue with Sample Exchange discovery incident XML.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Creating Remediation Scripts for Forcepoint DLP > Sample network discovery incident XML
Copyright 2018 Forcepoint. All rights reserved.