Sample Exchange discovery incident XML (continued)


<evt:file>
<evt:filepath>cifs://ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:filepath>
<evt:filesize>19672</evt:filesize>
<evt:filetype>233</evt:filetype>
<evt:encodeType>N/A</evt:encodeType>
<evt:hostname>ismith@nolosscorp.com</evt:hostname>
<evt:dateAccessed>2010-10-21T03:10:51.505</evt:dateAccessed>
<evt:dateCreated>2010-10-21T03:10:51.505</evt:dateCreated>
<evt:dateModified>2010-10-21T03:10:51.505</evt:dateModified>
<evt:owner>
<evt:incidentUser>
<evt:detail type="5" value="ismith" isLookedUp="false"/>
</evt:incidentUser>
</evt:owner>
<evt:folderOwner>
<evt:incidentUser>
<evt:detail type="5" value="N/A" isLookedUp="false"/>
</evt:incidentUser>
</evt:folderOwner>
</evt:file>
<evt:jobId>172106</evt:jobId>
<evt:jobName></evt:jobName>
<evt:scanStartTime>2017-07-26T14:16:49</evt:scanStartTime>
<evt:discoveryEndpointInfo>
<evt:endpointType>Unknown</evt:endpointType>
</evt:discoveryEndpointInfo>
</evt:dataAtRest>
</evt:incident>
</ns1:params>
</ns1:request>
</ns1:pa-xml-rpc>
Note the main differences between the network discovery incident and this Exchange incident:
  • The <evt:parameters> containers hold more Exchange-specific information, such as email fields.
  • The pathname in the <evt:file> section is invalid as a path name, but is valid as a URL suffix in OWA.
  • The <evt:resourceType> value is EXCHANGE.

Custom scripts need their own parsing code to extract information from Exchange incidents; the sample script cannot extract any meaningful information from them.
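As an added example of the kind of parsing code a custom script needs (this is not the product's sample script), the Python below reads a constructed incident fragment modelled on the XML above, checks that the resource type is EXCHANGE, and splits the cifs:// pseudo-path into mailbox, folder and item. The namespace URI and the placement of <evt:resourceType> directly under <evt:incident> are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample modelled on the page's fragment. The namespace URI and the
# position of <evt:resourceType> inside <evt:incident> are assumptions.
NS = {"evt": "urn:example:evt"}
SAMPLE = """<evt:incident xmlns:evt="urn:example:evt">
  <evt:resourceType>EXCHANGE</evt:resourceType>
  <evt:dataAtRest>
    <evt:file>
      <evt:filepath>cifs://ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:filepath>
      <evt:filesize>19672</evt:filesize>
      <evt:dateModified>2010-10-21T03:10:51.505</evt:dateModified>
      <evt:owner><evt:incidentUser>
        <evt:detail type="5" value="ismith" isLookedUp="false"/>
      </evt:incidentUser></evt:owner>
    </evt:file>
    <evt:jobId>172106</evt:jobId>
  </evt:dataAtRest>
</evt:incident>"""

def split_exchange_path(filepath):
    """Split the cifs:// pseudo-path (not a real file path) into (mailbox, folder, item)."""
    segments = filepath.partition("//")[2].split("/")
    if len(segments) < 2:
        raise ValueError("unexpected Exchange filepath: %r" % filepath)
    return segments[0], "/".join(segments[1:-1]), segments[-1]

def parse_exchange_incident(xml_text):
    """Return the Exchange-specific fields of one discovery incident as a dict."""
    # Prefer defusedxml.ElementTree here if the XML arrives from an untrusted source.
    root = ET.fromstring(xml_text)
    resource_type = root.findtext("evt:resourceType", namespaces=NS)
    if resource_type != "EXCHANGE":
        raise ValueError("not an Exchange incident: %r" % resource_type)
    dar = root.find("evt:dataAtRest", NS)
    mailbox, folder, item = split_exchange_path(
        dar.findtext("evt:file/evt:filepath", namespaces=NS))
    owner = dar.find("evt:file/evt:owner/evt:incidentUser/evt:detail", NS)
    return {
        "mailbox": mailbox, "folder": folder, "item": item,
        "owner": owner.get("value") if owner is not None else None,
        "size": int(dar.findtext("evt:file/evt:filesize", namespaces=NS)),
        "modified": datetime.fromisoformat(
            dar.findtext("evt:file/evt:dateModified", namespaces=NS)),
        "job_id": int(dar.findtext("evt:jobId", namespaces=NS)),
    }
```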