Sample network discovery incident XML
Discovery incident details take the form of an XML file with no DTD. A script that consumes the file therefore cannot rely on DTD validation and should locate the elements it needs by their namespace-qualified names.
For example, the following sample is taken from network (file system) discovery. The explanatory notes are shown as XML comments at the point where they apply:
<?xml version="1.0" encoding="UTF-8"?>
<ns1:pa-xml-rpc xmlns:ns1="http://www.portauthoritytech.com/schmea/xml-rpc/1.0" xmlns:evt="http://www.portauthoritytech.com/schmea/incident/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ns1:request>
    <ns1:service-name>insertCrawlerService</ns1:service-name>
    <ns1:params>
      <evt:incident>
        <evt:dataAtRest>
          <evt:incidentInfo>
            <evt:incidentId>5371106770671816417</evt:incidentId>
            <evt:serviceId isSecured="false">1800221564</evt:serviceId>
            <evt:analyzedBy>NLCTR.nolosscorp.com</evt:analyzedBy>
            <evt:subject>\\10.4.228.150\DiscoveryTarget\TestFile.txt</evt:subject>
            <evt:localDetectedTime>2017-07-18T14:54:11+10:00</evt:localDetectedTime>
            <evt:installVersion>8.4</evt:installVersion>
            <evt:resourceType>NETWORK</evt:resourceType>
            <!-- Note: The <evt:resourceType> container has a value of either NETWORK or ENDPOINT, depending on whether the incident was triggered by network or endpoint discovery. This can be used to create scripts that work for both types of discovery. -->
            <evt:totalSize>125</evt:totalSize>
          </evt:incidentInfo>
          <evt:rules>
            <!-- Note: The <evt:rules> container holds a list of the violated rules. -->
            <evt:rule id="170998" type="1" policyID="170893">
              <evt:severity>2</evt:severity>
              <evt:actionSettings id="172003"/>
              <evt:numOfMatches>1</evt:numOfMatches>
              <evt:classifierMatches>
                <!-- Note: The <evt:classifierMatches> container includes a list of the classifiers matched within a rule. -->
                <evt:classifierMatch id="171094">
                  <evt:numberOfMatches>1</evt:numberOfMatches>
                  <evt:isTruncated>false</evt:isTruncated>
                  <evt:breachContent>
                    <evt:contentInfo>
                      <evt:pathPartInfo order="0">
                        <evt:path>\\10.4.228.150\DiscoveryTarget\TestFile.txt</evt:path>
                        <evt:partType>3</evt:partType>
                        <evt:fileType>2</evt:fileType>
                      </evt:pathPartInfo>
                    </evt:contentInfo>
                    <evt:detectedValues>
                      <evt:detectedValue>
                        <evt:unMasked>ForcepointTestKeyword</evt:unMasked>
                      </evt:detectedValue>
                    </evt:detectedValues>
                    <evt:numberOfMatches>1</evt:numberOfMatches>
                  </evt:breachContent>
                </evt:classifierMatch>
              </evt:classifierMatches>
            </evt:rule>
          </evt:rules>
          <evt:actionTaken type="2097152">
          </evt:actionTaken>
          <evt:properties>
            <!-- Note: The <evt:properties> container includes a list of properties such as file owner, file ACL, and discovery task name. -->
            <evt:property>
              <evt:name>acl</evt:name>
              <evt:value>NLC\Administrator:wr,BUILTIN\Administrators:wr,NLC\websense:r,NT AUTHORITY\SYSTEM:wr</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>checksum</evt:name>
              <evt:value>7a0627c2efa25daedb56f19b79c22ab7</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>fileOwner</evt:name>
              <evt:value>BUILTIN\Administrators</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>folderOwner</evt:name>
              <evt:value>BUILTIN\Administrators</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>jobID</evt:name>
              <evt:value>172104</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>jobName</evt:name>
              <evt:value>RemediationTest</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>resourceSubType</evt:name>
              <evt:value>NETWORK</evt:value>
            </evt:property>
          </evt:properties>
          <evt:file>
            <evt:filepath>cifs://10.4.228.150/DiscoveryTarget/TestFile.txt</evt:filepath>
            <!-- Note: The <evt:filepath> container includes the path to the file in URI format. (To convert the path to UNC format, replace the slashes with backslashes.) -->
            <evt:filesize>39</evt:filesize>
            <evt:filetype>2</evt:filetype>
            <evt:encodeType>N/A</evt:encodeType>
            <evt:ip>10.4.228.150</evt:ip>
            <evt:dateAccessed>2017-07-18T14:51:54</evt:dateAccessed>
            <evt:dateCreated>2017-07-18T14:51:54</evt:dateCreated>
            <evt:dateModified>2017-07-18T14:52:16</evt:dateModified>
            <!-- Note: The value of the <evt:dateModified> container is the date and time that the file was last modified in YYYY-MM-DDTHH:MM:SS format. -->
            <evt:owner>
              <evt:incidentUser>
                <!-- Note: Network discovery incidents include an <evt:incidentUser> container with a value attribute of DOMAIN\Username (type 5). On the endpoint, the value attribute is the user's SID (type 8). -->
                <evt:detail type="5" value="BUILTIN\Administrators" isLookedUp="false"/>
              </evt:incidentUser>
            </evt:owner>
            <evt:folderOwner>
              <evt:incidentUser>
                <evt:detail type="5" value="BUILTIN\Administrators" isLookedUp="false"/>
              </evt:incidentUser>
            </evt:folderOwner>
          </evt:file>
          <evt:jobId>172104</evt:jobId>
          <evt:jobName></evt:jobName>
          <evt:scanStartTime>2017-07-18T14:54:06</evt:scanStartTime>
          <evt:discoveryEndpointInfo>
            <evt:endpointType>Unknown</evt:endpointType>
          </evt:discoveryEndpointInfo>
        </evt:dataAtRest>
      </evt:incident>
    </ns1:params>
  </ns1:request>
</ns1:pa-xml-rpc>
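The following parser is an added example of how a remediation script can consume this format; it is not Forcepoint's own code. It uses only the Python standard library, takes the element names, namespace URIs and the type-5/type-8 user codes from the sample above, converts the <evt:filepath> URI to a UNC path as the note describes, and rejects any document that carries a DOCTYPE, since the format has none and a DOCTYPE is how entity-expansion and external-entity payloads get into an XML parser. SAMPLE_XML is a constructed, abbreviated copy of the page's sample; the returned dictionary keys are this example's own choice.

```python
"""Parse a discovery-incident XML file of the kind shown above into a dict.
Added example, not Forcepoint code; SAMPLE_XML is constructed from the page's sample."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace URIs exactly as they appear in the sample (including "schmea").
NS = {
    "ns1": "http://www.portauthoritytech.com/schmea/xml-rpc/1.0",
    "evt": "http://www.portauthoritytech.com/schmea/incident/1.0",
}
# <evt:detail type="..."> codes documented on the page.
USER_TYPE_DOMAIN_NAME = "5"  # DOMAIN\Username, network discovery
USER_TYPE_SID = "8"          # Windows SID, endpoint discovery

# Constructed input: the page's network sample with most elements dropped.
SAMPLE_XML = rb"""<?xml version="1.0" encoding="UTF-8"?>
<ns1:pa-xml-rpc xmlns:ns1="http://www.portauthoritytech.com/schmea/xml-rpc/1.0"
 xmlns:evt="http://www.portauthoritytech.com/schmea/incident/1.0">
<ns1:request><ns1:service-name>insertCrawlerService</ns1:service-name><ns1:params>
<evt:incident><evt:dataAtRest>
<evt:incidentInfo><evt:incidentId>5371106770671816417</evt:incidentId>
<evt:subject>\\10.4.228.150\DiscoveryTarget\TestFile.txt</evt:subject>
<evt:resourceType>NETWORK</evt:resourceType></evt:incidentInfo>
<evt:rules><evt:rule id="170998" type="1" policyID="170893"><evt:severity>2</evt:severity>
<evt:classifierMatches><evt:classifierMatch id="171094"><evt:isTruncated>false</evt:isTruncated>
<evt:breachContent><evt:detectedValues><evt:detectedValue>
<evt:unMasked>ForcepointTestKeyword</evt:unMasked>
</evt:detectedValue></evt:detectedValues></evt:breachContent>
</evt:classifierMatch></evt:classifierMatches></evt:rule></evt:rules>
<evt:properties>
<evt:property><evt:name>checksum</evt:name><evt:value>7a0627c2efa25daedb56f19b79c22ab7</evt:value></evt:property>
<evt:property><evt:name>jobName</evt:name><evt:value>RemediationTest</evt:value></evt:property>
</evt:properties>
<evt:file><evt:filepath>cifs://10.4.228.150/DiscoveryTarget/TestFile.txt</evt:filepath>
<evt:ip>10.4.228.150</evt:ip>
<evt:owner><evt:incidentUser><evt:detail type="5" value="BUILTIN\Administrators" isLookedUp="false"/>
</evt:incidentUser></evt:owner></evt:file>
</evt:dataAtRest></evt:incident></ns1:params></ns1:request></ns1:pa-xml-rpc>"""


def _text(el, path):
    """Stripped text of the first descendant matching path, or None if absent."""
    found = el.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def uri_to_unc(uri):
    """cifs://host/share/dir/file -> \\\\host\\share\\dir\\file (the slash-to-backslash
    conversion the page's note describes, after dropping the scheme)."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "cifs":
        raise ValueError("not a CIFS URI: %r" % uri)
    return "\\\\" + parts.netloc + parts.path.replace("/", "\\")


def resolve_user(user_type, value):
    """Classify an <evt:detail> value by its documented type code."""
    if user_type == USER_TYPE_DOMAIN_NAME:
        return ("name", value)
    if user_type == USER_TYPE_SID:
        return ("sid", value)
    return ("unknown", value)


def parse_incident(data):
    """Return the fields a remediation script acts on, as a plain dict."""
    # The format has no DTD, so a DOCTYPE is never legitimate; it is also the
    # vehicle for entity-expansion and XXE payloads, so refuse it before parsing.
    if b"<!DOCTYPE" in data:
        raise ValueError("unexpected DOCTYPE in incident XML")
    root = ET.fromstring(data)
    rest = root.find("ns1:request/ns1:params/evt:incident/evt:dataAtRest", NS)
    if rest is None:
        raise ValueError("no evt:dataAtRest element")

    rules = []
    for rule in rest.findall("evt:rules/evt:rule", NS):
        classifiers = []
        for cm in rule.findall("evt:classifierMatches/evt:classifierMatch", NS):
            # Detected values are raw file content: treat them as data only.
            values = [v.text or "" for v in cm.findall(
                "evt:breachContent/evt:detectedValues/evt:detectedValue/evt:unMasked", NS)]
            classifiers.append({"id": cm.get("id"), "values": values,
                                "truncated": _text(cm, "evt:isTruncated") == "true"})
        rules.append({"id": rule.get("id"), "policy_id": rule.get("policyID"),
                      "severity": int(_text(rule, "evt:severity") or 0),
                      "classifiers": classifiers})

    props = {_text(p, "evt:name"): _text(p, "evt:value")
             for p in rest.findall("evt:properties/evt:property", NS)}
    uri = _text(rest, "evt:file/evt:filepath")
    owner = rest.find("evt:file/evt:owner/evt:incidentUser/evt:detail", NS)
    return {
        "incident_id": _text(rest, "evt:incidentInfo/evt:incidentId"),
        "resource_type": _text(rest, "evt:incidentInfo/evt:resourceType"),  # NETWORK or ENDPOINT
        "subject": _text(rest, "evt:incidentInfo/evt:subject"),
        "rules": rules,
        "properties": props,
        "filepath_uri": uri,
        "filepath_unc": uri_to_unc(uri) if uri else None,
        "ip": _text(rest, "evt:file/evt:ip"),
        "owner": resolve_user(owner.get("type"), owner.get("value")) if owner is not None else None,
    }


if __name__ == "__main__":
    inc = parse_incident(SAMPLE_XML)
    print(inc["resource_type"], inc["filepath_unc"], inc["owner"])
    print([(r["policy_id"], [c["values"] for c in r["classifiers"]]) for r in inc["rules"]])
```

Because resource_type is read from <evt:resourceType> and owner is decoded by the documented type code, the same function serves network incidents (DOMAIN\Username) and endpoint incidents (SID). The unMasked values are the matched file content; a script should log or compare them, never pass them to a shell or build paths from them.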
To compare this example with the XML file created for an Exchange incident, continue with Sample Exchange discovery incident XML.