Sample DLP incident XML
The following XML example is for a DLP incident:
<?xml version="1.0" encoding="UTF-8"?>
<ns1:pa-xml-rpc xmlns:ns1="http://www.portauthoritytech.com/schmea/xml-rpc/1.0" xmlns:evt="http://www.portauthoritytech.com/schmea/incident/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:request>
<ns1:service-name>insertEventService</ns1:service-name>
<ns1:params>
<evt:incident>
<evt:dataInMotion>
<evt:incidentInfo>
<evt:incidentId>5352285115603247792</evt:incidentId>
<evt:serviceId isSecured="false">486169846</evt:serviceId>
<evt:analyzedBy>nlcv10k-c-esg.nolosscorp.com</evt:analyzedBy>
<evt:subject>test inbound 3</evt:subject>
Note: The value of the <evt:subject> container is channel dependent. For example, for email, it is the email subject. This same value appears in the subject field in incident reports.
<evt:localDetectedTime>2017-07-21T12:33:35+10:00</evt:localDetectedTime>
<evt:installVersion>8.4</evt:installVersion>
<evt:resourceType>NETWORK</evt:resourceType>
Note: The <evt:resourceType> container has a value of either NETWORK or ENDPOINT, depending on the type of DLP incident.
<evt:totalSize>1740</evt:totalSize>
</evt:incidentInfo>
<evt:rules>
Note: The <evt:rules> container holds a list of the rules violated by the incident.
<evt:rule id="171601" type="1" policyID="170899">
<evt:severity>2</evt:severity>
<evt:actionSettings id="172004"/>
<evt:numOfMatches>1</evt:numOfMatches>
<evt:classifierMatches>
Note: The <evt:classifierMatches> container includes a list of matched classifiers within a specific rule. The <evt:unMasked> value under <evt:detectedValues> carries the matched content in clear text, so the incident XML itself is sensitive data and should be stored and transmitted accordingly.
<evt:classifierMatch id="171094">
<evt:numberOfMatches>1</evt:numberOfMatches>
<evt:isTruncated>false</evt:isTruncated>
<evt:breachContent>
<evt:contentInfo>
<evt:pathPartInfo order="0">
<evt:path>/var/spool/postfix/tmp//887C7850695.eml</evt:path>
<evt:partType>1</evt:partType>
<evt:fileType>233</evt:fileType>
</evt:pathPartInfo>
<evt:pathPartInfo order="1">
<evt:path>Transaction Body.txt</evt:path>
<evt:partType>1</evt:partType>
<evt:fileType>2</evt:fileType>
</evt:pathPartInfo>
</evt:contentInfo>
<evt:detectedValues>
<evt:detectedValue>
<evt:unMasked>WebsenseTestKeyword</evt:unMasked>
</evt:detectedValue>
</evt:detectedValues>
<evt:numberOfMatches>1</evt:numberOfMatches>
</evt:breachContent>
</evt:classifierMatch>
</evt:classifierMatches>
</evt:rule>
</evt:rules>
<evt:actionTaken type="2097152">
</evt:actionTaken>
<evt:source>
Note: The <evt:source> container includes the source of the incident. The resource type depends on the source (-2 is email).
<evt:incidentUser>
<evt:detail type="2" value="test@arik.baratz.org" isLookedUp="false"/>
</evt:incidentUser>
</evt:source>
<evt:destinations>
Note: The <evt:destinations> container includes one or more incident destinations. In this sample file, the destinations are email addresses.
<evt:destination>
<evt:incidentUser>
<evt:detail type="2" value="administrator@nolosscorp.com" isLookedUp="false"/>
</evt:incidentUser>
<evt:destinationType>TO</evt:destinationType>
<evt:actionTaken type="2097152">
</evt:actionTaken>
<evt:direction>1</evt:direction>
</evt:destination>
<evt:destination>
<evt:incidentUser>
<evt:detail type="2" value="ragg@nolosscorp.com" isLookedUp="false"/>
</evt:incidentUser>
<evt:destinationType>TO</evt:destinationType>
<evt:actionTaken type="2097152">
</evt:actionTaken>
<evt:direction>1</evt:direction>
</evt:destination>
<evt:destination>
<evt:incidentUser>
<evt:detail type="2" value="ismith@nolosscorp.com" isLookedUp="false"/>
</evt:incidentUser>
<evt:destinationType>TO</evt:destinationType>
<evt:actionTaken type="2097152">
</evt:actionTaken>
<evt:direction>1</evt:direction>
</evt:destination>
</evt:destinations>
<evt:eventEndpointInfo>
<evt:endpointType>Unknown</evt:endpointType>
<evt:endpointSourceAppName>N/A</evt:endpointSourceAppName>
<evt:endpointDestAppName>N/A</evt:endpointDestAppName>
<evt:endpointDestDeviceName>N/A</evt:endpointDestDeviceName>
<evt:endpointDestDeviceType>N/A</evt:endpointDestDeviceType>
<evt:endpointOperationType>N/A</evt:endpointOperationType>
<evt:endpointPolicyVersion>0</evt:endpointPolicyVersion>
<evt:confirmationId>0</evt:confirmationId>
<evt:confirmationString></evt:confirmationString>
<evt:endpointSourceAppID>N/A</evt:endpointSourceAppID>
<evt:endpointDestAppID>N/A</evt:endpointDestAppID>
</evt:eventEndpointInfo>
<evt:hasForensics>true</evt:hasForensics>
</evt:dataInMotion>
</evt:incident>
</ns1:params>
</ns1:request>
</ns1:pa-xml-rpc>
Continue with Using the Discovery Incident Processing module.