Sample Exchange discovery incident XML

Here is a sample incident XML file resulting from Exchange discovery:
<?xml version="1.0" encoding="UTF-8"?>
<ns1:pa-xml-rpc xmlns:ns1="http://www.portauthoritytech.com/schmea/xml-rpc/1.0" xmlns:evt="http://www.portauthoritytech.com/schmea/incident/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:request>
<ns1:service-name>insertCrawlerService</ns1:service-name>
<ns1:params>
<evt:incident>
<evt:dataAtRest>
<evt:incidentInfo>
<evt:incidentId>4679778800686204169</evt:incidentId>
<evt:serviceId isSecured="false">1800221564</evt:serviceId>
<evt:analyzedBy>NLCTR.nolosscorp.com</evt:analyzedBy>
<evt:subject>ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:subject>
<evt:localDetectedTime>2017-07-26T14:17:57+10:00</evt:localDetectedTime>
<evt:installVersion>8.4</evt:installVersion>
<evt:resourceType>EXCHANGE</evt:resourceType>
<evt:totalSize>36827</evt:totalSize>
</evt:incidentInfo>
<evt:rules>
<evt:rule id="170998" type="1" policyID="170893">
<evt:severity>2</evt:severity>
<evt:actionSettings id="172003"/>
<evt:numOfMatches>1</evt:numOfMatches>
<evt:classifierMatches>
<evt:classifierMatch id="171094">
<evt:numberOfMatches>1</evt:numberOfMatches>
<evt:isTruncated>false</evt:isTruncated>
<evt:breachContent>
<evt:contentInfo>
<evt:pathPartInfo order="0">
<evt:path>ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:path>
<evt:partType>1</evt:partType>
<evt:fileType>233</evt:fileType>
</evt:pathPartInfo>
<evt:pathPartInfo order="1">
<evt:path>Transaction Body.txt</evt:path>
<evt:partType>1</evt:partType>
<evt:fileType>236</evt:fileType>
</evt:pathPartInfo>
</evt:contentInfo>
<evt:detectedValues>
<evt:detectedValue>
<evt:unMasked>WebsenseTestKeyword</evt:unMasked>
</evt:detectedValue>
</evt:detectedValues>
<evt:numberOfMatches>1</evt:numberOfMatches>
</evt:breachContent>
<evt:breachContent>
<evt:contentInfo>
<evt:pathPartInfo order="0">
<evt:path>ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:path>
<evt:partType>1</evt:partType>
<evt:fileType>233</evt:fileType>
</evt:pathPartInfo>
<evt:pathPartInfo order="1">
 <evt:path>Original_Message_Incident_12564</evt:path>
<evt:partType>2</evt:partType>
<evt:fileType>233</evt:fileType>
</evt:pathPartInfo>
<evt:pathPartInfo order="2">
<evt:path>Transaction Body.txt</evt:path>
<evt:partType>2</evt:partType>
<evt:fileType>2</evt:fileType>
</evt:pathPartInfo>
</evt:contentInfo>
<evt:detectedValues>
<evt:detectedValue>
<evt:unMasked>WebsenseTestKeyword</evt:unMasked>
</evt:detectedValue>
</evt:detectedValues>
<evt:numberOfMatches>1</evt:numberOfMatches>
</evt:breachContent>
</evt:classifierMatch>
</evt:classifierMatches>
</evt:rule>
</evt:rules>
<evt:actionTaken type="2097152">
</evt:actionTaken>
<evt:properties>
<evt:property>
<evt:name>checksum</evt:name>
<evt:value>60104d41558c2d6aba1ad287813155ea</evt:value>
</evt:property>
<evt:property>
<evt:name>exchange-from</evt:name>
<evt:value>&quot;DSS@nolosscorp.com&quot; &lt;DSS@nolosscorp.com></evt:value>
</evt:property>
<evt:property>
<evt:name>exchange-subject</evt:name>
<evt:value>DSS Incident [ID:12564]</evt:value>
</evt:property>
<evt:property>
<evt:name>exchange-to</evt:name>
<evt:value>&quot;ismith@nolosscorp.com&quot; &lt;ismith@nolosscorp.com></evt:value>
</evt:property>
<evt:property>
<evt:name>fileOwner</evt:name>
<evt:value>ismith</evt:value>
</evt:property>
<evt:property>
<evt:name>folderOwner</evt:name>
<evt:value>N/A</evt:value>
</evt:property>
<evt:property>
<evt:name>jobID</evt:name>
<evt:value>172106</evt:value>
</evt:property>
<evt:property>
<evt:name>jobName</evt:name>
<evt:value>Test discovery</evt:value>
</evt:property>
<evt:property>
<evt:name>resourceSubType</evt:name>
<evt:value>PRIVATE FOLDER</evt:value>
</evt:property>
</evt:properties>
<evt:file>
<evt:filepath>cifs://ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:filepath>
<evt:filesize>19672</evt:filesize>
<evt:filetype>233</evt:filetype>
<evt:encodeType>N/A</evt:encodeType>
<evt:hostname>ismith@nolosscorp.com</evt:hostname>
<evt:dateAccessed>2010-10-21T03:10:51.505</evt:dateAccessed>
<evt:dateCreated>2010-10-21T03:10:51.505</evt:dateCreated>
<evt:dateModified>2010-10-21T03:10:51.505</evt:dateModified>
<evt:owner>
<evt:incidentUser>
<evt:detail type="5" value="ismith" isLookedUp="false"/>
</evt:incidentUser>
</evt:owner>
<evt:folderOwner>
<evt:incidentUser>
<evt:detail type="5" value="N/A" isLookedUp="false"/>
</evt:incidentUser>
</evt:folderOwner>
</evt:file>
<evt:jobId>172106</evt:jobId>
<evt:jobName></evt:jobName>
<evt:scanStartTime>2017-07-26T14:16:49</evt:scanStartTime>
<evt:discoveryEndpointInfo>
<evt:endpointType>Unknown</evt:endpointType>
</evt:discoveryEndpointInfo>
</evt:dataAtRest>
</evt:incident>
</ns1:params>
</ns1:request>
</ns1:pa-xml-rpc>
Note the main differences between a network discovery incident and this Exchange incident:
  • The <evt:properties> container holds additional Exchange-specific information, such as the email header fields (exchange-from, exchange-to, exchange-subject).
  • The path in the <evt:file> section is not a valid file-system path, but it is valid as a URL suffix in Outlook Web App (OWA).
  • The <evt:resourceType> value is EXCHANGE.

Custom scripts must include their own parsing code to extract information from Exchange incidents; the sample script cannot extract any meaningful information from this format. Because the incident XML carries the matched content in clear text (<evt:unMasked>) together with mailbox addresses and folder paths, parse it with DTD and external entity resolution disabled and treat the extracted values as sensitive data.