Sample Exchange discovery incident XML
Here is a sample incident XML file resulting from Exchange discovery:
<?xml version="1.0" encoding="UTF-8"?>
<ns1:pa-xml-rpc xmlns:ns1="http://www.portauthoritytech.com/schmea/xml-rpc/1.0" xmlns:evt="http://www.portauthoritytech.com/schmea/incident/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ns1:request>
    <ns1:service-name>insertCrawlerService</ns1:service-name>
    <ns1:params>
      <evt:incident>
        <evt:dataAtRest>
          <evt:incidentInfo>
            <evt:incidentId>4679778800686204169</evt:incidentId>
            <evt:serviceId isSecured="false">1800221564</evt:serviceId>
            <evt:analyzedBy>NLCTR.nolosscorp.com</evt:analyzedBy>
            <evt:subject>ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:subject>
            <evt:localDetectedTime>2017-07-26T14:17:57+10:00</evt:localDetectedTime>
            <evt:installVersion>8.4</evt:installVersion>
            <evt:resourceType>EXCHANGE</evt:resourceType>
            <evt:totalSize>36827</evt:totalSize>
          </evt:incidentInfo>
          <evt:rules>
            <evt:rule id="170998" type="1" policyID="170893">
              <evt:severity>2</evt:severity>
              <evt:actionSettings id="172003"/>
              <evt:numOfMatches>1</evt:numOfMatches>
              <evt:classifierMatches>
                <evt:classifierMatch id="171094">
                  <evt:numberOfMatches>1</evt:numberOfMatches>
                  <evt:isTruncated>false</evt:isTruncated>
                  <evt:breachContent>
                    <evt:contentInfo>
                      <evt:pathPartInfo order="0">
                        <evt:path>ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:path>
                        <evt:partType>1</evt:partType>
                        <evt:fileType>233</evt:fileType>
                      </evt:pathPartInfo>
                      <evt:pathPartInfo order="1">
                        <evt:path>Transaction Body.txt</evt:path>
                        <evt:partType>1</evt:partType>
                        <evt:fileType>236</evt:fileType>
                      </evt:pathPartInfo>
                    </evt:contentInfo>
                    <evt:detectedValues>
                      <evt:detectedValue>
                        <evt:unMasked>WebsenseTestKeyword</evt:unMasked>
                      </evt:detectedValue>
                    </evt:detectedValues>
                    <evt:numberOfMatches>1</evt:numberOfMatches>
                  </evt:breachContent>
                  <evt:breachContent>
                    <evt:contentInfo>
                      <evt:pathPartInfo order="0">
                        <evt:path>ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:path>
                        <evt:partType>1</evt:partType>
                        <evt:fileType>233</evt:fileType>
                      </evt:pathPartInfo>
                      <evt:pathPartInfo order="1">
                        <evt:path>Original_Message_Incident_12564</evt:path>
                        <evt:partType>2</evt:partType>
                        <evt:fileType>233</evt:fileType>
                      </evt:pathPartInfo>
                      <evt:pathPartInfo order="2">
                        <evt:path>Transaction Body.txt</evt:path>
                        <evt:partType>2</evt:partType>
                        <evt:fileType>2</evt:fileType>
                      </evt:pathPartInfo>
                    </evt:contentInfo>
                    <evt:detectedValues>
                      <evt:detectedValue>
                        <evt:unMasked>WebsenseTestKeyword</evt:unMasked>
                      </evt:detectedValue>
                    </evt:detectedValues>
                    <evt:numberOfMatches>1</evt:numberOfMatches>
                  </evt:breachContent>
                </evt:classifierMatch>
              </evt:classifierMatches>
            </evt:rule>
          </evt:rules>
          <evt:actionTaken type="2097152"></evt:actionTaken>
          <evt:properties>
            <evt:property>
              <evt:name>checksum</evt:name>
              <evt:value>60104d41558c2d6aba1ad287813155ea</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>exchange-from</evt:name>
              <evt:value>"DSS@nolosscorp.com" &lt;DSS@nolosscorp.com&gt;</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>exchange-subject</evt:name>
              <evt:value>DSS Incident [ID:12564]</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>exchange-to</evt:name>
              <evt:value>"ismith@nolosscorp.com" &lt;ismith@nolosscorp.com&gt;</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>fileOwner</evt:name>
              <evt:value>ismith</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>folderOwner</evt:name>
              <evt:value>N/A</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>jobID</evt:name>
              <evt:value>172106</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>jobName</evt:name>
              <evt:value>Test discovery</evt:value>
            </evt:property>
            <evt:property>
              <evt:name>resourceSubType</evt:name>
              <evt:value>PRIVATE FOLDER</evt:value>
            </evt:property>
          </evt:properties>
          <evt:file>
            <evt:filepath>cifs://ismith/Deleted Items/DSS Incident [ID:12564].EML</evt:filepath>
            <evt:filesize>19672</evt:filesize>
            <evt:filetype>233</evt:filetype>
            <evt:encodeType>N/A</evt:encodeType>
            <evt:hostname>ismith@nolosscorp.com</evt:hostname>
            <evt:dateAccessed>2010-10-21T03:10:51.505</evt:dateAccessed>
            <evt:dateCreated>2010-10-21T03:10:51.505</evt:dateCreated>
            <evt:dateModified>2010-10-21T03:10:51.505</evt:dateModified>
            <evt:owner>
              <evt:incidentUser>
                <evt:detail type="5" value="ismith" isLookedUp="false"/>
              </evt:incidentUser>
            </evt:owner>
            <evt:folderOwner>
              <evt:incidentUser>
                <evt:detail type="5" value="N/A" isLookedUp="false"/>
              </evt:incidentUser>
            </evt:folderOwner>
          </evt:file>
          <evt:jobId>172106</evt:jobId>
          <evt:jobName></evt:jobName>
          <evt:scanStartTime>2017-07-26T14:16:49</evt:scanStartTime>
          <evt:discoveryEndpointInfo>
            <evt:endpointType>Unknown</evt:endpointType>
          </evt:discoveryEndpointInfo>
        </evt:dataAtRest>
      </evt:incident>
    </ns1:params>
  </ns1:request>
</ns1:pa-xml-rpc>
Please note the main differences between the network discovery incident and this Exchange incident:
- The <evt:properties> container holds more Exchange-specific information, such as the email fields (exchange-from, exchange-to, exchange-subject).
- The pathname in the <evt:file> section is invalid as a path name, but is valid as a URL suffix in OWA.
- The <evt:resourceType> value is EXCHANGE.
Include parsing code in custom scripts to extract information from Exchange incidents; the sample script cannot extract any meaningful information from them.