DGM policy not triggering incidents

book

Article ID: 160479

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

When setting up a DGM policy with a 'Where' clause, no incidents are created against the policy.

Resolution

This can happen if the 'Where' clause name matches a word on Symantec DLP's stopword list.

For Example:

If the word in your 'Where' clause happens to be "It" as in  'Where Department contains any of "It"' then an incident for this policy will never be generated due to the same word "it" being in our stopword list.

This list can be found in \Vontu\Protect\config\stopwords on the Detection Server. 

SOLUTION

  • change the name you are using in the 'Where' clause to be something other than a word found in our stopword list
  • remove the stopword that matches your 'Where clause

If you remove the stopword then you have to also do the following;

  1. Save the file
  2. restart the Detection Server service

Additionally, DGM's behave just like EDM in that spaces are not permitted as the field will be parsed and the two words will be seen as separate words, not part of the same phrase.  For example, if the "Where" clause happens to contain a name with a space in it such as "Sales Department", then the DGM will only be looking for "Sales" only and will not generate an Incident.  The solution for this is to change the data for the DGM to include an underscore, change the where clause and reindex the DGM.

See Also:  KB 46663: Does DLP have a list of "common" words that it ignores?