Duplicate incidents on Endpoint with Active Directory (AD) Sender based policy
Article ID: 160566
Products: Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Discover

Issue/Introduction

Endpoint monitoring generates duplicate incidents for the same message. If the Active Directory (AD) Sender User Group exception is removed from the policy, only one incident is generated.

Resolution

Two policies are involved: one uses two-tier detection (TTD), for example an EDM condition, and the other matches on an AD Sender User Group.

AD group matching for the sender (not the recipient) is performed on the agent. AD recipient group matching is performed on the server.

Before forwarding, the agent does not check which policies actually require server-side evaluation: because the EDM policy needs TTD, the whole message is sent to the server.

The server sees that a policy contains an AD condition and evaluates that policy again. One incident is created on the agent and a second on the server.

The AD Sender rule and the two-tier rule do not need to be in the same policy for this to happen; it is enough that both policies are active.

Note: Block and Notify response rules are not available on the server, so the server-side incident will not show the message as blocked. The message is blocked, and the block is recorded on the agent-side incident.

This behavior is fixed in DLP 16.1. From that version, a policy that contains no TTD conditions but does contain an AD Sender User Group is no longer evaluated by the Endpoint server, so such a policy no longer generates duplicate incidents.

Additional Information

An example scenario that results in a duplicate incident is given below. EDM is used as the example, but it may be any other condition that induces TTD (two-tier detection). The full list of such conditions can be found by following the link below:

Two-Tier Detection for DLP Agents (broadcom.com)

1. If policy A contains an EDM condition, then policy A cannot block and will trigger TTD.

2. If policy B contains only non-TTD conditions, such as keywords or data identifiers, then policy B can block and does not produce a duplicate.

3. If policy C contains non-TTD conditions such as keywords, but also uses a Sender User Group in its rules or exceptions, then policy C can block and does not itself trigger TTD, but it creates a duplicate incident because of the TTD request triggered by policy A.

Since DLP 16.1, policy C no longer generates a duplicate incident even when active policy A triggers a TTD detection request.
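The following Python model is an added illustration of the evaluation flow described in this article; it is not Symantec/Broadcom DLP code. It assumes a constructed set of TTD-inducing condition types (EDM, IDM, VML stand in for the full list in the linked article), that a Sender User Group used as a rule requires group membership while one used as an exception excludes members, and that the server-side re-evaluation of sender-group policies stops at version 16.1 exactly. The policy names A, B, C and the sample message are constructed to match scenarios 1 to 3 above.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Condition types that force two-tier detection (TTD): the agent cannot evaluate
# them locally and forwards the message to the Endpoint server. Constructed
# stand-in for the full list in "Two-Tier Detection for DLP Agents".
TTD_CONDITIONS: Set[str] = {"EDM", "IDM", "VML"}


@dataclass
class Policy:
    name: str
    conditions: Set[str]                 # detection condition types, e.g. {"Keyword"} or {"EDM"}
    sender_group: Optional[str] = None   # None, "rule" or "exception" (AD Sender User Group usage)
    block: bool = False                  # a Block/Notify response rule is attached

    def triggers_ttd(self) -> bool:
        return bool(self.conditions & TTD_CONDITIONS)


@dataclass
class Message:
    hits: Set[str]          # condition types the content would match (constructed sample data)
    sender_in_group: bool   # whether the sending user is a member of the AD Sender User Group


@dataclass
class Incident:
    policy: str
    where: str     # "agent" or "server"
    blocked: bool  # only agent-side incidents can record a block


def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def policy_matches(p: Policy, m: Message) -> bool:
    """All content conditions must hit; the sender group acts as a rule (member
    required) or as an exception (members are excluded). Assumed semantics."""
    if not p.conditions <= m.hits:
        return False
    if p.sender_group == "rule":
        return m.sender_in_group
    if p.sender_group == "exception":
        return not m.sender_in_group
    return True


def evaluate(policies: List[Policy], m: Message, version: str = "16.0") -> List[Incident]:
    """Return the incidents the agent and server would create for one message."""
    incidents: List[Incident] = []
    # The agent forwards the message to the server if ANY active policy needs TTD,
    # without checking which other policies actually require server-side evaluation.
    ttd_requested = any(p.triggers_ttd() for p in policies)
    fixed = _version(version) >= (16, 1)

    for p in policies:
        if p.triggers_ttd():
            # TTD policies are evaluated only on the server; Block/Notify is unavailable there.
            if policy_matches(p, m):
                incidents.append(Incident(p.name, "server", blocked=False))
            continue

        # Non-TTD policies, including AD sender-group matching, are evaluated on the agent.
        if policy_matches(p, m):
            incidents.append(Incident(p.name, "agent", blocked=p.block))
            # Pre-16.1: once the message is on the server, the server re-evaluates every
            # policy carrying an AD sender condition, creating a second, non-blocking incident.
            if ttd_requested and p.sender_group is not None and not fixed:
                incidents.append(Incident(p.name, "server", blocked=False))

    return incidents


def duplicates(incidents: List[Incident]) -> Set[str]:
    """Names of policies that produced more than one incident for the message."""
    counts = {}
    for i in incidents:
        counts[i.policy] = counts.get(i.policy, 0) + 1
    return {name for name, n in counts.items() if n > 1}


# Constructed policies matching scenarios 1 to 3 in the article.
POLICY_A = Policy("A", {"EDM"})                                              # TTD, cannot block
POLICY_B = Policy("B", {"Keyword"}, block=True)                              # agent only
POLICY_C = Policy("C", {"Keyword"}, sender_group="exception", block=True)    # agent + AD sender group
MESSAGE = Message(hits={"Keyword", "EDM"}, sender_in_group=False)            # constructed sample


def scenario(version: str, policies=(POLICY_A, POLICY_B, POLICY_C)):
    inc = evaluate(list(policies), MESSAGE, version)
    return inc, duplicates(inc)


if __name__ == "__main__":
    for v in ("16.0", "16.1"):
        inc, dup = scenario(v)
        print(v, [(i.policy, i.where, i.blocked) for i in inc], "duplicates:", dup)
```

Running the model with version 16.0 shows policy C producing one blocked agent incident and one non-blocking server incident, while policies A and B each produce one; with version 16.1, or with policy A removed so no TTD request is made, C produces a single incident, which is the behavior the article describes.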