Duplicate incidents on Endpoint with Active Directory (AD) Sender based policy

Article ID: 160566

Updated On:

Products

Data Loss Prevention Endpoint Prevent
Data Loss Prevention Endpoint Discover

Issue/Introduction

The customer receives duplicate incidents for a single event detected by Endpoint monitoring. If the Sender User Group (Active Directory) exception is removed from the policy set, only one incident is generated for the same event.

Resolution

The customer has two policies. One contains a rule condition that triggers two-tier detection, such as Exact Data Matching (EDM) (see Article ID: 160344 - What Rule Conditions Will Cause Two Tier Detection); the other matches the sender against an Active Directory (AD) user group.

Matching the sender (not the recipient) against an AD group is performed on the agent. Matching the recipient against an AD group is performed on the Endpoint Server.

Because the other policy requires two-tier detection, the agent sends the message to the Endpoint Server so the EDM policy can be evaluated there. When the message is sent, no check is made for policies the agent has already evaluated.

The server sees that an AD sender policy exists and evaluates it again. The result is one incident generated on the agent and a second incident, for the same message, generated on the server.

The AD Sender condition and the two-tier condition do not need to be in the same policy for this to occur: any message sent to the server for two-tier detection is also re-evaluated against the AD sender policy.

Note: Block and Notify response rules are not available for detection performed on the Endpoint Server. The server-side incident therefore will not show the message as blocked. The message is in fact blocked, and the block is recorded on the agent-side incident.
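The following Python model is an added illustration of the behaviour described above; it is not product code from the article or from Symantec DLP. It encodes the evaluation split the article explains: sender-group conditions are evaluated on the agent, two-tier conditions such as EDM on the Endpoint Server, and the server re-evaluates every policy against a forwarded message without checking what the agent already decided. Policy and condition names, the `matches` outcomes, the assumption that a policy needing the server is left entirely to the server, and the assumption that the EDM condition matches the sample message (so that removing the sender policy leaves the single incident the Issue section describes) are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Where a condition is evaluated, per the article: AD sender-group matching
# runs on the agent; AD recipient matching and two-tier conditions such as
# EDM run on the Endpoint Server.
AGENT = "agent"
SERVER = "server"


@dataclass(frozen=True)
class Condition:
    name: str
    evaluated_on: str  # AGENT or SERVER
    matches: bool      # constructed outcome for the sample message


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: Tuple[Condition, ...]  # all conditions must match
    block: bool = False                # policy has a Block response rule


@dataclass(frozen=True)
class Incident:
    policy: str
    detected_on: str
    blocked: bool


def agent_evaluate(policies: Tuple[Policy, ...]) -> Tuple[List[Incident], bool]:
    """Agent pass. Policies the agent can fully evaluate locally produce
    agent incidents (with the Block response applied). Any policy with a
    server-side condition forces two-tier detection: the whole message is
    forwarded to the Endpoint Server. Modelling assumption: a policy that
    needs the server is left entirely to the server."""
    incidents: List[Incident] = []
    forward = False
    for policy in policies:
        if any(c.evaluated_on == SERVER for c in policy.conditions):
            forward = True
            continue
        if all(c.matches for c in policy.conditions):
            incidents.append(Incident(policy.name, AGENT, blocked=policy.block))
    return incidents, forward


def server_evaluate(policies: Tuple[Policy, ...]) -> List[Incident]:
    """Server pass. The server re-evaluates every policy against the
    forwarded message and does not check what the agent already decided,
    which is what duplicates the AD sender incident. Block/Notify response
    rules are not available here, so server incidents are never blocked."""
    return [Incident(policy.name, SERVER, blocked=False)
            for policy in policies
            if all(c.matches for c in policy.conditions)]


def detect(policies: Tuple[Policy, ...]) -> List[Incident]:
    """Full flow for one message: agent first, then server if forwarded."""
    agent_incidents, forwarded = agent_evaluate(policies)
    server_incidents = server_evaluate(policies) if forwarded else []
    return agent_incidents + server_incidents


def duplicated_policies(incidents: List[Incident]) -> Set[str]:
    """Names of policies that produced more than one incident for one message."""
    counts = {}
    for incident in incidents:
        counts[incident.policy] = counts.get(incident.policy, 0) + 1
    return {name for name, n in counts.items() if n > 1}


# Constructed sample: both conditions match the message being evaluated.
AD_SENDER = Condition("Sender/User matches AD group", AGENT, matches=True)
EDM_MATCH = Condition("Content matches EDM profile", SERVER, matches=True)

SENDER_POLICY = Policy("AD Sender group", (AD_SENDER,), block=True)
EDM_POLICY = Policy("EDM two-tier", (EDM_MATCH,))
CUSTOMER_POLICIES = (SENDER_POLICY, EDM_POLICY)

if __name__ == "__main__":
    for incident in detect(CUSTOMER_POLICIES):
        print(incident)
    print("duplicated:", duplicated_policies(detect(CUSTOMER_POLICIES)))
    print("without sender policy:", len(detect((EDM_POLICY,))), "incident(s)")
```

Running the model with both policies yields an agent incident for the AD sender policy (blocked) plus a server incident for the same policy (not blocked), which is the duplicate the article describes; with only the EDM policy present, the message is still forwarded but a single incident results.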