Duplicate incidents are created when an AD user group, Endpoint keyword/protocol rule, and an IDM/EDM rule exist in a single policy
Article ID: 160666
Updated On:
Products
Data Loss Prevention Enforce
Issue/Introduction
Symptoms:
In Enforce, incidents appear in pairs, always identical, the order may be different. Each incident highlights the same Matches, has the same Incident Details, Attributes (if Lookup used) and Policy Matches.
This issue was detected on v11.1 in December, 2011, according to Etrack 2636025. A fix will be included in a future version.
Explanation:
The Endpoint Agent performs keyword or protocol monitoring and generates incidents, which are transmitted back to the Endpoint Server. The Agent is unable to process EDM/IDM rules, so it cracks the information for later detection on the Endpoint Server. As a result, the EP server, running the EDM/IDM rule, detects the same violations and creates a second incident for the same violation.
Resolution
The client needs to review their policies. Best to split up policies with EDM/IDM to not also include Active Directory lookup.
Feedback
Yes
No
Powered by
