search cancel

Duplicate incidents are created when an AD user group, Endpoint keyword/protocol rule, and an IDM/EDM rule exist in a single policy


Article ID: 160666


Updated On:


Data Loss Prevention Enforce



In Enforce, incidents appear in pairs, always identical, the order may be different. Each incident highlights the same Matches, has the same Incident Details, Attributes (if Lookup used) and Policy Matches.

This issue was detected on v11.1 in December, 2011, according to Etrack 2636025. A fix will be included in a future version.


The Endpoint Agent performs keyword or protocol monitoring and generates incidents, which are transmitted back to the Endpoint Server. The Agent is unable to process EDM/IDM rules, so it cracks the information for later detection on the Endpoint Server. As a result, the EP server, running the EDM/IDM rule, detects the same violations and creates a second incident for the same violation.


The client needs to review their policies. Best to split up policies with EDM/IDM to not also include Active Directory lookup.