Duplicate incidents are created when an AD user group, Endpoint keyword/protocol rule, and an IDM/EDM rule exist in a single policy

Article ID: 160666

Products

Data Loss Prevention Enforce

Issue/Introduction

Symptoms:

In Enforce, incidents appear in pairs that are always identical, although the order of the two may differ. Each incident highlights the same Matches and has the same Incident Details, Attributes (if a Lookup is used) and Policy Matches.

This issue was detected on v11.1 in December 2011 and is tracked as Etrack 2636025. A fix will be included in a future version.

Explanation:

The Endpoint Agent performs keyword or protocol monitoring and generates incidents, which are transmitted back to the Endpoint Server. The Agent cannot evaluate EDM/IDM rules itself, so it cracks (extracts) the content and forwards it to the Endpoint Server for later detection. The Endpoint Server, running the EDM/IDM rule against that same content, detects the same violation and creates a second incident for it.
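The symptom above (identical incident pairs, one raised by the Agent's keyword/protocol rule and one by the Endpoint Server's EDM/IDM rule) can be confirmed from an incident export before policies are restructured. The script below is an added example and is not part of this article or of the Data Loss Prevention product; it assumes an export where each incident row carries an id, the policy name, the rule that fired, the user, the highlighted match strings and a timestamp (all column names are assumptions), and the sample rows are constructed. It pairs incidents that share policy, user and matches but were raised by different rules within a short window, and lists policies whose incidents come from both rule types, which is the combination the Resolution says to split.

```python
"""Flag candidate duplicate incident pairs in a DLP incident export.

Added example, not product code. The row layout and column names are
assumptions about an export; the rows below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample rows standing in for an incident export.
SAMPLE_INCIDENTS = [
    # Pair 1: keyword rule on the Agent and EDM rule on the Endpoint Server, same content.
    {"id": 1001, "policy": "PCI-Endpoint", "rule": "Keyword: card number",
     "user": "jdoe", "matches": ["4111111111111111"], "time": "2011-12-01T10:00:05"},
    {"id": 1002, "policy": "PCI-Endpoint", "rule": "EDM: customer table",
     "user": "jdoe", "matches": ["4111111111111111"], "time": "2011-12-01T10:00:07"},
    # Pair 2: same policy, a different user; order of the two rules reversed.
    {"id": 1003, "policy": "PCI-Endpoint", "rule": "EDM: customer table",
     "user": "asmith", "matches": ["5555555555554444"], "time": "2011-12-01T11:30:00"},
    {"id": 1004, "policy": "PCI-Endpoint", "rule": "Keyword: card number",
     "user": "asmith", "matches": ["5555555555554444"], "time": "2011-12-01T11:30:01"},
    # Keyword-only policy with no EDM/IDM rule: no duplicate expected.
    {"id": 1005, "policy": "HR-Keywords", "rule": "Keyword: salary",
     "user": "jdoe", "matches": ["salary"], "time": "2011-12-01T12:00:00"},
    # Two genuine separate events, same rule, hours apart: not a duplicate pair.
    {"id": 1006, "policy": "PCI-Endpoint", "rule": "Keyword: card number",
     "user": "bkhan", "matches": ["4012888888881881"], "time": "2011-12-01T09:00:00"},
    {"id": 1007, "policy": "PCI-Endpoint", "rule": "Keyword: card number",
     "user": "bkhan", "matches": ["4012888888881881"], "time": "2011-12-01T15:00:00"},
]


def find_duplicate_pairs(incidents, window_seconds=60):
    """Return sorted (id, id) tuples for incidents that look like the article's
    symptom: same policy, same user, identical highlighted matches, raised by
    two different rules within `window_seconds` of each other."""
    groups = defaultdict(list)
    for inc in incidents:
        key = (inc["policy"], inc["user"], frozenset(inc["matches"]))
        groups[key].append(inc)

    pairs = []
    for members in groups.values():
        members.sort(key=lambda i: i["time"])  # ISO-8601 strings sort chronologically
        for earlier, later in zip(members, members[1:]):
            t_earlier = datetime.fromisoformat(earlier["time"])
            t_later = datetime.fromisoformat(later["time"])
            close_in_time = (t_later - t_earlier).total_seconds() <= window_seconds
            if earlier["rule"] != later["rule"] and close_in_time:
                pairs.append((earlier["id"], later["id"]))
    return sorted(pairs)


def policies_mixing_rule_types(incidents):
    """Policies whose incidents come from both an Endpoint keyword/protocol rule
    and an EDM/IDM rule, i.e. the combination the article recommends splitting.
    The rule name prefix ("EDM:"/"IDM:") is an assumed naming convention."""
    kinds_by_policy = defaultdict(set)
    for inc in incidents:
        prefix = inc["rule"].split(":", 1)[0].strip()
        kind = "EDM/IDM" if prefix in ("EDM", "IDM") else "Keyword/Protocol"
        kinds_by_policy[inc["policy"]].add(kind)
    return sorted(p for p, kinds in kinds_by_policy.items() if len(kinds) == 2)


if __name__ == "__main__":
    print("duplicate pairs:", find_duplicate_pairs(SAMPLE_INCIDENTS))
    print("policies to split:", policies_mixing_rule_types(SAMPLE_INCIDENTS))
```

Pairs found this way are the ones to compare side by side in Enforce; two incidents from the same rule hours apart (ids 1006 and 1007 in the sample) are kept as separate events rather than treated as duplicates.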

Resolution

The customer needs to review their policies. The best approach is to split up policies so that a policy containing EDM/IDM rules does not also include an Active Directory lookup (user group) condition.