Email incidents take 5 minutes longer to process with Incident Reconciliation

Article ID: 164384


Products

Data Loss Prevention Cloud Prevent for Microsoft Office 365
Data Loss Prevention Cloud Service for Email
Data Loss Prevention Network Prevent for Email

Issue/Introduction

After turning on Incident Reconciliation, incidents seem to take ~5 minutes to process before they appear in the Enforce Server.

Cause

Incident Reconciliation manages the duplicate copies of an email, and thus the duplicate incidents, that result from MTA handling of messages with multiple recipients. If the email contains CCs and BCCs, Incident Reconciliation "reconciles" these multiple incidents into one, avoiding the erroneous duplication of incidents.

Resolution

Incident Reconciliation tells Incident Persister to wait for 4 minutes before persisting, and consolidates the multiple incidents created from one message into one incident.

Additional Information

The following settings in IncidentPersister.properties, located in /SymantecDLP/Protect/config/, are related to Incident Reconciliation.

persister.enable.incident.reconciliation=true
persister.incident.reconciliation.cache.cleanup.interval=10000
persister.incident.reconciliation.cached.incident.timeout=240000
persister.incident.reconciliation.exactduplicate.cache.cleanup.interval=10000
persister.incident.reconciliation.exactduplicate.timeout=600000

Note: Incident Reconciliation is disabled by default ("=false" in first line above).

It is not recommended to reduce the 4-minute timeout, as this shortens the time available to reconcile multiple incidents into one and can result in more than one incident for the same email.

If you change any of the properties above, restart the SymantecDLPIncidentPersister service on the Enforce Server.
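
The following check is an added example, not vendor code: it reads the contents of IncidentPersister.properties and reports whether reconciliation is enabled and whether the cached-incident timeout has been reduced below the value listed above. It assumes the timeout values are in milliseconds (240000 ms matching the 4 minutes described); the function names and the sample file contents are constructed for illustration.

```python
# Added example (not vendor code): audit the reconciliation settings.
# Assumption: timeouts are in milliseconds (240000 ms = the 4 minutes above).
ENABLE_KEY = "persister.enable.incident.reconciliation"
TIMEOUT_KEY = "persister.incident.reconciliation.cached.incident.timeout"
ARTICLE_TIMEOUT_MS = 240000  # value listed in the article

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_reconciliation(text):
    """Return (level, message) findings for the reconciliation settings."""
    props = parse_properties(text)
    # Disabled by default per the article, so a missing key counts as off.
    if props.get(ENABLE_KEY, "false").lower() != "true":
        return [("INFO", "reconciliation is off: duplicate incidents for "
                         "multi-recipient email are not consolidated")]
    raw = props.get(TIMEOUT_KEY)
    if raw is None:
        return [("WARN", f"{TIMEOUT_KEY} is not set in this file")]
    try:
        timeout_ms = int(raw)
    except ValueError:
        return [("ERROR", f"{TIMEOUT_KEY} is not an integer: {raw!r}")]
    if timeout_ms < ARTICLE_TIMEOUT_MS:
        return [("WARN", f"timeout {timeout_ms} ms is below {ARTICLE_TIMEOUT_MS} ms: "
                         "one email may produce more than one incident")]
    return [("INFO", f"incidents are held {timeout_ms / 60000:.1f} min before persisting")]

# Constructed sample: reconciliation enabled with a reduced (hypothetical) timeout.
SAMPLE = """\
# IncidentPersister.properties (constructed excerpt)
persister.enable.incident.reconciliation = true
persister.incident.reconciliation.cached.incident.timeout=60000
"""

if __name__ == "__main__":
    for level, message in audit_reconciliation(SAMPLE):
        print(f"[{level}] {message}")
```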