After turning on Incident Reconciliation, incidents seem to take ~5 minutes to process before any of them appear in the Enforce Server.
Incident reconciliation manages the duplicate copies of an email, and thus the duplicate incidents, that MTA handling of messages with multiple recipients generates. If the email contains cc's and bcc's, incident reconciliation "reconciles" these multiple incidents into one, avoiding erroneous duplicate incidents.
Incident Reconciliation tells the Incident Persister to wait 4 minutes before persisting, and it consolidates the multiple incidents created from one message into a single incident.
The following settings in IncidentPersister.properties, located in /SymantecDLP/Protect/config/, are related to Incident Reconciliation:
persister.enable.incident.reconciliation=true
persister.incident.reconciliation.cache.cleanup.interval=10000
persister.incident.reconciliation.cached.incident.timeout=240000
persister.incident.reconciliation.exactduplicate.cache.cleanup.interval=10000
persister.incident.reconciliation.exactduplicate.timeout=600000
Note: Incident Reconciliation is disabled by default ("=false" in the first line above).
Reducing the 4-minute timeout is not recommended: it shortens the time available to reconcile multiple incidents into one, which can result in more than one incident for the same email.
After changing any of the properties above, restart the SymantecDLPIncidentPersister service on the Enforce Server.
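
One way to check a copy of IncidentPersister.properties against the settings above, as an added example (not Symantec's code). It assumes the values are milliseconds, which is how 240000 corresponds to the 4-minute wait; the function names are hypothetical and the sample file content is constructed.

```python
# Added example: audit IncidentPersister.properties text for the reconciliation settings.
RECOMMENDED_TIMEOUT_MS = 240000  # 4 minutes; assumes the values are milliseconds

ENABLE_KEY = "persister.enable.incident.reconciliation"
TIMEOUT_KEY = "persister.incident.reconciliation.cached.incident.timeout"

def parse_properties(text):
    """Parse simple key=value lines; skips blanks and #/! comments, last value wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_reconciliation(text):
    """Return findings; an empty list means enabled with the timeout at 4 minutes or more."""
    props = parse_properties(text)
    findings = []
    if props.get(ENABLE_KEY, "false").lower() != "true":
        findings.append("reconciliation is disabled (the default)")
        return findings
    raw = props.get(TIMEOUT_KEY)
    if raw is None:
        findings.append(f"{TIMEOUT_KEY} is not set")
    elif not raw.isdigit():
        findings.append(f"{TIMEOUT_KEY} is not a number: {raw!r}")
    elif int(raw) < RECOMMENDED_TIMEOUT_MS:
        findings.append(f"{TIMEOUT_KEY}={raw} is below {RECOMMENDED_TIMEOUT_MS}; "
                        "duplicate incidents for one email become more likely")
    return findings

# Constructed sample: reconciliation enabled but the timeout cut to 60 seconds.
SAMPLE = """\
# constructed sample, not from a real server
persister.enable.incident.reconciliation=true
persister.incident.reconciliation.cache.cleanup.interval=10000
persister.incident.reconciliation.cached.incident.timeout = 60000
"""

if __name__ == "__main__":
    for finding in audit_reconciliation(SAMPLE):
        print("WARN:", finding)
```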