DLP Incidents not persisting for Cloud Email customer
Article ID: 189289
Data Loss Prevention Cloud Service for EmailData Loss Prevention Cloud Prevent for Microsoft Office 365Data Loss Prevention Cloud Package
Incidents from hosted cloud email (Email Service or Cloud Prevent) have stopped showing up in Enforce.
If one examines the /incidents/ directory on Enforce, there are numerous ".bad" files - these are unpersisted incidents from the cloud detector or cloud prevent server.
Incident Reconciliation task is failing. This task reconciles incidents created for emails with multiple recipients, combining multiple incidents for the same original message into one incident in Enforce. There is a known defect for this task in 14.6-15.5 branches of DLP.
Release : 15.1
Upgrade to 15.5 MP2, where the fix is described in the Release Notes for that maintenance pack:
4245814: The SMTP reconciliation task no longer crashes on cache cleanup, with the Protect incidents reconciliation folder filling up with .idc files. Split-delivery emails no longer generate multiple incidents.