DLP Cloud Detector incident queue stays at 1000 in Enforce console

Article ID: 206005

Products

Data Loss Prevention Cloud Detection Service for REST
Data Loss Prevention Cloud Detection Service for ICAP
Data Loss Prevention Cloud Detection Service

Issue/Introduction

In the Enforce management console, the Incident Queue for your Cloud Detector is stuck at 1000 and does not appear to change.

You aren't seeing a high volume of incidents from this Detector, and don't believe there are DLP policies that would warrant the backlog that you are currently noticing.

You want to know whether there is a backend issue with the Detector.

Cause

The DLP Cloud Service is a hosted service that integrates with the Enforce console, which is itself a customer-managed on-prem installation.

In contrast to on-prem Detection Servers, the Incident Queue for a Cloud Detector currently reports a maximum of 1000 incidents queued.

The reported backlog reflects how many incidents have been created on the Detector, but it also depends on the speed of the Enforce server's internet connection to the Cloud Service Gateway and on the resources available to the Enforce DLP services that process incidents.

Environment

Release : 15.x

Resolution

The Incident Queue will remain at 1000 as long as there are more than 1000 incidents remaining on the Detector.

That number can only go down once the rate of new incidents drops below the rate at which incidents can be shipped to Enforce; because the console caps the value at 1000, it gives no indication of how far above 1000 the actual backlog is.
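A small model of the capped counter described above, added here as an illustration (it is not Symantec/Broadcom code). It assumes constant incident creation and shipping rates per interval, and shows that the console value only starts moving once the true backlog falls below 1000, which is why a flat 1000 reveals nothing about the real size of the backlog.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of the Enforce console's Cloud Detector queue display.
# The console reports min(true backlog, DISPLAY_CAP), so a value of 1000
# cannot tell you whether the real backlog is 1,001 or 100,000.
DISPLAY_CAP = 1000


@dataclass
class QueueSample:
    interval: int        # 1-based interval number
    true_backlog: int    # incidents still waiting on the Detector (assumed)
    reported: int        # what the Enforce console would show


def simulate_queue(initial_backlog: int, created_per_interval: int,
                   shipped_per_interval: int, intervals: int) -> List[QueueSample]:
    """Advance the Detector queue for a number of intervals.

    Each interval the Detector generates `created_per_interval` new incidents
    and ships at most `shipped_per_interval` of them to Enforce. Constant
    rates are an assumption of this model, not a property of the product.
    """
    backlog = initial_backlog
    samples: List[QueueSample] = []
    for i in range(1, intervals + 1):
        backlog += created_per_interval
        backlog -= min(backlog, shipped_per_interval)   # never drains below zero
        samples.append(QueueSample(i, backlog, min(backlog, DISPLAY_CAP)))
    return samples


def intervals_until_display_moves(samples: List[QueueSample]) -> Optional[int]:
    """First interval at which the console value drops below the cap, or None
    if the displayed queue would still read 1000 at the end of the run."""
    for s in samples:
        if s.reported < DISPLAY_CAP:
            return s.interval
    return None


if __name__ == "__main__":
    # Constructed scenario: a 4000-incident backlog draining at a net 100 per interval.
    run = simulate_queue(4000, created_per_interval=200, shipped_per_interval=300, intervals=40)
    for s in run[28:32]:
        print(f"interval {s.interval:2d}: true={s.true_backlog:5d} console={s.reported}")
    print("console first moves at interval:", intervals_until_display_moves(run))
```

Running the scenario shows the console reading 1000 for 30 intervals while the true backlog shrinks from 4000, then dropping only at interval 31; with creation equal to shipping, it never moves.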

To verify the number of backlogged incidents which were recently generated, versus those which have recently "shipped" to Enforce, you can open a case with Technical Support.

To reduce the chance of this issue recurring, policies that create high volumes of incidents may need to be tuned to eliminate false positives as well as duplicate incidents (multiple incidents triggered by a single event, such as one file upload or one email message).

You can also increase the memory allocation for specific Enforce services, such as SymantecDLPDetectionServerController and SymantecDLPIncidentPersister. For details, see this article: Monitor Controller performance issues after adding new Detection Servers (broadcom.com)