search cancel

Incident reporting discrepancy between filtering on Policy versus Policy Group and Summarizing by Policy

book

Article ID: 224625

calendar_today

Updated On:

Products

Data Loss Prevention Data Loss Prevention Endpoint Discover Data Loss Prevention Plus Suite Data Loss Prevention Discover Suite Data Loss Prevention Network Email Data Loss Prevention Network Monitor Data Loss Prevention Network Monitor and Prevent for Web

Issue/Introduction

A policy created has been renamed and also was moved to a different Policy Group.  Issue is when running reports.  When reporting by filtering on the Policy name all the incidents show.  When filtering on the Policy Group and summarizing by Policy then maybe 1/3 of the incidents show. 

Cause

This is by designed.  In our Oracle schema, for each incident we retain the policyID, policyVersion and policyGroupID that led to the creation of this incident.
This way we can tie any incident to the particular version of the policy that triggered it, regardless of how many changes the policy went through after that (and as you know you could always change the structure of that policy to something drastically different if you want to). And we can also remember which policy group was involved at that time, regardless of the policy group associated to the current form/version of the policy.

Environment

DLP Release : 15.7 MP2

Examples of the search being performed - returned Total Number of results differently after the changes to the Policy.

1. Search Query: Filtered by Policy Group
Filter by Policy Group: Is Any of “Policy Group1”
Summarized by Policy: “PolicyName
Total Results: 805,678

2. Search Query: Filtered by Policy by Month
Filter by Policy:  is Any of “PolicyName”
Total Results: 3,514,919

 

Resolution

You can go into the Incident Access and revert the access to the PolicyName

Only show incidents meeting the following criteria:

Policy Group Is None Of <Revert the policies here> so they can see the full report