search cancel

Remediation action populated as UNKNOWN in DLP Endpoint incident / "?" sign seen instead of the correct or no response from the end user.

book

Article ID: 240691

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Remediation action populated as UNKNOWN in incident / "?" sign seen in the incident instead of the correct response from the end user.

As seen in the above screenshot, an Endpoint incidents display a "?" sign instead of "Notify" or "Cancel" response icons.

Environment

DLP 15.x

Resolution

This is working as designed. The behavior of agent remediation response unknown is caused when an endpoint event violates 2 policies, where 1 policy has an "Endpoint Notify" response rule and the other one has a "User: Cancel" response rule configured. In case of a violation, both the response rules are triggered. If the "User Cancel" response rule supersedes the "User Notify" rule, the remediation input for the "Notify" becomes unknown.
Although there should be no "remediation action" for "Notify" response rule but due to the 2nd response rule it becomes unknown. 

Attachments