
Remediation action populated as UNKNOWN in DLP Endpoint incident / "?" sign seen instead of the correct or no response from the end user.


Article ID: 240691


Updated On:


Data Loss Prevention Endpoint Prevent


Remediation action populated as UNKNOWN in incident / "?" sign seen in the incident instead of the correct response from the end user.

As seen in the above screenshot, Endpoint incidents display a "?" sign instead of the "Notify" or "Cancel" response icons.


DLP 15.x


This is working as designed. The agent remediation response appears as unknown when an endpoint event violates 2 policies, where 1 policy has an "Endpoint Notify" response rule and the other has a "User: Cancel" response rule configured. When a violation occurs, both response rules are triggered. If the "User Cancel" response rule supersedes the "User Notify" rule, the remediation input for "Notify" becomes unknown.
Although a "Notify" response rule should have no "remediation action", the 2nd response rule causes it to become unknown.