The Data Loss Prevention Endpoint Agent reported the wrong URL on an Endpoint incident

Data Loss Prevention 15.7.x

Data Loss Prevention 15.8.x

Data Loss Prevention 16.0.x

The Chrome or Edge Chromium browser could potentially capture the wrong URL when the URL associated with the incident is sent to the EDPA process from the DLP extension installed inside the browser.

The DLP extension is written using published Chromium APIs and those APIs are expected to give the URL of the currently active tab at that moment.

In rare cases, the incorrect URL is sent when the published API sends EDPA a URL of a different tab than the one creating the incident.

This could happen due to timing issues that could possibly be due to extenuating circumstances with some slower machines.

While DLP Engineering is continuing to work with the respective browser developers to improve these APIs, for now the incident remediators should use their investigative skills to determine if these incidents would be illegitimate and should be disregarded. Such as if an incident shows as being uploaded to a website that does not provide means in which to upload data, it would generally be safe to assume that the incident can be disregarded.

Optionally if a particular user seems to have this issue happen more regularly than the average, you may consider educating the user to wait for a file upload to complete before they change to another tab, or to use a separate window or browser than the one they are using to upload sensitive data with.

Another workaround is to whitelist the authorized domains through Domain Filters in the agent configuration Channel Filters tab so inspection is not performed for URLs that are authorized.

You may want to review Article ID: 171330  Exclude / Whitelist URLs from inspection in DLP