DLP Agent Conditions troubleshooting
Article ID: 255440
Updated On:
Products
Issue/Introduction
Agent is not detecting expected using conditions such as AD group.
Resolution
Several things are needed to confirm if an agent is getting the conditions.
1.) DB export of the conditions.
Use Sql Developer or other tool to login and look at the Protect -> Views -> ConditionView. Then click on the data and export all those entrys.
or run this sql script against the protect database:
CREATE OR REPLACE FORCE EDITIONABLE VIEW "PROTECT"."CONDITIONVIEW" ("CONDITIONID", "NAME", "TYPE") AS
SELECT /*+ MATERIALIZE */ "CONDITIONID","NAME","TYPE"
FROM (
SELECT conditionid, name, type
FROM SenderCondition
UNION ALL
SELECT conditionid, name, type
FROM RecipientCondition
UNION ALL
SELECT conditionid, name, type
FROM DocumentMetaInfoCondition
UNION ALL
SELECT conditionid, name, type
FROM PatternCondition
UNION ALL
SELECT conditionid, name, type
FROM DatabaseInfoCondition
UNION ALL
SELECT conditionid, name, type
FROM DocumentSizeCondition
UNION ALL
SELECT conditionid, name, type
FROM KeywordCondition
UNION ALL
SELECT conditionid, name, type
FROM DocumentNameCondition
UNION ALL
SELECT conditionid, name, type
FROM ProtocolCondition
UNION ALL
SELECT conditionid, name, type
FROM DocumentProfileCondition
UNION ALL
SELECT conditionid, name, type
FROM SenderProfileCondition
UNION ALL
SELECT conditionid, name, type
FROM RecipientProfileCondition
UNION ALL
SELECT conditionid, name, type
FROM DataIdentifierCondition
UNION ALL
SELECT conditionid, name, type
FROM UniversalMetadataCondition
UNION ALL
SELECT conditionid, name, type
FROM DirectoryGroupCondition
UNION ALL
SELECT conditionid, name, type
FROM ConditionGroup
UNION ALL
SELECT conditionid, name, type
FROM BinaryScriptMatchCondition
UNION ALL
SELECT conditionid, name, type
FROM MachineLearningCondition
UNION ALL
SELECT conditionid, name, type
FROM DeviceCondition
UNION ALL
SELECT conditionid, name, type
FROM MapiAttributeCondition
UNION ALL
SELECT conditionid, name, type
FROM FormRecognitionCondition
UNION ALL
SELECT conditionid, name, type
FROM ContextualAttribCondition
UNION ALL
SELECT conditionid, name, type
FROM IctTagCondition
UNION ALL
SELECT conditionid, name, type
FROM AipCondition
UNION ALL
SELECT conditionid, name, type
FROM IcaCondition
UNION ALL
SELECT conditionid, name, type
FROM StructuredDataIdCondition);3.) Then set the agent logging level to finest, and restart agent.
4.) Gather endpoint logs search for the adding condition string. Compare the expected condition from the Database view. If the condition ID matches on the agent then the condition is on the agent and set for detection.
Example log: FINEST | Detection.CompiledConditionStore | Adding Condition: 50
All condition types listed in the additional information.
Additional Information
0 UNKNOWN 1 SENDER 2 RECIPIENT 3 DOCTYPE 4 REGEX 5 DATABASEINFO 6 COMPOUND 7 DOCSIZE 8 KEYWORD 9 DOCNAME 10 PROTOCOL 11 DOCPROFILE 12 SENDERPROFILE 13 RECIPIENTPROFILE 14 DATAIDENTIFIER 15 UNIVERSAL_METADATA 16 FILE_TYPE_SCRIPT 17 CHANNEL 18 DIRECTORY_GROUP
Feedback
