DLP Cloud Service Detector not detecting any incidents


Article ID: 260460


Products

Data Loss Prevention Cloud Service for Email

Issue/Introduction

You added new policies and they appear assigned to your Detectors in the Cloud Service, but your Cloud Service Detector is not showing any incidents and the message count on the Enforce Server for this Detector is also at "0".

If you send out a test email, for example, it is delivered, but policy detection does not appear to be working.

If you either suspend the policies in question, or assign them to a Policy Group that is not associated with the Cloud Services, detection resumes and message counts are incremented as normal.

 

Environment

Release: 16.0, 15.8

Cause

If reverting corrected the issue, look for rules or conditions in your policies that do not logically apply to the Cloud Services.

E.g., Endpoint conditions like Device ID are not expected to work in Cloud Detectors.

In some cases, when a policy containing conditions that do not apply to the Cloud Services is assigned to a Policy Group allocated to a Cloud Detection Service, it breaks the profile (the sum total of all Detector configurations like indexes, policies and settings), and policies fail to load on the Detector.

In other cases, although the policies appear to have loaded successfully (Event Code 2705 is shown: "Configuration file [Policy] delivery complete"), the DLP Engineering teams have confirmed that conditions with no relevance to the Cloud Service are themselves not loaded on the Detector.

Resolution

The recommendation from DLP Support is to segregate Endpoint and Cloud policies into separate Policy Groups.

You do not want Endpoint conditions to be assigned to the Cloud Detection Service (and vice versa, as Cloud Services conditions like Contextual Attributes are inappropriate for Endpoint Agent policies).

 

Update: The Engineering teams will be releasing an update to the Cloud Services that is expected to change this behavior. This article will be updated when that occurs (expected in the current quarter).

Additional Information

Similar issues are documented in the following KBs: