Policy seems to be detecting emails but not creating incidents in Enforce Server
search cancel

Policy seems to be detecting emails but not creating incidents in Enforce Server


Article ID: 271831


Updated On:


Data Loss Prevention Cloud Service for Email


You are seeing Response Rule actions being performed on emails as which are identical to those created on your policy but you cannot find any related incidents in the Enforce Server console*.

You can see when reviewing test emails (prior to sending) they don't have the x-headers applied before they reach the DLP Detection Server, but when the messages get to your downstream cloud gateway (after DLP content inspection) it has the x-header from the response rule for the policy.


Release : 16.0

Network Prevent for Email

Cloud Service for Email


In most cases, it's not possible for the DLP Email Prevent or Cloud Service for Email services to apply Response Rule actions without recording incidents.



In this case, there was a header modification in the upstream MTA that was actually performing the same actions as DLP is configured to do.

Finding and disabling that rule eliminated the header modifications occurring.

Thus, for Gmail, check:

Google Workspace > Settings for Gmail > Compliance

Look for a rule that performs the same actions, in the "Content Compliance" section.

In this case, the rule in Gmail was even using the same name as the Policy configured in DLP.



Additional Information

*To confirm there are no "bad" incidents in the Enforce Server, or the Detection Server itself, look in the "incidents" directories. For more details on why those occur, see What is a .bad file? (broadcom.com).