Duplicate incidents with a specific application on Endpoint Prevent.


Article ID: 275835



Data Loss Prevention Enforce


Multiple incidents are being generated for the same files repeatedly for certain applications, such as WeChat.


Search the original file path for evidence that the folder is one the application syncs or transfers from repeatedly, e.g. 'some/path/transfers/'.
Such a path suggests the application is expected to retry when a transfer fails, with each retry generating further DLP events.


While not cloud applications themselves, some applications may retry a file transfer if the initial one failed, such as when it is blocked by DLP.


Try the following to remediate the duplicate incidents:

1. If within acceptable risk, create a path filter within the channel filters to exclude the paths creating the duplicate incidents.

2. Within Application Monitoring (either global or local), set the offending application as a cloud application. This causes the files in the sync/transfer folder to be removed upon a block and stored in the 'my recovered files' location. However, incidents generated by this application will then be listed as cloud sync incidents within the DLP console instead of the prior incident type (varies).

3. If the incidents are very close together but eventually stop, try increasing UI.CONSECUTIVE_TRANSACTION_TIME.int. Increasing this setting makes consecutive transfers count as part of the same file activity, potentially eliminating duplicates.
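Choosing between the path filter in step 1 and the timing setting in step 3 depends on which folders the repeats come from and how far apart they occur. The following is an added example, not part of the original article or the product: it groups incident rows by application and file path and reports the retry gaps per folder. The CSV column names, application name and sample rows are constructed assumptions, not a DLP export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample rows; column names are hypothetical.
SAMPLE_CSV = r"""detected_at,application,file_path
2024-05-01T10:00:00,chatapp.exe,C:\Users\alice\chat\transfers\q1.xlsx
2024-05-01T10:00:20,chatapp.exe,C:\Users\alice\chat\transfers\q1.xlsx
2024-05-01T10:00:45,chatapp.exe,C:\Users\alice\chat\transfers\q1.xlsx
2024-05-01T10:05:00,chatapp.exe,C:\Users\alice\chat\transfers\plan.docx
2024-05-01T10:05:30,chatapp.exe,C:\Users\alice\chat\transfers\plan.docx
2024-05-01T11:00:00,winword.exe,C:\Users\alice\Documents\memo.docx
"""

def find_repeats(csv_text, min_count=2):
    """Group incidents by (application, file path) and measure retry gaps."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["detected_at"])
        groups[(row["application"], row["file_path"])].append(ts)
    report = []
    for (app, path), times in groups.items():
        if len(times) < min_count:
            continue  # a single incident is not a duplicate
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report.append({"application": app, "file_path": path,
                       "folder": str(PureWindowsPath(path).parent),
                       "incidents": len(times), "max_gap_s": max(gaps)})
    return sorted(report, key=lambda r: -r["incidents"])

def candidate_folders(report):
    """Summarise repeated files per (application, folder)."""
    folders = defaultdict(lambda: {"files": 0, "incidents": 0, "max_gap_s": 0.0})
    for r in report:
        f = folders[(r["application"], r["folder"])]
        f["files"] += 1
        f["incidents"] += r["incidents"]
        f["max_gap_s"] = max(f["max_gap_s"], r["max_gap_s"])
    return dict(folders)

if __name__ == "__main__":
    for (app, folder), s in candidate_folders(find_repeats(SAMPLE_CSV)).items():
        print(f"{app} {folder}: {s['files']} files, "
              f"{s['incidents']} incidents, widest gap {s['max_gap_s']:.0f}s")
```

A folder with many repeated files is a candidate for the path filter review in step 1, while short gaps that stop on their own point toward the timing setting in step 3.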

Additional Information

About Channel Filter Configuration
About Global Application Monitoring
Advanced Agent Settings