Incident Severity is Now Based on the Highest Severity in a Rule - Changed

Article ID: 386331

Products

Data Loss Prevention

Issue/Introduction

With DLP 16.1, the incident severity is the severity of the highest-severity rule that matched within a policy. Remediators can report on and remediate incidents at the severity of the highest offending rule, instead of at a severity aggregated from all rule conditions.

Environment

DLP 16.1

Cause

Changes to DLP with the 16.1 update

Resolution

If you want to revert to incident severity as an aggregation of all rule conditions, complete the steps below:

1) For the Detection Server, the old behavior can be preserved by adding the following line to the Protect.properties file on the Enforce server (the default is on):

Protect.properties

PostProcessor.SET_HIGHEST_RULE_LEVEL_SEVERITY_ENABLED = off

To make this setting effective, restart the MonitorController. After the MonitorController has restarted, restart all detection servers.

2) For Endpoint, the old behavior can be preserved by setting the PostProcessor.SET_HIGHEST_RULE_LEVEL_SEVERITY_ENABLED.str Advanced Setting in the Agent Group Configuration to off (the default is on).

After saving this agent configuration, apply it. The setting takes effect once the agent syncs with the server.

Note: To apply this change across the entire environment, the setting must be changed in every agent configuration and in Protect.properties on the Enforce server.
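Step 1 asks for a line to be added to Protect.properties. Because Java-style properties files take the last active definition of a key as the effective one, a stray duplicate or a commented-out copy can make it unclear which value the server actually reads. The following helper, an added example that is not Broadcom's code, sets the key exactly once (rewriting an existing active line, collapsing duplicates, appending when absent) and reads back the effective value so the change can be verified before the MonitorController restart. The file path is not given on this page, so the script takes it as an argument; it only edits the file and does not perform the restarts.

```python
"""Idempotently set a key in a Java-style .properties file and verify the effective value.
Added example for the DLP 16.1 severity setting; not part of the product."""
import re
import shutil
import sys
import tempfile
from pathlib import Path

KEY = "PostProcessor.SET_HIGHEST_RULE_LEVEL_SEVERITY_ENABLED"


def _key_pattern(key: str) -> re.Pattern:
    # Active (uncommented) definition: optional leading whitespace, key, '=' or ':' separator.
    # Lines starting with '#' or '!' are comments in java.util.Properties and never match.
    return re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*)$")


def get_property(text: str, key: str):
    """Return the effective value of `key`, or None if no active definition exists.
    Mirrors java.util.Properties: when a key is defined more than once, the last one wins."""
    pattern = _key_pattern(key)
    value = None
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            value = m.group(1).strip()
    return value


def set_property(text: str, key: str, value: str) -> str:
    """Return `text` with exactly one active line `key = value`.
    - the first existing active definition is rewritten in place
    - further duplicates are dropped so the effective value is unambiguous
    - commented-out copies are left untouched as documentation
    - if no active definition exists, the line is appended
    All other lines are preserved as-is."""
    pattern = _key_pattern(key)
    out = []
    replaced = False
    for line in text.splitlines():
        if pattern.match(line):
            if not replaced:
                out.append(f"{key} = {value}")
                replaced = True
            continue  # duplicate active definition: drop it
        out.append(line)
    if not replaced:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def apply_to_file(path: Path, key: str, value: str) -> str:
    """Back up `path` to `<path>.bak`, rewrite it with the key set, and return the verified value."""
    original = path.read_text(encoding="utf-8")
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    updated = set_property(original, key, value)
    path.write_text(updated, encoding="utf-8")
    effective = get_property(path.read_text(encoding="utf-8"), key)
    if effective != value:
        raise RuntimeError(f"{key} reads back as {effective!r}, expected {value!r}")
    return effective


# Constructed sample resembling a properties file with a commented-out copy of the key.
SAMPLE = (
    "# Enforce post-processing settings (constructed sample)\n"
    "SomeOther.Key = 1\n"
    f"# {KEY} = on\n"
)


def main(argv):
    # Usage: python set_severity_mode.py /path/to/Protect.properties   (path is a placeholder)
    if len(argv) > 1:
        target = Path(argv[1])
    else:
        # No path supplied: demonstrate on a temporary copy of the constructed sample.
        target = Path(tempfile.mkdtemp()) / "Protect.properties"
        target.write_text(SAMPLE, encoding="utf-8")
    print(f"{KEY} is now {apply_to_file(target, KEY, 'off')} in {target}")
    print(f"backup written to {target}.bak")


if __name__ == "__main__":
    main(sys.argv)
```

Run it once against the real file and once more to confirm it is idempotent; the `.bak` copy gives a trivial rollback if the aggregated-severity behavior is not wanted after all.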