Inconsistent Timestamps for “Content Blocked” Events in Enforce Incident History (CASB / Gateway DIM)
Article ID: 424311
Updated On:
Products
Issue/Introduction
Customers using Enforce with CDS for REST (CASB integration) may notice a time mismatch in Gateway DIM policy-violation events within the Incident History. Specifically, the response rule action “content blocked” displays a timestamp that differs from other related events, depending on the Enforce Server’s configured timezone, even though the content block is triggered at the exact time the file is uploaded. All other Gateway DIM and incident events correctly reference the Enforce Server timezone.
Event example:
Environment
DLP Enforce with CASB integration (CDS for REST)
Cause
This behavior is caused by a timezone handling discrepancy between the cloud service (CASB) and the Enforce Server.
The CASB Gatelet sends event acknowledgements with timestamps in UTC.
The Enforce UI displays these timestamps without converting them to the server’s local timezone, unlike other incident events.
As a result, when the Enforce Server is configured for UTC+1, UTC+2, etc., the “content blocked” event appears offset by the corresponding number of hours, while all other events correctly reflect the server timezone.
Resolution
As a short-term workaround, configure the Enforce Server timezone to UTC. This aligns the server time with the UTC timestamps from the cloud and resolves the display discrepancy.
For a long-term resolution, a Feature Request (ISFR-3831) has been filed to normalize timestamps across all cloud and Enforce events. There is currently no target date for this functionality to be added to the product.
If you would like to be added to this feature request, please open a support case and reference this KB article.
Feedback
