Email incidents take 5 minutes longer to process with Incident Reconciliation
search cancel

Email incidents take 5 minutes longer to process with Incident Reconciliation


Article ID: 164384


Updated On:


Data Loss Prevention Cloud Prevent for Microsoft Office 365 Data Loss Prevention Cloud Service for Email Data Loss Prevention Network Prevent for Email


After turning on Incident Reconciliation, incidents seem to take ~5 minutes to process - before any incidents appear in the Enforce Server.


Incident reconciliation enables managing of duplicate copies of emails, and thus duplicate incidents, generated by MTA handling of messages with multiple recipients.  If the email contains cc's and bcc's, incident reconciliation "reconciles" these multiple incidents into one, avoiding the erroneous duplication of incidents.


Incident Reconciliation basically tells Incident Persister to wait for 4 minutes before persisting, and it consolidates multiple incidents created from one message into one incident.

Additional Information

The following settings to in /SymantecDLP/Protect/config/ are related to Incident Reconciliation.


Note: Incident Reconciliation is disabled by default ("=false" in first line above).

It is not recommended to reduce the 4-minute timeout, as this could shorten the amount of time necessary to reconcile multiple incidents into one, thus having more than one incident for the same email.

If changing the properties above, restart the SymantecDLPIncidentPersister service on the Enforce Server.