Severity not set correctly for Cloud Email Service incidents

Article ID: 170477

Products

Data Loss Prevention Cloud Service for Email, Data Loss Prevention Cloud Package, Data Loss Prevention, Data Loss Prevention Cloud Detection Service, Data Loss Prevention Cloud Detection Service for ICAP, Data Loss Prevention Cloud Detection Service for REST

Issue/Introduction

Incidents are marked as HIGH severity when the policy uses an AND condition, changing the expected severity from INFO, LOW, or MEDIUM.

Steps to reproduce:

  1. Create a policy with at least one compound rule condition (keyword AND DI; EDM AND keyword; etc.)
  2. Set default severity to 'medium'.
  3. Add a severity condition to set severity to 'High' when match count is greater than or equal to '10'.
  4. Add a response rule which executes only if the severity is 'High'.

Note that the issue can prevent many Response Rules from being applied correctly.
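To check whether recorded incidents are affected, the policy from the reproduction steps can be re-evaluated offline against an incident listing. The following is an added example, not vendor code: the CSV columns (`incident_id`, `match_count`, `severity`) and all function names are hypothetical, and the rows are constructed.

```python
import csv
import io

# Severity levels named in the article, lowest first.
LEVELS = ["INFO", "LOW", "MEDIUM", "HIGH"]

def expected_severity(match_count, default="MEDIUM", escalated="HIGH", threshold=10):
    """Severity the reproduction policy should assign: the default (step 2),
    unless the match count reaches the threshold from step 3."""
    return escalated if match_count >= threshold else default

def find_mismatches(export_text, **policy):
    """Return (incident_id, recorded, expected) for every row whose recorded
    severity is not what the policy's severity settings call for."""
    mismatches = []
    for row in csv.DictReader(io.StringIO(export_text)):
        recorded = row["severity"].strip().upper()
        if recorded not in LEVELS:
            raise ValueError(f"unknown severity {recorded!r} in incident {row['incident_id']}")
        expected = expected_severity(int(row["match_count"]), **policy)
        if recorded != expected:
            mismatches.append((row["incident_id"], recorded, expected))
    return mismatches

def response_rule_misfires(mismatches, trigger="HIGH"):
    """Incidents where a response rule gated on `trigger` (step 4) ran when it
    should not have, or was skipped when it should have run."""
    return [m[0] for m in mismatches if (m[1] == trigger) != (m[2] == trigger)]

# Constructed sample rows (hypothetical column names, not a DLP export format).
SAMPLE = """incident_id,match_count,severity
1001,3,HIGH
1002,12,HIGH
1003,1,MEDIUM
1004,7,High
"""

if __name__ == "__main__":
    found = find_mismatches(SAMPLE)
    for incident_id, recorded, expected in found:
        print(f"incident {incident_id}: recorded {recorded}, expected {expected}")
    print("response rule misfires:", response_rule_misfires(found))
```

Passing `default="LOW"` or `default="INFO"` applies the same check to a policy whose incidents are being raised to MEDIUM.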

Environment

DLP Cloud Service

Cause

The compound condition causes the severity settings to drop out of the incident summary, so the incident defaults to HIGH severity.

Resolution

One instance of this issue occurred on prior versions of DLP and was fixed by subsequent updates.

However, a related issue seems to have recurred: for example, the severity of an incident that should be flagged as either LOW or INFO is instead increased to MEDIUM.

Additional Information

If you are impacted by this issue in the DLP Cloud Service, please contact Technical Support.