Understanding incident dates in Data Loss Prevention

Article ID: 215084


Products

Data Loss Prevention

Issue/Introduction

You want to understand what the "Occurred On" (MessageDate) and "Reported On" (DetectionDate) dates in incident snapshots mean, and how they relate to the following timestamps from the Incident table in the database:

  • MessageDate
  • DetectionDate
  • CreationDate

NOTE:

MessageDate and DetectionDate are stored in the database and displayed relative to the Enforce server's time zone, not the time zone of the endpoint or detection server that produced the incident. For example, if an incident is generated on an endpoint machine in the US Central time zone at 9:00 AM but the Enforce server is in the US Mountain time zone, the Occurred On value is stored in the database and displayed in the Enforce console as 8:00 AM.

Environment

DLP 15.x

DLP 16.x

Resolution

Occurred On / MessageDate

Network Prevent for Email (SMTP Prevent) Incidents

Occurred On is the date from the email header itself.

All Other Incident Types

The date and time at which the violation was detected within the message that generated the incident. This value is adjusted to the Enforce server's time zone when the incident is persisted.

Reported On / DetectionDate

Endpoint Agent Incidents

The time at which the DLP agent sent the incident to the Aggregator service on the Endpoint detection server, as recorded by the agent (not the local time on the Endpoint detection server). This value is adjusted to the Enforce server's time zone when the incident is persisted.

Detection Server Incidents (including Endpoint TTD)

The time at which FileReader generates the incident. Detection server incidents should therefore have very similar Message and Detection timestamps. FileReader writes .idc files (incidents) to the C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<ver>\incidents directory, which is monitored by the IncidentWriter service; IncidentWriter picks up the .idc files and ships them to the SymantecDLPDetectionServerController service on the Enforce server.

CreationDate

The time at which the IncidentPersister service on the Enforce server first persists the incident into the database (stage 1, persistence). Unlike MessageDate and DetectionDate, this value is taken from the Enforce server's own clock rather than converted from the reporting system's clock.
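The following is an added example (it is not part of this article or of the DLP product code) that puts the three timestamps side by side: it reproduces the time-zone normalisation described in the NOTE above, takes an SMTP Prevent Occurred On from an email Date header, and computes the stage-to-stage delays (Occurred On to Reported On, Reported On to CreationDate) over a few constructed Incident rows, flagging rows where the expected ordering MessageDate <= DetectionDate <= CreationDate does not hold. The fixed Central/Mountain offsets, the field names incident_id and kind, the sample rows and the interpretation of an ordering violation as clock skew are all assumptions made for the example.

```python
"""Relating DLP incident timestamps (added example, not Symantec/Broadcom code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed fixed offsets standing in for US Central and Mountain daylight time
# on the sample date; real code would use zoneinfo with the Enforce server's zone.
CENTRAL = timezone(timedelta(hours=-5), "US Central (CDT)")
MOUNTAIN = timezone(timedelta(hours=-6), "US Mountain (MDT)")
ENFORCE_TZ = MOUNTAIN  # assumption: the Enforce server runs in US Mountain time


def to_enforce_local(ts: datetime) -> datetime:
    """Convert an aware timestamp to the naive wall-clock value Enforce stores.

    The article states that MessageDate and DetectionDate are persisted relative
    to the Enforce server's zone, so 9:00 Central on an endpoint is stored as 8:00.
    """
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return ts.astimezone(ENFORCE_TZ).replace(tzinfo=None)


def endpoint_occurred_on(local_iso: str, agent_tz: timezone = CENTRAL) -> datetime:
    """Occurred On for an endpoint incident: agent wall-clock time, stored Enforce-local."""
    return to_enforce_local(datetime.fromisoformat(local_iso).replace(tzinfo=agent_tz))


def smtp_occurred_on(date_header: str) -> datetime:
    """Occurred On for SMTP Prevent comes from the email's Date: header."""
    return to_enforce_local(parsedate_to_datetime(date_header))


@dataclass
class IncidentRow:
    """Subset of the Incident table; incident_id and kind are illustrative names."""
    incident_id: int
    kind: str                  # 'endpoint' | 'detection_server' | 'smtp' (constructed label)
    message_date: datetime     # Occurred On, Enforce-local wall time
    detection_date: datetime   # Reported On, Enforce-local wall time
    creation_date: datetime    # first persisted by IncidentPersister (Enforce clock)


def lags_minutes(row: IncidentRow) -> dict:
    """Per-stage delays in minutes: detection -> report, report -> persist."""
    def minutes(a: datetime, b: datetime) -> float:
        return (b - a).total_seconds() / 60
    return {
        "detect_to_report": minutes(row.message_date, row.detection_date),
        "report_to_persist": minutes(row.detection_date, row.creation_date),
    }


def consistency_issues(row: IncidentRow) -> list:
    """Check the expected ordering MessageDate <= DetectionDate <= CreationDate.

    MessageDate and DetectionDate come from the agent or detection server clock and
    CreationDate from the Enforce clock, so a violation usually points at clock skew
    or a wrong time-zone configuration on one side (assumption, not from the article).
    """
    issues = []
    if row.message_date > row.detection_date:
        issues.append("MessageDate after DetectionDate")
    if row.detection_date > row.creation_date:
        issues.append("DetectionDate after CreationDate")
    return issues


def sample_rows() -> list:
    """Constructed rows illustrating the incident types described in the article."""
    def d(h: int, m: int, s: int = 0) -> datetime:
        return datetime(2024, 5, 1, h, m, s)
    return [
        # Endpoint: detected 9:00 Central, sent to the Aggregator 9:02 Central (both
        # stored as Mountain time), persisted by Enforce at 8:05 Mountain.
        IncidentRow(1, "endpoint", endpoint_occurred_on("2024-05-01T09:00"),
                    endpoint_occurred_on("2024-05-01T09:02"), d(8, 5)),
        # Detection server (incl. Endpoint TTD): Message and Detection nearly equal.
        IncidentRow(2, "detection_server", d(10, 0, 0), d(10, 0, 2), d(10, 1)),
        # SMTP Prevent: Occurred On from the Date: header (16:00 +0100 -> 09:00 MDT).
        IncidentRow(3, "smtp", smtp_occurred_on("Wed, 01 May 2024 16:00:00 +0100"),
                    d(9, 0, 30), d(9, 1)),
        # Endpoint whose clock runs 30 minutes ahead: DetectionDate after CreationDate.
        IncidentRow(4, "endpoint", d(11, 30), d(11, 31), d(11, 2)),
    ]


def summarize(rows: list) -> dict:
    """Map incident_id -> stage lags and any ordering issues."""
    return {r.incident_id: {"lags": lags_minutes(r), "issues": consistency_issues(r)}
            for r in rows}


if __name__ == "__main__":
    for iid, info in summarize(sample_rows()).items():
        print(iid, info)
```

Against a real database the same arithmetic is a query over the Incident table's MessageDate, DetectionDate and CreationDate columns; the point of the example is that only the first two are converted into the Enforce zone, so a DetectionDate that lands after CreationDate is a clock or zone discrepancy on the reporting side, not a persistence problem.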

Example

In an Incident Snapshot's Incident Details section, the MessageDate and DetectionDate timestamps are represented as "Occurred On" and "Reported On" as shown in the screenshots below:

In the case of Endpoint Agent incidents, the MessageDate corresponds to the persistDate field for the given incident in the DetectionResultData table of the agent's is.ead (IncidentStore) database.

Additional Information

See also: Incident Persister stages overview