The customer is getting duplicated incidents on Endpoint monitoring. If he removes the Sender User Group exception, he gets only one incident.
They have two policies. One is two-tier detection (What Rule Conditions Will Cause Two Tier Detection) the other is AD Sender group matching.
AD group matching for sender (not recipient) is done on the agent. The AD recipient matching is done on the server. We do not check when it gets sent to the server, so a message gets set to the server for the EDM policy. The server sees there is an AD policy, and reevaluates it. One incident is processed on the agent, a second is processed on the server.
The two rules, AD Sender and two-tier do not need to be in the same policy.
Note: Block or Notify Response Rules are not available on the Server. Therefore, the incident from the Server will not show the message being blocked. The message is blocked, and that is specified on the agent incident.
Etracks: 2422105, 3234844.