I am trying to figure out how exactly CA Data Protection records events and raises triggers if an email violates both DLP (preemptive email security) and compliance policies (i.e. EML files ingested via an importer into the PE). Consider this scenario:
A user sends an email which violates a DLP policy in CA Data Protection; the email is quarantined and a notification email is sent to the user and to the reviewer of the violated policy. The user requests the release of the email and provides suitable justification, based on which the reviewer releases the email from quarantine and it is finally sent to the intended recipient.
During this process:
1. An event is generated and stored in the wgn3event table.
2. A trigger is raised and stored in the wgn3Trigger table using the eventuid generated earlier.
3. The event life-cycle from "Quarantine" to "Release" is stored in the wgn3eventsuidt table using the eventuid generated earlier.
In the second part of its journey the email is exported from Exchange in EML format and passed on to the Policy Engine via an importer, where it is evaluated against compliance policies (please note that two separate PE servers are used to host and enforce preemptive DLP and the post-event compliance check). This causes a trigger to be raised as the email violates one of the policies. In this case:
1. Does CA Data Protection raise a new event under a new eventuid? If it does, then there will actually be two eventuids per email, one from DLP surveillance and another from the post-event compliance policies?
2. Or does it use the already existing eventuid which was logged during DLP? If yes, how does it relate the ingested EML file to a particular email ID?
I did some research which suggests option 2 above best describes the event flow, however I am not sure, to say the least.
Any help will be appreciated greatly, thanks!
In the scenario described above, there will be two events stored in the wgn3event table with unique eventuids. The CA Data Protection (DLP) product does not do any de-duplication of events being imported by default.
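A reconciliation query that follows from the answer above, added here as an illustration and not taken from the thread or from the CA Data Protection product documentation. It uses only the table names named in the question (wgn3event, wgn3Trigger, wgn3eventsuidt) and the eventuid column; every other column name is a hypothetical placeholder that has to be mapped onto the real schema before the query can run. The idea is to surface the messages that, because no de-duplication happens on import, now carry one eventuid from the preemptive DLP capture and a second one from the post-event EML import, so that a reviewer can see both triggers side by side rather than treating them as unrelated incidents.

```sql
-- Added example, not from the thread or the product. Columns marked
-- "hypothetical" are placeholders; only eventuid and the three table
-- names come from the question.

-- 1. Messages that have more than one eventuid in wgn3event. Without
--    de-duplication on import, a mail caught by preemptive DLP and then
--    re-ingested as an EML file for compliance checking shows up here.
SELECT e.message_id_col               AS message_id,  -- hypothetical: mail Message-ID column
       COUNT(DISTINCT e.eventuid)     AS event_count,
       MIN(e.event_time_col)          AS first_seen,  -- hypothetical: event timestamp column
       MAX(e.event_time_col)          AS last_seen
FROM   wgn3event e
GROUP  BY e.message_id_col
HAVING COUNT(DISTINCT e.eventuid) > 1;

-- 2. For one such message, list each eventuid together with the policy
--    that triggered on it and its last recorded life-cycle state, so the
--    DLP quarantine/release history and the compliance trigger can be
--    reviewed together.
SELECT e.eventuid,
       t.policy_name_col              AS policy,      -- hypothetical: policy column in wgn3Trigger
       s.state_col                    AS last_state   -- hypothetical: life-cycle state column
FROM   wgn3event e
JOIN   wgn3Trigger    t ON t.eventuid = e.eventuid
LEFT JOIN wgn3eventsuidt s ON s.eventuid = e.eventuid
WHERE  e.message_id_col = '<message-id placeholder>'
ORDER  BY e.eventuid;
```

If the real schema keys the EML import on something other than the Message-ID (for example a hash of the message or a sender/recipient/subject tuple), the join column in both statements has to change accordingly; the grouping logic itself stays the same.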