Data Loss Prevention


  • 1.  Only blocked incidents appearing

    Posted Feb 20, 2026 07:40 PM

    Dears,

    I'm running DLP v16.1 and I have a regex-configured policy for detection and a response rule that blocks and notifies users by email.

    The issue here is that only the block incidents are logged and appearing in the console, while the allow incidents are not appearing at all.

    Any idea?



    -------------------------------------------


  • 2.  RE: Only blocked incidents appearing

    Broadcom Employee
    Posted Feb 22, 2026 08:51 PM
    Edited by Jesse Gonzales Feb 22, 2026 08:56 PM

    Greetings, 

    I need to start with that I am speculating based on your post. 

    "the issue here only the block incident are logged and appearing in the console with the allow incident is not appearing at all."

    If the incident is being logged, you can surmise that your detection rule triggered correctly (or close to the intent). As it triggers, an incident is ultimately generated and sent to the Enforce Server and stored in Oracle. This seems to be working as intended. 

    What you stated above is that the data flow is still being allowed. Please correct me if I'm misunderstanding the issue. 

    I'll keep this brief.

    • You may have an issue with the Detection Server configuration. If that is the case, be sure that Trial Mode is not enabled for on-prem detection servers. Did you alter Server Settings for the Detection Server? 
    • If you're working with the Cloud Service for Email Cloud Detector, is it configured correctly within your MTA chain?
    • Another potential issue would be how you configured the Response Rule. Do you have Conditions configured that could have prevented the Action from being executed?

    There are other possible issues, but these are some that come to mind. You triggered an incident, but didn't execute the response rule. You see the incident, but no action. Take a look at the History of the incident. What kind of information is shown? The Servers and Detectors Logs or Events will be useful as a starting point. 

    If this is not what you're looking for, you may be experiencing this:

    Incident Severity is Now Based on the Highest Severity in a Rule - Changed
    With DLP 16.1, the highest offending severity of a rule within a policy represents the incident severity. Remediators can report and remediate incidents that represent the severity of the highest offending rule, instead of an aggregation of all rule conditions.
    If you want to change back to incident severity as an aggregation of all rule conditions, contact Support for more information.

    I hope this points you in the right direction. 



    ------------------------------
    Jesse Gonzales
    Technical Trainer/Education Services
    Symantec by Broadcom
    Data Loss Prevention, CloudSOC, Cloud SWG, Web Isolation, Endpoint Encryption, ITMS
    ------------------------------