Hello DLP users..
We had a situation where there was an Endpoint Policy that had 1 or many Rules that were based on a User Group for the Sender (DGM). This is in addition to basic keywords or file types.
It would constantly create 2 Events no matter if there was a response rule or not. What we found out was that this policy was triggering a Two-tier detection for NO reason. According to SYMC this was ONLY supposed to happen if there was a Recipient Exception based on DGM or AD group... we had NO Recipient filters.
It took us some time to figure it out..
In order to figure it out I had to eliminate all of the other policies...
So overall the issue is that the Policy that should NOT trigger a two-tier detection was doing so because there was an EDM policy that was requiring a Two-Tier detection. This is not how it's supposed to work.
In either case it looks like a DGM based policy on the Endpoint will trigger a two-tier detection (with multiple events) if there is ANOTHER policy that requires a two-tier detection (EDM) on the endpoint.
Good Luck
Ronak
UPDATE -
Answer from Back line on this..
Here is a final explanation of why this occurred in the first place. Normally we avoid duplicates because only the policies with two-tier conditions are evaluated at the endpoint server, while policies that have no two-tier conditions are left to only run on the endpoint. So while an event can create multiple incidents, normally it's never two for the same policy. The issue here is that the agent was able to do its own lookup and did not need two-tier detection; however, once another policy forced the two-tier replication of the message, the endpoint server didn't skip this policy like it did all of the other endpoint-only policies, because it saw it as containing a two-tier condition. Thus the duplicate incident was created.
OVERALL -
Something changed with detection in 14.6+; all previous versions (12 years) did not work this way, and it has not been documented either. So chalk this one up as a "Good to know".
Make sure there are NO EDM or IDM policies in a policy group that works on the Endpoint Servers; if you do, it will cause a Two-Tier detection on ALL other policies (DGM or AD Groups) and not just the 1 policy.
You may want to turn off two-tier detection on the Endpoint Server and test this out.
Moving forward.
A case has been sent to SYMC and the Backline support team and it is currently being researched by the Engineering team.
Stay Tuned!
Seems some bug in the product.
Just as an FYI, this was happening on DLP 14.6MP2 agent and server.