Southern California Data Loss Prevention User Group


Duplicate DLP Endpoint Incidents when the Policy has Sender User Groups 

Nov 07, 2017 01:49 PM

Hello DLP users.

We had a situation where there was an Endpoint Policy that had one or more Rules based on a User Group for the Sender (DGM). This was in addition to basic keywords or file types.

It would constantly create 2 Events, no matter if there was a response rule or not. What we found out was that this policy was triggering a Two-tier detection for NO reason. According to SYMC this was ONLY supposed to happen if there was a Recipient Exception based on DGM or AD group... we had NO Recipient filters.

It took us some time to figure it out.

In order to figure it out I had to eliminate all of the other policies:

  1. I first disabled all of the policies that were in the Endpoint ONLY Policy Group, except our test one.
     1. This did not solve the problem, so it was NOT related to any policy that was part of the Endpoint Policy Group.
  2. I then looked at all of the Policy Groups, and it looks like someone had them misconfigured: the policy group that is supposed to be ONLY for Email or Network (because of EDM policies) was also configured for Endpoint. Those policy groups have EDMs that trigger a Two-Tier Detection and should not have been applied to Endpoint.

So overall the issue is that the Policy that should NOT trigger a two-tier detection was doing so because there was an EDM policy that required a Two-Tier detection. This is not how it's supposed to work.

In either case, it looks like a DGM-based policy on the Endpoint will trigger a two-tier detection (with multiple events) if there is ANOTHER policy that requires a two-tier detection (EDM) on the endpoint.

 

Good Luck

 

Ronak


Comments

Apr 05, 2018 04:07 PM

UPDATE -

Answer from Backline on this:

Here is a final explanation of why this occurred in the first place.

Normally we avoid duplicates because only the policies with two-tier conditions are evaluated at the endpoint server, while policies that have no two-tier conditions are left to only run on the endpoint. So while an event can create multiple incidents, normally it's never two for the same policy.
 
The issue here is that the agent was able to do its own lookup and did not need two-tier detection; however, once another policy forced the two-tier replication of the message, the endpoint server didn't skip this policy like it did all of the other endpoint-only policies, because it saw it as containing a two-tier condition. Thus the duplicate incident was created.

OVERALL - 

Something changed with detection in 14.6+; all previous versions (12 years) did not work this way, and it has not been documented either. So chalk this one up as a "Good to know."

Make sure there are NO EDM or IDM policies in a policy group that works on the Endpoint Servers. If there are, it will cause a Two-Tier detection on ALL other policies (DGM or AD Groups), and not just the one policy.

You may want to turn off two-tier detection on the Endpoint Server and test this out.

Moving forward.

 

Good Luck

 

Ronak
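
An added example, not part of this thread or of Symantec's product, that turns the Backline explanation and the "no EDM/IDM in an Endpoint policy group" rule above into a check you can run against your own policy inventory. The policy-group and policy structures, the condition names (EDM, IDM, DGM, AD_GROUP, KEYWORD) and the sample inventory are all constructed assumptions for the example, not a DLP export format or API; the simulation only models the incident counts the thread describes (agent-side incident for non-two-tier policies, server-side incident for two-tier ones, and the extra server-side incident for DGM/AD-group policies when another policy forces replication).

```python
"""Lint a DLP policy-group inventory for the duplicate-incident pattern
described in this thread, and simulate the incident counts it produces.

Added example, not Symantec code: the inventory structure below is an
assumption constructed for the example, not a DLP export format or API.
"""
from dataclasses import dataclass

TWO_TIER = {"EDM", "IDM"}            # conditions evaluated on the endpoint server
GROUP_LOOKUP = {"DGM", "AD_GROUP"}   # sender/recipient group conditions the agent resolves itself


@dataclass(frozen=True)
class PolicyGroup:
    name: str
    servers: frozenset   # detection server types the group is applied to


@dataclass(frozen=True)
class Policy:
    name: str
    group: str           # PolicyGroup.name this policy belongs to
    conditions: frozenset


def endpoint_scope(groups, policies):
    """All policies that reach the endpoint, i.e. that belong to any policy
    group applied to an Endpoint Server."""
    endpoint_groups = {g.name for g in groups if "Endpoint" in g.servers}
    return [p for p in policies if p.group in endpoint_groups]


def find_two_tier_leaks(groups, policies):
    """Return (policy_group, offending_policy, affected_policies) for every
    EDM/IDM policy in endpoint scope; affected_policies are the DGM/AD-group
    policies anywhere in endpoint scope that will double-fire because of it."""
    scope = endpoint_scope(groups, policies)
    affected = sorted(p.name for p in scope if p.conditions & GROUP_LOOKUP)
    return [(p.group, p.name, affected) for p in scope if p.conditions & TWO_TIER]


def simulate_incidents(groups, policies, matched):
    """Incident count per endpoint-scope policy for one event whose content
    conditions fired for the policies named in `matched`, following the
    Backline explanation: the agent creates incidents for policies with no
    two-tier condition; if any matched policy does have one, the event is
    replicated to the endpoint server, which (the 14.6 behaviour in the
    thread) also re-evaluates DGM/AD-group policies instead of skipping them."""
    scope = endpoint_scope(groups, policies)
    counts = {p.name: 0 for p in scope}
    for p in scope:
        if p.name in matched and not p.conditions & TWO_TIER:
            counts[p.name] += 1                      # agent-side incident
    if any(p.name in matched and p.conditions & TWO_TIER for p in scope):
        for p in scope:
            if p.name in matched and p.conditions & (TWO_TIER | GROUP_LOOKUP):
                counts[p.name] += 1                  # endpoint-server incident
    return counts


# Constructed inventory: the "Network and Email" group is wrongly applied to Endpoint too.
SAMPLE_GROUPS = [
    PolicyGroup("Endpoint Only", frozenset({"Endpoint"})),
    PolicyGroup("Network and Email", frozenset({"Network", "Email", "Endpoint"})),
]
SAMPLE_POLICIES = [
    Policy("Confidential keywords + sender DGM", "Endpoint Only", frozenset({"KEYWORD", "DGM"})),
    Policy("Confidential keywords only", "Endpoint Only", frozenset({"KEYWORD"})),
    Policy("Customer records EDM", "Network and Email", frozenset({"EDM"})),
]
# The fix from the thread: drop Endpoint from the group that carries the EDM policy.
FIXED_GROUPS = [
    SAMPLE_GROUPS[0],
    PolicyGroup("Network and Email", frozenset({"Network", "Email"})),
]

if __name__ == "__main__":
    for group, policy, affected in find_two_tier_leaks(SAMPLE_GROUPS, SAMPLE_POLICIES):
        print(f"policy group {group!r} reaches Endpoint but contains two-tier policy "
              f"{policy!r}; DGM/AD-group policies that will double-fire: {affected}")
    all_matched = {p.name for p in SAMPLE_POLICIES}
    print("before fix:", simulate_incidents(SAMPLE_GROUPS, SAMPLE_POLICIES, all_matched))
    print("after fix: ", simulate_incidents(FIXED_GROUPS, SAMPLE_POLICIES, all_matched))
```

Run it as-is to see the DGM policy counted twice while the EDM group still reaches Endpoint, and once after the group is restricted to Network and Email; to use it on a real environment, replace the constructed inventory with the policy groups, their detection-server assignments and each policy's condition types from your Enforce console.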

Nov 08, 2017 01:02 PM

A case has been sent to SYMC and the Backline support team and it is currently being researched by the Engineering team.

 

Stay Tuned!

Nov 08, 2017 05:37 AM

Seems like some bug in the product.

Nov 07, 2017 06:03 PM

Just as an FYI, this was happening on DLP 14.6MP2 agent and server.
