Duplicate incidents are created when an AD user group, Endpoint keyword/protocol rule, and an IDM/EDM rule exist in a single policy
Last Updated February 10, 2012
In Enforce, incidents appear in pairs, always identical, the order may be different. Each incident highlights the same Matches, has the same Incident Details, Attributes (if Lookup used) and Policy Matches.
This issue was detected on v11.1 in December, 2011, according to Etrack 2636025. A fix will be included in a future version.
The Endpoint Agent performs keyword or protocol monitoring and generates incidents, which are transmitted back to the Endpoint Server. The Agent is unable to process EDM/IDM rules, so it cracks the information for later detection on the Endpoint Server. As a result, the EP server, running the EDM/IDM rule, detects the same violations and creates a second incident for the same violation.
The client needs to review their policies. Best to split up policies with EDM/IDM to not also include Active Directory lookup.
Imported Document ID: TECH221840
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe