"Your emails are about to expire" notifications from DLP. However, there are no e-mails in the DLP portal
Symptoms
  • "Your emails are about to expire" notifications are sent from the Data Loss Prevention blade.
    However, there are no quarantined e-mail messages to review in the DLP portal.
Cause

The issue is caused by an incorrect database query.

When a DLP rule whose action is set to "Ask" or "Prevent" is matched, an incident is created.

Each incident is saved in a local database and includes the following information:

  • Incident ID
  • Sender e-mail address
  • Creation date
  • DLP action

Once a day, a database query searches for incidents that are more than 4 days old. The resulting number of incidents is sent to the "sender e-mail address" in a pre-defined message:

"You have X un-handled incidents awaiting for you in the Data Loss Prevention portal.
Click here in order to view and handle them."

Once the user logs in to the DLP portal, a different database query is made to present the pending incidents.

The DLP portal query filters the incidents on "DLP action" = "Ask"; the daily query applies no such filter.

As a result, the number of pending incidents stated in the expiration notification e-mail is larger than the actual number of pending incidents.
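
The mismatch described above can be reproduced with a small model. This is an added example, not the product's own code: the table name, column names, both queries and the sample rows are constructed assumptions built only from the incident fields listed in this article, and the filtered variant illustrates the reconciliation, not the vendor's fix.

```python
import sqlite3
from datetime import date, timedelta

TODAY = date(2024, 1, 10)  # constructed reference date

def build_db():
    """In-memory incident store with the four fields the article lists (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE incidents "
               "(id INTEGER PRIMARY KEY, sender TEXT, created TEXT, action TEXT)")
    # Constructed rows: (incident id, sender, age in days, DLP action)
    rows = [(1, "alice@example.com", 6, "Prevent"),
            (2, "alice@example.com", 5, "Prevent"),
            (3, "bob@example.com", 7, "Ask"),
            (4, "bob@example.com", 5, "Prevent"),
            (5, "bob@example.com", 6, "Prevent")]
    db.executemany(
        "INSERT INTO incidents VALUES (?, ?, ?, ?)",
        [(i, s, (TODAY - timedelta(days=d)).isoformat(), a) for i, s, d, a in rows])
    return db

def notified_counts(db, filter_action=False):
    """Daily query: incidents over 4 days old, counted per sender.
    filter_action=True adds the same "Ask" filter the portal query uses."""
    cutoff = (TODAY - timedelta(days=4)).isoformat()
    sql = "SELECT sender, COUNT(*) FROM incidents WHERE created < ?"
    if filter_action:
        sql += " AND action = 'Ask'"
    return dict(db.execute(sql + " GROUP BY sender", (cutoff,)).fetchall())

def portal_counts(db):
    """Portal query: only incidents whose action is "Ask" are shown to the sender."""
    sql = "SELECT sender, COUNT(*) FROM incidents WHERE action = 'Ask' GROUP BY sender"
    return dict(db.execute(sql).fetchall())

def mismatches(db):
    """Senders whose notification count differs from what the portal displays."""
    shown = portal_counts(db)
    return {s: (n, shown.get(s, 0))
            for s, n in notified_counts(db).items() if n != shown.get(s, 0)}

if __name__ == "__main__":
    db = build_db()
    for sender, (told, shown) in sorted(mismatches(db).items()):
        print(f"{sender}: notified of {told}, portal shows {shown}")
    print("with action filter:", notified_counts(db, filter_action=True))
```

A sender with only "Prevent" incidents is the case from the Symptoms section: the notification reports a non-zero count while the portal lists nothing to review.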


Solution