000031092 - Question: Can unmapped (also known as orphan) events be converted to mapped events

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000031092
Applies ToRSA Product Set: DLP
RSA Product/Service Type: Endpoint
RSA Version/Condition: 9.6 SP2
Platform: Windows
Platform (Other): null
O/S Version: 2008 Server R2 x64
Product Name: null
Product Description: null
IssueThere are several orphan events as a result of  DLP Data Center  Scan.
These events are also know as un-mapped events.
It is not possible to map, the events and create an incident.  The best option is to delete the orphan events by running a purge from the EM UI.
ResolutionSteps to run purge.
Check with DBA to make sure there is sufficient space for the transaction log
Start with small time window. (example last 5 days)
  1. EM UI ->  Admin -> Support -> Settings -> Purge Incidents and Events
  2. Select Events radio box
  3. Purge Options:  check Unmapped Events
  4. Date range,
  5. Rest of options based on policy, content blade, etc,
  6. Click Start Purge