000011618 - Events and incidents mark as deleted automatically

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000011618
Applies ToEnterprise Manager 8.X
2003 Server SP2
IssueDLP: Events and incidents mark as deleted automatically due to user error

customer found that there are events being marked as deleted in DLP automatically, and as a consequence, the events and incidents associated with them are not visible in EM

When customer first view the incidents, all the details are blank (protocol, email sender, receipent etc).

When customer close the console and try to view the incident the second time, the incident is gone. Then customer also tries to find this event associated with the incident, but the event is also gone

Thus, we look through the DB to study more on this. We look at I_INCIDENT and found this incident and saw that it has being flagged as deleted. We then cross reference this incident with the associate event, and found that in the E_ABSTRACT_EVENT table that the event has also being flagged as deleted

 Furthermore, when customer first view this incident, it also shows the attachment as quarantine.

Cause

This was due to human error.

To clarify this again, if there are 2 users looking at the list of incidents together, and one of them decided to delete a incident, then when the second user tries to view that incident, all the details will goes blank and it will give a warning saying this email has being quarantined

ResolutionAvoid having 2 people viewing / deleting incidents at once
Legacy Article IDa47949

Attachments

    Outcomes