I have set up DLP Endpoint for our network.
The initial requirement was to notify the IT manager about users connecting USB drives to laptops.
I have configured a DLP rule to report an incident and take no action when a user connects a USB drive to a Windows laptop.
Also, I had a test rule which blocked USB access for a test laptop.
Then I created an automatic mail notification to send DLP incidents.
Now these things happened
Can you please shed some light on what to do in this situation?
The first thing to check is whether there are any errors in the agent logs regarding getting events from DLP and/or sending them to ePO. The masvc log will show communication, and the macompatsvc log will show issues with the agent and point product communications. Both are in c:\programdata\mcafee\agent\logs.
You would then possibly need to check with the DLP team for anything else.
So if I understand correctly, the issue is related to the scenario below:
"Configured monitoring policy to report USB plug and no incidents were updated in the incident manager. I know devices were connected because I have automatic responses configured from ENS Exploit Prevention to report USB plugs."
If a device rule has a reaction (Monitor), it will still create events/incidents. On a single machine, please create a new rule in a ruleset and a new policy. Now check if the Monitor Only rule is triggering. If needed, you can remove the DLP client and re-deploy it before assigning the new DLP policy.