Did you happen to get any solution from support? even i also see similar problem where some incidents comes with no destination URL info even when loaded in standard mode.

i am having ePO 5.9.1 and DLP 11.4 extension

Hi @sati ,

Thank you for writing in here.

Do you see the DLP Endpoint Chrome Extension loaded on the Chrome Standard mode for the machine from where the Incident with no url was generated?

Thank you.

@jsubbura  hanks for responding.  Yes, the extension is loaded. In fact there are multiple incidents triggered on this machine around same time frame. most of them have URL information available except for 2-3 incidents.

HI @sati ,

Thank you for the update.

Could you help with a full page screenshot of these 2-3 Incidents with no URL information?

Thank you.

@jsubbura  Sure.. please find the attachments

Hi @sati ,

Thank you for the update, however we could see that DLP says that Chrome Incognito window is open when the file was actually uploaded on the Chrome Standard mode.

If by any chance chrome Incognito window is open when the Incident is generated DLP is unable to get the URL information.

Or when the user clicks on windows -> search with chrome and then open the New-Incognito window directly instead of chrome standard mode and then uploads the file, then chrome will not load any third party extensions in chrome and then you see the below additional info in the incident generated.

Thank you.

Hi @jsubbura  Thanks for the explanation. However couple of questions

1) how do you say incognito was enabled by looking at the screenshot of DLP incident. Is it because of the warning you see saying incognito is enabled. If yes, then it is not the case. we do see that warning for any DLP web post incident regardless if incognito mode is open or not

2)  I understand DLP extensions can not be loaded in to incognito. as per your statement if by any chance incognito window is opened when incident gets triggered DLP can not fetch URL info. so are you saying even if the incident gets triggered in standard mode DLP can not capture URL info if incognito window is open. My assumption was in standard mode as the extensions are loaded DLP shoud capture URL info. regardless if incognito window is open or not

Hi @sati ,

Thank you for the info.

As per my screenshot in my post earlier, I have triggered that Incident by having only Incognito window opened in chrome. 

So this matches with you screenshot below which was shared earlier,

So when only Incognito window is opened directly from the windows Start menu and a data loss is attempted, DLP would trigger an Incident for the same, however the additional information section will have the above message in the screenshot above.

When you have opened Incognito window and Standard mode together and uploading files to Standard mode, the URL information captured in the additional information section, will not be reliable, however a URL information will be captured.

To avoid non-reliable URL information, as per the KB91503, we suggest to disable chrome Incognito as per the steps provided in this article, so that we do always get the correct URL information.

May be if there is a difference in the above statements which does not match your case, you can try to test with DLP 11.4 or DLP 11.5 once, or you can always open up a support case with us so that we can assist you in troubleshooting over the remote session.

Thank you.

Yes, DLP 11.5 RTW is the fix for our environment.