Hello, I need to figure out why this is happening and whether or not I can work around it.
Running ePO 22.214.171.1248 update 3 and various DLP 11.4/11.5.
It appears that when a user is surfing the web with the DLP agent installed, the web traffic (sometimes) impersonates that user, so that the firewall log itself is correlated to the ePO service account instead of the user's own domain account.
I am seeing this for external web browsing, internal LDAP, Kerberos, DNS, and all sorts of traffic.
Yes it is, and I can see it would be related to the local resource needed to connect to the share (Kerberos, DNS), but I'm not sure why it would be associated with external 443 traffic.