I have an issue with NDLP monitor. We see both incoming as well as outgoing emails in the NDLP manager, as the same captures the traffic at the exit or perimeter of the network. It is creating a lot of unwanted incidents, as we want to monitor only the outgoing emails. How can we create a rule in NDLP to avoid such duplication or incidents?
Create the capture filter to exclude the incoming emails.
Moreover, the incoming emails will be stored only to the rfs unless there is a policy created to generate an incident. You can manage the rfs wiping policy as time or space based by going to the system tab in your manager.