Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1704
Views
5
Helpful
4
Replies

Changes to DLP alerts settings not staying

Go to solution
DavidBarnes29511
Level 1
Level 1

‎06-23-2021 08:51 AM

I wanted to turn off getting notifications about quarantined emails sent to my email address as we have a shared email we use. I went to the DLP policy settings and removed the email address, but I am still getting the emails. Any ideas? We don’t use outgoing content filters for quarantine, we use them to block random stuff rather than PII, etc. We use DLP policies for PII. 
The only place I could find the email addresses was under Mail Policies>DLP Policy customizations>Standard DLP message action. I am certain there is another place, but I cannot find it. I have looked for 2 hours. I even downloaded the config file for the ESA and did a search and my email address is not there. When I removed my email, I submit/commit and when I go back in there, it is gone. But when someone sends  a test email, I still get the notification. We also have an SMA, but policy quarantines are not managed by it, just message tracking. That is another issue, but is it possible the setting is also on the SMA and that is why it is still sending?

Cisco C170, OS 11.03-251

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
DavidBarnes29511
Level 1
Level 1
In response to DavidBarnes29511

‎06-24-2021 07:04 AM

So the weirdness continues. Today another user went to the same place I went to yesterday, Standard DLP message action, and the email address I removed yesterday was back. He removed it and now it is working. I have no idea...

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Mathew Huynh
Cisco Employee
Cisco Employee

‎06-23-2021 06:06 PM

Hey David,

 

Can you share with me an output of this alert so i can narrow down the scope?

 

Thanks,

Mathew

0 Helpful

Go to solution
DavidBarnes29511
Level 1
Level 1
In response to Mathew Huynh

‎06-24-2021 05:11 AM

Basically we have enabled the DLP rules for various things like SSN, PII, etc so that if a user sends an email with that type of info, the email is quarantined and the ESA sends an email to us so we know to go review the thing. I need to know everywhere that email addresses are located so I can remove one. I removed it from the DLP message action, but I still get the notification that an email was quarantined. I cannot share the actual notification email.

0 Helpful

Go to solution
DavidBarnes29511
Level 1
Level 1
In response to DavidBarnes29511

‎06-24-2021 07:04 AM

So the weirdness continues. Today another user went to the same place I went to yesterday, Standard DLP message action, and the email address I removed yesterday was back. He removed it and now it is working. I have no idea...

0 Helpful

Go to solution
Mathew Huynh
Cisco Employee
Cisco Employee

‎06-24-2021 04:27 PM

Hey David,

 

If it was clustered i could only imagine it could have been different levels of override at cluster level might have been done, or the sync between machines.

 

Glad to hear it's sorted though.

Cheers,

Mathew

0 Helpful
Customers Also Viewed These Support Documents