Atlanta Security User Group

  • 1.  DLP / Incident reporting

    Posted Oct 10, 2011 10:02 AM

    We are experiencing issues with incidents failing to report up to the console, and are receiving some grief from our Compliance department as a result. What could be causing incidents to not report to the console, i.e. we see incidents reporting in the 'System/Overview' panel showing in the "Incidents/Today" column, yet when running a report no incidents for "today" show in the reports?



  • 2.  RE: DLP / Incident reporting

    Posted Oct 10, 2011 10:16 AM

    I can think of two reasons: 1.) the incidents for some reason are not being written to the database and are queuing on detection/enforce servers. 2.) the user who is creating the reports doesn't have the correct access level to see the incidents - (Incident Access tab on the UserManagement->Role configuration).



  • 3.  RE: DLP / Incident reporting

    Posted Oct 10, 2011 10:22 AM

    Based on what you're describing, it sounds like either a simple reporting or role-authorization problem.  For instance, check the following: you might "auto-encrypt" emails when finding sensitive data by stamping the subject line with a secure keyword via a response rule, and also set the status of that incident to closed automatically.  But when you open a report in DLP, the default status for the report filter is always "New", so you're filtering out these closed incidents. It's pretty common...I've been working with DLP for years now, and still get caught on that one occasionally.

    Or, your Compliance group users are in a Role that doesn't have access to "Closed" incidents, so they can't see them. 

    Easiest thing to verify the incidents are in there is to log in with the Administrator user...it has access to everything, then you should be able to deduce the issue from there.

    ~Keith