A DLP SMTP Prevent policy captures "X" violations, creates an email header, and forwards the message to the mail gateway. Once there, the mail gateway policy looks for header "X" and, if found, quarantines the message. All this works and has been in place for a few days. Also, all rights are correct to view all incidents.
The issue is that we are seeing a few emails in the mail gateway but not in DLP.
The random missing incidents that are in the mail gateway server show that the headers have been created, so it does show that DLP found it and tagged it. But that email isn't shown in DLP.
The incidents are not being deleted or moved.
I restarted all the Enforce services --> didn't work.
Looked in the SmtpPrevent_operational.log and found the email, and it showed "disposition=MODIFY", so I know Prevent did its part.
Also, the DLP system isn't showing any errors/alerts and the DB is fine.
FYI, this is random and has happened about a handful of times.
Anyone have any ideas where to look because the GRC department won't let this go as a random issue?