Data Loss Prevention

  • 1.  [FlexResponse] Incident ContentItem is Null

    Posted Jul 25, 2017 11:49 AM

    Hello,

     

    I am developing a plug-in that will obtain a list of recipients from an email incident. I understand that the way to do it is through the Incident's .getContentItem() method, but it always returns null. The Incident object's other methods work fine.

    I am calling it using the following line: 

    ContentItem content = incident.getContentItem(); //content is always null

     

    Note that before the plug-in executes, the message "Incident data discarded based on response rule" always appears first in the Enforce console (there is no such rule in the applicable policy). I saw Symantec's article stating that the message was cosmetic. Emails associated with incidents are fully accessible in the Enforce console.

     

    Are there any known issues or gotchas with FlexResponse ContentItem? 

    Much appreciated!



  • 2.  RE: [FlexResponse] Incident ContentItem is Null

    Trusted Advisor
    Posted Jul 26, 2017 08:45 PM

    I think you have it wrong... missing words.

     

    ContentItem contentItem = incident.getContentItem();

     

    Mark as solved if possible

    Ronak



  • 3.  RE: [FlexResponse] Incident ContentItem is Null

    Posted Jul 28, 2017 02:35 PM

    Thank you for the reply.

     

    However, changing the variable name did not change anything; I looked at how this method was called in the Developer Guide as well as a similar method in the Quarantine example plugin.

     

    Perhaps there is a setting in the Enforce console that is affecting the availability of incident content?



  • 4.  RE: [FlexResponse] Incident ContentItem is Null

    Posted Aug 03, 2017 07:01 PM

    The 14.6 Developers Guide hints that getContentItem only works on files:

    ContentItem item = incident.getContentItem();
    if (! (item instanceof FileServerItem))
    {
        throw new UnsupportedIncidentTypeException
            ("This plugin only supports incidents on files.");
    }

    What is the "instanceof" type for your email incident?



  • 5.  RE: [FlexResponse] Incident ContentItem is Null

    Posted Aug 08, 2017 08:46 AM

    Hello bcason,

     

    Thank you for your reply. A few paragraphs above that example code snippet is the following:

    "Each incident has a ContentItem associated with it that
    describes the item. For example, the ContentItem can be a file, an SQL database
    row, or an email message that caused the incident. Verify that the item is of the
    right type for your plug-in action."

     

    According to the Javadoc, the ExchangeItem sub-interface is the most appropriate output if the incident was generated by an email; the output of getContentItem can be one of many sub-interfaces, not just FileServerItem. The ExchangeItem sub-interface is what I would expect to receive for an email incident, as it contains a method to extract the recipients, which is the end objective.

    In my testing, the output of getContentItem was always null, so the instanceof test is false and throws the exception.

     

    If there is a different way to programmatically get the list of recipients of emails that generated incidents, I am open to all suggestions.