On the polcy, we habe 3 autoreponse rules.
1) Notify:
You are attempting to move, copy, save, or transfer potentially sensitive information containing $POLICIES$. The Risk Management department received an alert about this activity and may follow up with you.
2) Notify: Endpoint Prevent: User Cancel . This allows user to enter an explination and then it allows the email through.
3) Send an email to DLP administrator.
-----
I just tried a test keyword block and the incident was detected at the Incident > Network report tab. It was not detected or reported at the Incident > Endpoint .