What is a one sentence summary of your feature request?
Implement policy deduplication logic to prevent redundant event recording when multiple policies monitor the same activity, reducing database bloat and protecting system performance.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
When multiple Threat Prevention policies are configured to monitor identical or overlapping event activity, the system records an individual database entry for each policy that matches the event criteria. This creates redundant records in NVMonitorData.
Example: If Policy A monitors “User added to Sensitive Group X” and Policy B monitors “User added to ANY group,” a single user-group-addition event will generate two separate records in the database.
Over time, especially in large enterprises with dozens of policies, this redundancy causes:
• Excessive disk usage in the NVMonitorData database, leading to storage cost inflation
• Degraded query performance on compliance reports and security investigations
• Reduced system responsiveness during high event activity periods
• Administrative burden of managing oversized databases and performance tuning
The issue compounds in environments with 50+ policies where monitoring scope overlaps naturally (e.g., broad policies + specific policies monitoring the same event types on the same resources).
How do you currently solve the challenges you have by not having this feature?
Currently, administrators must manually review and consolidate overlapping policies into fewer, more comprehensive policies. This approach:
• Requires regular manual audit of policy configurations
• Is error-prone and time-consuming in environments with many policies
• Does not prevent new overlaps from being introduced
• Provides no automation or governance mechanism
As an alternative, organizations resort to aggressive database archival and cleanup schedules, which reduces historical data retention and adds operational overhead without addressing the root cause.
Suggested Solutions
OPTION 1 — Policy Conflict Detection (Recommended):
Implement a discovery/analysis tool that scans all active policies and flags those monitoring identical or substantially overlapping activity. Provide administrators with a report showing which policies are redundant and suggest consolidation opportunities. This can be run on-demand or scheduled, helping teams identify and fix overlaps proactively.
OPTION 2 — Configuration Prevention:
Validate new or modified policies at save time to prevent creation of policies that would monitor already-monitored activity. When administrators configure a policy that matches existing policy criteria, warn them of the redundancy and either suggest consolidation options or block creation (with an override).
OPTION 3 — Database-Level Deduplication:
Modify event-processing logic to deduplicate records at write time. Instead of creating separate rows for each matching policy, create a single event record with a “matched_policies” array or a relationship table indicating which policies triggered it. Maintain a full audit trail while eliminating row multiplication.
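As an added illustration of Option 1 (overlap detection) and Option 3 (write-time deduplication), the following Python sketch is not part of this request and is not Netwrix code. It reduces a policy to conjunctive equality criteria with a wildcard, classifies each pair of policies as identical, subsumed, partially overlapping or disjoint, and stores every event once in an in-memory SQLite database with an event_policy link table instead of one full row per matching policy. The policy names, attribute names (event_type, subject, target) and sample events are all constructed for the example; the real product's rule language is richer than this model.

```python
import sqlite3

ANY = "*"  # wildcard: the policy accepts any value for that attribute


class Policy:
    """A policy reduced to conjunctive equality criteria (constructed model).

    criteria maps an event attribute to a required value, or ANY.
    """

    def __init__(self, name, criteria):
        self.name = name
        # Wildcard entries constrain nothing, so drop them up front.
        self.criteria = {k: v for k, v in criteria.items() if v != ANY}

    def matches(self, event):
        return all(event.get(k) == v for k, v in self.criteria.items())


def relation(a, b):
    """Option 1: classify how policy a's scope relates to policy b's scope."""
    a_in_b = all(a.criteria.get(k) == v for k, v in b.criteria.items())
    b_in_a = all(b.criteria.get(k) == v for k, v in a.criteria.items())
    if a_in_b and b_in_a:
        return "identical"
    if a_in_b:
        return "subsumed by"      # every event a matches, b matches too
    if b_in_a:
        return "subsumes"
    shared = set(a.criteria) & set(b.criteria)
    if all(a.criteria[k] == b.criteria[k] for k in shared):
        return "partial overlap"  # some event can satisfy both
    return "disjoint"


def overlap_report(policies):
    """Option 1: every policy pair whose scopes are not disjoint."""
    report = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            rel = relation(a, b)
            if rel != "disjoint":
                report.append((a.name, rel, b.name))
    return report


# Option 3: one event row, plus one small link row per matching policy.
SCHEMA = """
CREATE TABLE event (
    id          INTEGER PRIMARY KEY,
    event_type  TEXT NOT NULL,
    subject     TEXT NOT NULL,
    target      TEXT NOT NULL
);
CREATE TABLE event_policy (
    event_id    INTEGER NOT NULL REFERENCES event(id),
    policy_name TEXT NOT NULL,
    PRIMARY KEY (event_id, policy_name)
);
"""


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_event(conn, policies, event):
    """Persist the event once and link all matching policies.

    Returns the names of the policies that matched (empty: nothing stored).
    """
    matched = [p.name for p in policies if p.matches(event)]
    if not matched:
        return matched
    cur = conn.execute(
        "INSERT INTO event (event_type, subject, target) VALUES (?, ?, ?)",
        (event["event_type"], event["subject"], event["target"]),
    )
    conn.executemany(
        "INSERT INTO event_policy (event_id, policy_name) VALUES (?, ?)",
        [(cur.lastrowid, name) for name in matched],
    )
    conn.commit()
    return matched


def row_counts(conn):
    """(event rows, link rows); per-policy storage would need `link rows` event rows."""
    events = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    links = conn.execute("SELECT COUNT(*) FROM event_policy").fetchone()[0]
    return events, links


# Constructed policies mirroring the request's example: A specific, B broad.
POLICIES = [
    Policy("Policy A", {"event_type": "group_member_added", "target": "Sensitive Group X"}),
    Policy("Policy B", {"event_type": "group_member_added", "target": ANY}),
    Policy("Policy C", {"event_type": "user_created"}),
]

# Constructed sample events; the last one matches no policy.
EVENTS = [
    {"event_type": "group_member_added", "subject": "jdoe", "target": "Sensitive Group X"},
    {"event_type": "group_member_added", "subject": "asmith", "target": "Marketing"},
    {"event_type": "user_created", "subject": "svc-backup", "target": "OU=Service Accounts"},
    {"event_type": "logon", "subject": "jdoe", "target": "WS01"},
]


def demo():
    conn = open_store()
    for ev in EVENTS:
        record_event(conn, POLICIES, ev)
    return overlap_report(POLICIES), row_counts(conn)


if __name__ == "__main__":
    report, (events, links) = demo()
    for a, rel, b in report:
        print(f"{a} {rel} {b}")
    print(f"stored {events} event rows + {links} link rows "
          f"(per-policy storage would have written {links} event rows)")
```

With these inputs the report flags only "Policy A subsumed by Policy B", and the four sample events produce three event rows and four link rows where per-policy recording would have written four full event rows; the gap widens with every additional broad policy that overlaps a specific one.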