Can a value be listed multiple times in an EDM and still be detected?

Article ID: 159488

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Network Monitor, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Enforce, Data Loss Prevention Network Protect, Data Loss Prevention Endpoint Discover

Issue/Introduction

Consider the following scenario:

An EDM (Exact Data Matching) profile contains the email addresses of team managers and their direct reports. In testing, one manager has more than 10 direct reports, and that manager's email address does not produce a match, even though the direct reports' email addresses do.

Cause

The EDM indexer tries not to index common terms. By default, a common term is any value listed more than 10 times. In this case, the manager's email address appears in the EDM more than 10 times, so Symantec DLP does not match on it.
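
To see which values in a data source would cross the threshold before indexing, a short script can count occurrences. The following is a minimal sketch, not Symantec's implementation: it assumes a pipe-delimited source file, counts each value across all columns, and compares exact strings after trimming whitespace. The function name find_common_terms and the sample addresses are hypothetical.

```python
import csv
import io
from collections import Counter


def find_common_terms(rows, threshold=10):
    """Return {value: count} for values that appear more than `threshold` times.

    Assumption: counting is done across all columns on exact, trimmed strings.
    The real indexer may normalize or count differently.
    """
    counts = Counter(
        cell.strip()
        for row in rows
        for cell in row
        if cell.strip()
    )
    return {term: n for term, n in counts.items() if n > threshold}


# Hypothetical data: one manager listed next to 11 direct reports.
sample = "\n".join(
    f"report{i}@example.com|manager@example.com" for i in range(11)
)
rows = csv.reader(io.StringIO(sample), delimiter="|")
print(find_common_terms(rows))  # {'manager@example.com': 11}
```

Any value the script reports is a candidate for being treated as a common term at the default threshold of 10.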

Resolution

The common-term threshold can be raised above its default of 10 in the Indexer.properties file. If the change causes issues, revert it to 10.

To configure, modify the following:

Indexer.properties

# If a term appears in SDP more than this number of times,

# it is considered a common term with appropriate ramifications

# during SDP indexing and detection.

sdp_term_commonality_threshold=10
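
If the change is scripted rather than made by hand, keeping a backup makes it easy to revert to 10. The following is a minimal sketch under stated assumptions: the helper set_threshold is hypothetical, the location of Indexer.properties is not given in this article and must be supplied by the administrator, and the value 25 is only an illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

KEY = "sdp_term_commonality_threshold"


def set_threshold(path, value, key=KEY):
    """Set `key` in a properties file, saving a .bak copy first.

    Returns True if an existing line was updated, False if the key
    was appended. Comment lines are left unchanged.
    """
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))  # backup for reverting
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*=")
    lines = path.read_text().splitlines()
    found = False
    for i, line in enumerate(lines):
        if pattern.match(line):
            lines[i] = f"{key}={value}"
            found = True
    if not found:
        lines.append(f"{key}={value}")
    path.write_text("\n".join(lines) + "\n")
    return found


if __name__ == "__main__":
    # Demonstration on a throwaway copy, not on a real DLP installation.
    demo = Path(tempfile.mkdtemp()) / "Indexer.properties"
    demo.write_text(f"# demo file\n{KEY}=10\n")
    set_threshold(demo, 25)  # 25 is an illustrative value, not a recommendation
    print(demo.read_text())
```

To revert, restore the .bak copy or call the helper again with a value of 10.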