Adjust the "maximum matches count" in a DLP policy incident

Article ID: 159776

Products

Data Loss Prevention Enforce
Data Loss Prevention

Issue/Introduction

A policy only returns 100 matches even if the file has over 100 strings that should match the policy.

Example:
There are 2 Excel docs, each with over 1600 "capturable strings", yet the policy incident only shows "100 matches".
How can the number of matches be increased?

Cause

Default settings are in place to prevent performance impacts due to high incident match counts.

Resolution

Relevant versions:  All supported releases

The following values can be configured from the Server Detail -> Advanced Settings page for your particular detection server. Restart the File Reader or recycle the detection server from the Server Detail page for the changes to take effect.

NOTE: Increasing these numbers increases the size of incidents and potentially slows down the incident snapshot report; it can also negatively affect detection performance.


DI.MaxViolations

Specifies the maximum number of violations allowed with data identifiers.

EDM.MaximumNumberOfMatchesToReturn

The intermediary limit on the number of EDM matches. This limit is applied before all the search results are combined and duplicates eliminated.

IncidentDetection.patternConditionMaxViolations

The maximum number of pattern (regular expression) violations highlighted by detection. The exact number of matches may still be 'correct' but only the first 'patternConditionMaxViolations' are marked up in reporting. Increasing this number increases the size of incidents and potentially slows down the incident snapshot report.

For Endpoint

In the agent configuration Advanced Settings, you can modify:

Detection.MAX_NUM_MATCHES.int (default: 300)


Additional Information

If you want to modify the detection match count settings for your DLP Cloud Detector and want to know the impact, note the following.

Definition of the function, per engineering:

Defines a top limit on the number of matches returned from each RAM index search. For multi-file indices this limit is applied to each sub-index search independently before the search results are combined. As a result the number of actual matches can exceed this limit for multifile indices.

In other words, the limit is applied per file and/or per sub-file (sub-index), not to the combined result.
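The following Python simulation is an added illustration of the per-sub-index behaviour described above; it is not Symantec DLP product code. It assumes a simplified model in which each sub-index search returns the document tokens it contains, the cap (modelled on the description of the intermediary match limit) is applied to each sub-index result on its own, and only then are the results combined and de-duplicated. The index contents and document are constructed sample data sized to mirror the two-document example in the Issue section.

```python
"""Simulation of a per-sub-index match cap (constructed example, not DLP code).

Shows why the number of matches reported for a multi-file index can exceed
the configured limit: the limit is applied to each sub-index search before
the results are merged and duplicates are removed.
"""


def search_sub_index(sub_index, document_tokens):
    # Constructed stand-in for an index lookup: return the document's tokens
    # that are present in this sub-index, in document order.
    return [tok for tok in document_tokens if tok in sub_index]


def apply_cap(matches, max_to_return):
    # The intermediary limit, applied to one sub-index's result only.
    return matches[:max_to_return]


def detect(sub_indices, document_tokens, max_to_return):
    """Run every sub-index search, cap each independently, then combine.

    Returns a summary so the effect of the cap at each stage is visible.
    """
    per_sub_index = []
    combined = []
    for sub_index in sub_indices:
        capped = apply_cap(search_sub_index(sub_index, document_tokens), max_to_return)
        per_sub_index.append(len(capped))
        combined.extend(capped)
    # Combine and eliminate duplicates, keeping first-seen order.
    unique = list(dict.fromkeys(combined))
    return {
        "capped_per_sub_index": per_sub_index,
        "combined_before_dedup": len(combined),
        "unique_matches": len(unique),
    }


# Constructed data: two sub-indices of 1600 entries each, plus five entries
# that were indexed into both (these are the duplicates removed at the end).
SHARED_TOKENS = [f"S-{i:04d}" for i in range(5)]
SUB_INDEX_A = set(SHARED_TOKENS) | {f"A-{i:04d}" for i in range(1600)}
SUB_INDEX_B = set(SHARED_TOKENS) | {f"B-{i:04d}" for i in range(1600)}

# Constructed document containing every indexed value exactly once.
DOCUMENT = (
    SHARED_TOKENS
    + [f"A-{i:04d}" for i in range(1600)]
    + [f"B-{i:04d}" for i in range(1600)]
)


if __name__ == "__main__":
    cap = 100
    print("single index:", detect([SUB_INDEX_A], DOCUMENT, cap))
    print("multi-file index:", detect([SUB_INDEX_A, SUB_INDEX_B], DOCUMENT, cap))
    print("effectively uncapped:", detect([SUB_INDEX_A, SUB_INDEX_B], DOCUMENT, 10_000))
```

With a cap of 100, the single-index run reports exactly 100 matches, while the two-sub-index run reports 195: each sub-index contributes 100 (five of them the shared values), 200 are combined, and de-duplication removes the five repeats. Raising the cap well above the document's content makes all 3205 distinct values visible, which is the trade-off against incident size and detection performance that the NOTE above warns about.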