Adjust the "maximum matches count" in a DLP policy incident

Article ID: 159776

Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

A policy only returns 100 matches even if the file has over 100 strings that should match the policy.

Example:
There are 2 Excel docs, each with over 1600 "capturable strings".  Yet the policy incident only shows "100 matches".
How can the number of matches be increased?

Resolution

Relevant versions:  7.0 and up

The following values can be configured from the Server Detail -> Advanced Settings page for your particular detection server. Restart the File Reader or recycle the detection server from the Server Detail page for the changes to take effect.

NOTE: Increasing these numbers negatively affects detection performance, increases the size of incidents, and potentially slows down the incident snapshot report.

DI.MaxViolations

Specifies the maximum number of violations allowed with data identifiers.

EDM.MaximumNumberOfMatchesToReturn

The intermediary limit on the number of EDM matches. This limit is applied before all the search results are combined and duplicates eliminated.

IncidentDetection.databaseInfoConditionMaxViolations

The absolute limit on the number of EDM matches. This limit is applied after all the search results are combined and duplicates eliminated. NOTE: This option is no longer available in any supported version of DLP (3 August 2022).

IncidentDetection.patternConditionMaxViolations

The maximum number of pattern (regular expression) violations highlighted by detection. The exact number of matches may still be correct, but only the first patternConditionMaxViolations matches are marked up in reporting. Increasing this number increases the size of incidents and potentially slows down the incident snapshot report.