A policy only returns 100 matches even if the file has over 100 strings that should match the policy.
Example:
There are 2 Excel docs, each with over 1600 "capturable strings". Yet the policy incident only shows "100 matches".
How can the number of matches be increased?
Relevant versions: 15.7 and up
The following values can be configured from the Server Detail -> Advanced Settings page for your particular detection server. Restart the File Reader or recycle the detection server from the Server Detail page for the changes to take effect.
NOTE: Increasing these numbers negatively affects the detection performance, increases the size of incidents and potentially slows down the incident snapshot report.
DI.MaxViolations
Specifies the maximum number of violations allowed with data identifiers.
EDM.MaximumNumberOfMatchesToReturn
The intermediary limit on the number of EDM matches. This limit is applied before all the search results are combined and duplicates eliminated.
IncidentDetection.databaseInfoConditionMaxViolations - This option is no longer available in any supported version of DLP (3 August 2022).
The absolute limit on the number of EDM matches. This limit is applied after all the search results are combined and duplicates eliminated.
IncidentDetection.patternConditionMaxViolations
The maximum number of pattern (regular expression) violations highlighted by detection. The exact number of matches may still be 'correct' but only the first 'patternConditionMaxViolations' are marked up in reporting. Increasing this number increases the size of incidents and potentially slows down the incident snapshot report.
For Endpoint
And agent configuration Advanced settings you can modify
Detection.MAX_NUM_MATCHES.int Default is 300