The following are observed in the DLP environment:
Detection server log entries:
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.1.00000\logs\debug\detection_operational_X.log
19/Nov/25:14:59:21:998-0700 [INFO] (DETECTION.400) The Policy [721:Max_Incidents_Per_Day_Test] has generated the maximum number of incidents (10) and has been disabled
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.1.00000\logs\debug\SymantecDLPDetectorX.log
Nov 19, 2025 2:59:21 PM com.vontu.detection.PolicyIncidentLimiterImpl isPolicyLimited
INFO: (DETECTION.400) The Policy [721:Max_Incidents_Per_Day_Test] has generated the maximum number of incidents (10) and has been disabled
Nov 19, 2025 2:59:21 PM com.vontu.logging.LocalLogWriter write
WARNING: Incident limit reached for Policy "Max_Incidents_Per_Day_Test". The policy "Max_Incidents_Per_Day_Test" has found incidents in more than 10 messages within the last 24 hours.
The policy will not be enforced until the policy is changed, or the reset period of 24 hours is reached.
Or the following event in the Enforce console:
Event Code 1205 - Incident limit reached for Policy "policy_name"
The policy "policy_name" has found incidents in more than "x" messages within the last "y" hours. The policy will not be enforced until the policy is changed, or the reset period of "y" hours is reached.
This error/event indicates that a particular policy has generated 10,000 incidents in a single day. Once the limit is reached, no more incidents will be generated for that specific policy on that detection server until the next day. This also means that no response rules will be executed for the policy that has reached the limit, because no incidents are being generated.
It is intended to alert you that incident volume is very high and may affect the performance of your Broadcom DLP software. This usually indicates that the policy may need refinement, either by making it more restrictive or by breaking it into a few smaller policies.
This limit will be reset any time you save the policy again, whether you make changes to it or not. Symantec recommends considering changes to this policy (adding exceptions for internal domain names, adding more keywords to the filter, etc.) to reduce the number of incidents before running the policy again.
If there is a true need to leave the policy as is, this behavior can be controlled with the following advanced server settings, found in the Enforce UI under System > Servers and Detectors > select your Detection server > Server Settings page:
IncidentDetection.IncidentLimitResetTime:
Specifies the time frame used by the IncidentDetection.MaxIncidentsPerPolicy setting. The default is 1 day, specified in milliseconds (86400000).
IncidentDetection.MaxIncidentsPerPolicy:
Defines the maximum number of incidents that a specific policy can detect on a particular server within the time frame specified by the IncidentDetection.IncidentLimitResetTime setting. The default is 10,000 incidents per policy per time limit for all detection servers except Network Discover Cluster. For Network Discover Cluster the default is 2147483647 incidents per time limit.
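Because a policy that reaches the limit stops generating incidents and stops running response rules, it is worth watching the detection server logs for the DETECTION.400 entries quoted at the top of this article. The following Python is an added example, not Broadcom code: the function name find_limited_policies is hypothetical, and it assumes both log files use the line layouts shown in the samples above.

```python
import re
from datetime import datetime

# Message text as it appears in the DETECTION.400 entries quoted in this article.
# Assumption: larger limits may be logged with or without thousands separators.
LIMIT_RE = re.compile(
    r"\(DETECTION\.400\) The Policy \[(?P<id>\d+):(?P<name>[^\]]+)\] has generated "
    r"the maximum number of incidents \((?P<limit>[\d,]+)\) and has been disabled")
# detection_operational_X.log prefix, e.g. 19/Nov/25:14:59:21:998-0700
OPER_TS = re.compile(r"^(\d{2}/\w{3}/\d{2}:\d{2}:\d{2}:\d{2}:\d{3}[+-]\d{4}) ")
# SymantecDLPDetectorX.log header line, e.g. Nov 19, 2025 2:59:21 PM <class> <method>
HEADER_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) ")

def find_limited_policies(lines):
    """Map policy id -> details for each policy disabled by the incident limit."""
    hits, header_ts = {}, None
    for line in lines:
        header = HEADER_TS.match(line)
        if header:  # in this log the message follows on the next line
            header_ts = datetime.strptime(header.group(1), "%b %d, %Y %I:%M:%S %p")
            continue
        m = LIMIT_RE.search(line)
        if not m:
            continue
        oper = OPER_TS.match(line)
        if oper:  # drop the UTC offset so both logs compare as server-local time
            ts = datetime.strptime(oper.group(1), "%d/%b/%y:%H:%M:%S:%f%z").replace(tzinfo=None)
        else:
            ts = header_ts
        rec = hits.setdefault(int(m["id"]), {
            "name": m["name"], "limit": int(m["limit"].replace(",", "")),
            "first_seen": ts, "entries": 0})
        rec["entries"] += 1
        if ts and (rec["first_seen"] is None or ts < rec["first_seen"]):
            rec["first_seen"] = ts
    return hits

# Sample input: the three log lines quoted in this article, one per list element.
SAMPLE = [
    "19/Nov/25:14:59:21:998-0700 [INFO] (DETECTION.400) The Policy [721:Max_Incidents_Per_Day_Test] has generated the maximum number of incidents (10) and has been disabled",
    "Nov 19, 2025 2:59:21 PM com.vontu.detection.PolicyIncidentLimiterImpl isPolicyLimited",
    "INFO: (DETECTION.400) The Policy [721:Max_Incidents_Per_Day_Test] has generated the maximum number of incidents (10) and has been disabled",
]

if __name__ == "__main__":
    for pid, rec in find_limited_policies(SAMPLE).items():
        print(f"policy {pid} ({rec['name']}) hit limit {rec['limit']}; "
              f"first logged {rec['first_seen']}; response rules are not running")
```
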