Is the Match Count Per Message, or per Component?

book

Article ID: 160530

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

I have a message where the match count is not what I expect. Some of the matches are in the message body, and some are in an attachment. Why are these not being combined?

Resolution

The match count in a policy is per component, not per message. So, it is possible to have the right number of violations, but not create an incident. This would occur, for example, if some of the violations were in the body and some were in an attachment.

For example, there is a policy with a match count set to five. There are three violations in the body and three in the attachment. An incident will not be created, even though there are six violations. In order to create an incident, all five would need to be in the body or the attachment. If three were in one attachment and three were in another, this also would not create an incident. All matches would need to be in the same attachment.