The severity of an incident is being set based on the total number of matches for a policy, instead of the total number of matches for a rule.
The root cause appears to be part of the design of applying severities: Symantec DLP only creates and operates a single incident per policy. Enhancement PM-760 has been filed for the observed behavior.
For reference, see the DLP Administration Guide:
The system supports fine-grained policy development. Each detection rule within
a policy is assigned a severity level. The detection engine determines the overall
severity of an incident by the highest severity rule triggered. You can apply a
detection rule to a specific message component, such as the header, body, or
At this point, the only real workaround we could propose would be to create separate policies for the various severities. In that way, their process could be to track all incidents but only react to high-severity ones.
If you want to set the severity level of an incident based on the overall match count, you can try the workaround below.
Afterwards, set appropriate Response Rules based on severities: