After upgrading to DLP 14.5, Keyword Proximity matching policies generate false positives when separate policies contain the same keywords and use the same proximity match.
For example:
Policy 1:
Legal
Sensitive
Document
Within 1 word
Policy 2:
Legal
Sensitive
Form
Within 1 word
Policy 3:
Legal
Frisbee
Tournament
When content with "Legal Sensitive" is seen, all three Policies will create an incident. The expected behavior would be for only Policies 1 and 2 to produce an incident.
This issue was identified specifically in DLP 14.5.
A defect has been filed for this issue; please see the reference section for more details.
The defect is triggered by having 2 or more Keyword Proximity Matching policies with the same words in them, using the same proximity match. Referencing the example above, the trigger here is that Policies 1 and 2 have the words "Legal" and "Sensitive" and use the same Proximity Match, within 1 word. This condition will cause all Keyword Proximity Match policies with "Legal" or "Sensitive" to trigger, even if the other required word is not there.
A temporary workaround is to change the Proximity Match. Using the above example:
Policy 1:
Legal
Sensitive
Document
Within 1 word
Policy 2:
Legal
Sensitive
Form
Within 1 word
Policy 3:
Legal
Frisbee
Tournament
If the proximity is changed so that the policies with the same keywords have unique proximity matches (change Policy 2 to "within 0 words", for example), the false positives will no longer be triggered.
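
To find which policies in a larger policy set meet the trigger condition described above, and which other policies would then raise false positives, the following added example (not Symantec code and not part of the original article) audits a policy inventory. The dictionary layout, the function names, the case-insensitive comparison and the two-shared-keyword threshold are assumptions made for illustration; the sample data is constructed from the article's example.

```python
from itertools import combinations

# Constructed inventory mirroring the article's example. The layout is an
# assumption, not a DLP export format. Policy 3's proximity is not stated in
# the article, so it is recorded as None (unknown).
POLICIES = {
    "Policy 1": {"keywords": ["Legal", "Sensitive", "Document"], "proximity": 1},
    "Policy 2": {"keywords": ["Legal", "Sensitive", "Form"], "proximity": 1},
    "Policy 3": {"keywords": ["Legal", "Frisbee", "Tournament"], "proximity": None},
}

def _words(policy):
    # Assumption: keywords are compared case-insensitively.
    return {w.casefold() for w in policy["keywords"]}

def find_trigger_pairs(policies, min_shared=2):
    """Pairs of policies with the same proximity and shared keywords."""
    # min_shared=2 is an assumption taken from the example, where Policies 1
    # and 2 share both "Legal" and "Sensitive".
    hits = []
    for a, b in combinations(sorted(policies), 2):
        pa, pb = policies[a], policies[b]
        if pa["proximity"] is None or pa["proximity"] != pb["proximity"]:
            continue
        shared = _words(pa) & _words(pb)
        if len(shared) >= min_shared:
            hits.append((a, b, sorted(shared)))
    return hits

def exposed_policies(policies, hits):
    """Other policies holding any shared keyword: likely false-positive sources."""
    exposed = {}
    for a, b, shared in hits:
        for name, policy in policies.items():
            overlap = _words(policy) & set(shared)
            if name not in (a, b) and overlap:
                exposed.setdefault(name, set()).update(overlap)
    return {name: sorted(words) for name, words in exposed.items()}

def apply_workaround(policies, name, new_proximity):
    """Return a copy of the inventory with one policy's proximity changed."""
    changed = {k: dict(v) for k, v in policies.items()}
    changed[name]["proximity"] = new_proximity
    return changed

if __name__ == "__main__":
    hits = find_trigger_pairs(POLICIES)
    print("trigger pairs:", hits)
    print("exposed:", exposed_policies(POLICIES, hits))
    print("after workaround:", find_trigger_pairs(apply_workaround(POLICIES, "Policy 2", 0)))
```

An empty result from find_trigger_pairs after the proximity change indicates that no pair of policies in the inventory still meets the trigger condition.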