Random false positive match on keyword for Endpoint incidents


Article ID: 169505


Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

An Endpoint incident may report a whole-word keyword match on a fragment taken from the middle or end of a longer word, which is a false positive.

For Example:

A policy was configured to detect Social Security Numbers with a keyword rule matching 'SS' and 'SSN', with the "whole word only" option enabled.

An incident was generated with a match on the 'ss' at the end of the word "Success" or "Process", even though neither word is a whole-word match for the keyword.

Cause

The false positive on the "ss" in "Success" is caused by chunking. The agent scans file content in chunks rather than as a single buffer. The Advanced Agent Setting Detection.CHUNK_OVERLAP.int defines how far back into the previous chunk the next chunk begins, so that consecutive chunks overlap. For this file, the overlap window happened to begin at "ss …" in the middle of "Success". The start of a chunk has no preceding character, so the whole-word check sees "ss" as a complete word at the start of that chunk and reports a match on the keyword 'SS'.

Resolution

Changing Detection.CHUNK_OVERLAP.int in Advanced Agent Settings shifts where the chunk boundary falls and removes the match for that file. Note that the match depends on the offset of the word within the file: the setting moves the boundary rather than eliminating boundary matches, so a different overlap value can produce the same kind of match on another file whose content lines up with the new boundary.
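The mechanism described under Cause and Resolution, as an added example (this is a constructed model of chunked scanning with an overlap window, not the DLP agent's detection code; the chunk size of 20 characters, the overlap values and the two sample strings are assumptions chosen so that the chunk boundary lands inside a word). It shows that a whole-word keyword scan of the complete text never flags "Success", that a chunked scan does flag it when a chunk happens to start at "ss", and that changing the overlap only moves the boundary: the value that fixes the first sample trips on the second.

```python
import re

# Keywords from the policy in the article, matched whole-word, case-insensitive.
KEYWORDS = ("SS", "SSN")
WORD_RE = re.compile(r"\b(" + "|".join(map(re.escape, KEYWORDS)) + r")\b",
                     re.IGNORECASE)

# Constructed sample content (not from any real file). In SAMPLE_A the "ss" of
# "Success" sits at offset 15; in SAMPLE_B it sits at offset 16.
SAMPLE_A = "Operation Success completed and the Process finished cleanly."
SAMPLE_B = "Operation: Success recorded for the Process run."


def chunks(text, chunk_size, overlap):
    """Yield (absolute_offset, chunk_text).

    Every chunk after the first starts `overlap` characters before the end of
    the previous one; `overlap` plays the role of Detection.CHUNK_OVERLAP.int
    in this model (assumed semantics: characters of re-scan, not bytes).
    """
    step = chunk_size - overlap
    if step <= 0:
        raise ValueError("overlap must be smaller than the chunk size")
    pos = 0
    while pos < len(text):
        yield pos, text[pos:pos + chunk_size]
        if pos + chunk_size >= len(text):
            break
        pos += step


def scan_whole(text):
    """Whole-word keyword matches over the complete text: the ground truth."""
    return sorted((m.start(), m.group(0)) for m in WORD_RE.finditer(text))


def scan_chunked(text, chunk_size, overlap):
    """Whole-word keyword matches found by scanning chunk by chunk.

    A chunk has no character before its first position, so the regex treats
    the chunk start as a word boundary; a fragment such as "ss" at the start
    of a chunk therefore matches 'SS' as if it were a whole word.
    """
    hits = set()
    for start, chunk in chunks(text, chunk_size, overlap):
        for m in WORD_RE.finditer(chunk):
            hits.add((start + m.start(), m.group(0)))  # dedup overlap re-hits
    return sorted(hits)


def false_positives(text, chunk_size, overlap):
    """Matches reported by the chunked scan that the whole-text scan rejects."""
    return sorted(set(scan_chunked(text, chunk_size, overlap)) - set(scan_whole(text)))


if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        for overlap in (5, 4):
            print(f"sample {name}, overlap {overlap}: "
                  f"false positives {false_positives(sample, 20, overlap)}")
```

With a chunk size of 20 and an overlap of 5 the second chunk of SAMPLE_A begins at offset 15, the "ss" of "Success", and is reported; lowering the overlap to 4 moves that chunk to offset 16 and the report disappears, which is the fix the article describes. The same overlap of 4 then starts a chunk exactly at the "ss" of "Success" in SAMPLE_B, where the word sits one character further along, so the setting is a per-file workaround rather than a general remedy for boundary matches.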