Random false positive match on keyword for Endpoint incidents


Article ID: 169505


Updated On:


Data Loss Prevention Endpoint Prevent


A false positive match on a keyword in the middle of a word may appear in an Endpoint incident.

For example:

A policy was configured to look for Social Security Numbers with a keyword rule looking for 'SS' and 'SSN', whole word only.

An incident appeared with a match on the 'ss' at the end of the word Success or Process.


The false positive on the “ss” match in “Success” is caused by chunking. The agent scans content in chunks, and the Advanced Agent Setting Detection.CHUNK_OVERLAP.int defines how far back into the previous chunk the next chunk begins, so that the two chunks overlap. For this file, that overlap chunk happens to start at “ss …”, so the chunk begins with “ss” as a standalone token and the whole-word keyword rule matches it, even though in the full content it is only the tail of “Success”.


Modifying the chunk overlap setting, Detection.CHUNK_OVERLAP.int, in Advanced Agent Settings changes where the overlap chunk starts and will remove the match for that file.
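The following Python script is an added illustration of the mechanism described above; it is not the agent's code and does not reproduce the product's chunking algorithm. It models chunking as fixed-size windows where each new chunk starts `overlap` characters before the end of the previous one (treating Detection.CHUNK_OVERLAP.int as a character count is an assumption), runs a whole-word, case-insensitive rule for 'SS' and 'SSN' over each chunk independently, and shows that one overlap value makes the chunk begin at "ss" and produce a false positive while another does not. The `align_to_word` option is a hypothetical mitigation added for comparison, not a product setting, and the sample text is constructed.

```python
import re

# Keyword rule from the article: whole-word, case-insensitive match on "SS" or "SSN".
KEYWORDS = ("SS", "SSN")
KEYWORD_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, KEYWORDS)) + r")\b", re.IGNORECASE
)

# Constructed sample content: "Success" ends in "ss" (the false-positive source)
# and the trailing "SSN" is a genuine whole-word keyword hit.
SAMPLE_TEXT = "Upload Success done SSN"


def chunk_text(text, chunk_size, overlap, align_to_word=False):
    """Split text into fixed-size chunks (simplified model, not the agent's algorithm).

    Each chunk after the first begins `overlap` characters before the end of the
    previous chunk. With align_to_word=True the start is moved back to the nearest
    whitespace boundary (hypothetical mitigation, not a product setting).
    Returns a list of (absolute_start, chunk_text) pairs.
    """
    if overlap < 0 or overlap >= chunk_size:
        raise ValueError("overlap must be non-negative and smaller than chunk_size")
    chunks = []
    start = 0
    while True:
        end = min(start + chunk_size, len(text))
        chunks.append((start, text[start:end]))
        if end >= len(text):
            return chunks
        next_start = end - overlap
        if align_to_word:
            aligned = next_start
            while aligned > 0 and not text[aligned - 1].isspace():
                aligned -= 1
            if aligned > start:  # never step back so far that chunking stalls
                next_start = aligned
        start = next_start


def scan(text, chunk_size, overlap, align_to_word=False):
    """Run the whole-word keyword rule over each chunk independently.

    Returns sorted, de-duplicated (absolute_offset, matched_text) pairs. A match
    that exists only because a chunk boundary fabricated a word start (e.g. the
    "ss" of "Success") shows up here, exactly like the incident in the article.
    """
    hits = set()
    for chunk_start, chunk in chunk_text(text, chunk_size, overlap, align_to_word):
        for m in KEYWORD_RE.finditer(chunk):
            hits.add((chunk_start + m.start(), m.group(0)))
    return sorted(hits)


def unchunked_scan(text):
    """Reference result: the rule applied to the whole content in one piece."""
    return scan(text, len(text) + 1, 0)


if __name__ == "__main__":
    print("whole content      :", unchunked_scan(SAMPLE_TEXT))
    # Overlap of 2 makes the second chunk start at "ss done SSN" -> false positive.
    print("chunk 14, overlap 2:", scan(SAMPLE_TEXT, 14, 2))
    # Overlap of 4 makes the second chunk start at "cess done SSN" -> no false positive.
    print("chunk 14, overlap 4:", scan(SAMPLE_TEXT, 14, 4))
    # Word-aligned chunk starts avoid the problem regardless of the overlap value.
    print("chunk 14, aligned  :", scan(SAMPLE_TEXT, 14, 2, align_to_word=True))
```

The comparison between `scan(text, 14, 2)` and `scan(text, 14, 4)` is the point of the article: the false positive depends only on where the overlap boundary falls inside the word, so changing the overlap value moves the boundary and the spurious "ss" hit disappears while the legitimate "SSN" hit is reported in every configuration. When triaging such an incident, comparing the reported match offset with the surrounding characters in the original file is a quick way to confirm that the token is a word fragment rather than a real keyword.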