Is there a way to increase incident data as displayed in the Enforce incident snapshot?

Article ID: 170509

Products

Data Loss Prevention Enforce, Data Loss Prevention, Data Loss Prevention Cloud Package, Data Loss Prevention Discover Suite, Data Loss Prevention Endpoint Suite, Data Loss Prevention Core Package, Data Loss Prevention Plus Suite, Data Loss Prevention API Detection for Developer Apps Virtual Appliance, Data Loss Prevention API Detection Virtual Appliance, Data Loss Prevention Cloud Detection Service, Data Loss Prevention Cloud Detection Service for ICAP, Data Loss Prevention Cloud Detection Service for REST, Data Loss Prevention Cloud Service for Email, Data Loss Prevention Cloud Storage, Data Loss Prevention Endpoint Discover, Data Loss Prevention Endpoint Prevent, Data Loss Prevention Enterprise Suite, Data Loss Prevention for Mobile, Data Loss Prevention for Office 365 Email and Gmail with Email Safeguard, Data Loss Prevention Form Recognition, Data Loss Prevention Network Discover, Data Loss Prevention Network Email, Data Loss Prevention Network Monitor, Data Loss Prevention Network Monitor and Prevent for Email, Data Loss Prevention Network Monitor and Prevent for Email and Web, Data Loss Prevention Network Monitor and Prevent for Web, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Network Prevent for Email Virtual Appliance, Data Loss Prevention Network Prevent for Web Virtual Appliance, Data Loss Prevention Network Protect, Data Loss Prevention Network Web, Data Loss Prevention Sensitive Image Recognition

Issue/Introduction

The incident snapshot doesn't seem to show enough data around the matches to verify the complete context of the original match.

Environment

DLP - supported versions

Cause

Textual data surrounding incident match highlighting is limited in order to keep performance impacts to a minimum. While all the incident data is stored in the database, displaying it requires processing power on the manager.

Resolution

The relevant settings are in this file within the Enforce server directory: SymantecDLP\Protect\config\Manager.properties

The following entries (lines 104-117 in DLP v16.1) relate to the defaults:

### Configuration for highlighting of violations on incident snapshots
# The maximum number of highlights that are shown in a chunk.
# If there are more than this number of highlights, then they are broken into separate chunks.
# The value must be less than or equal to 20.
com.vontu.manager.incidents.matches.maxHighlightsPerViolation = 20

# The maximum number of non-violating characters to show between highlighted violations in a chunk.
# The value must be less than or equal to 1000.
com.vontu.manager.incidents.matches.maxCharactersBetweenHighlights = 1000

# The maximum number of non-violating characters to show before the first highlight in a chunk
# or after the last highlight in a chunk.
# The value must be less than or equal to 20.
com.vontu.manager.incidents.matches.maxCharactersSurroundingHighlights = 20

Changing the maxCharactersSurroundingHighlights setting, as shown here, will increase the amount of textual data that appears in incident snapshots:

com.vontu.manager.incidents.matches.maxCharactersSurroundingHighlights = 100

Please note that any changes to this file require a restart of the SymantecDLPManager service, which will end any active sessions and force you to log back in to Enforce.

Please also note that this change affects how all incidents are displayed. Changing it substantially may significantly affect the performance of the UI when viewing reports.
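One way to make the edit above repeatable and reversible, as an added example that is not part of the original article or of the product: the function names, the `.bak` backup suffix and the constructed sample text are assumptions, and the service restart described above is still a separate manual step.

```python
import re
import shutil
from pathlib import Path

KEY = "com.vontu.manager.incidents.matches.maxCharactersSurroundingHighlights"

# Constructed sample modelled on the excerpt quoted in this article (CRLF line endings).
SAMPLE = (
    "# The maximum number of non-violating characters to show before the first highlight in a chunk\r\n"
    "# or after the last highlight in a chunk.\r\n"
    "com.vontu.manager.incidents.matches.maxCharactersBetweenHighlights = 1000\r\n"
    "com.vontu.manager.incidents.matches.maxCharactersSurroundingHighlights = 20\r\n"
)

def set_property(text, key, value):
    """Return (new_text, old_value). Only the active `key = value` line changes;
    comments, other keys and line endings are left exactly as they were."""
    pattern = re.compile(
        r"^([ \t]*" + re.escape(key) + r"[ \t]*[=:][ \t]*)([^\r\n]*)", re.MULTILINE
    )
    found = pattern.findall(text)
    if len(found) != 1:  # missing, commented out, or duplicated: refuse to guess
        raise ValueError(f"expected one active line for {key}, found {len(found)}")
    new_text = pattern.sub(lambda m: m.group(1) + str(value), text)
    return new_text, found[0][1].strip()

def update_file(path, key, value):
    """Edit the file in place, keeping a .bak copy of the pre-change content."""
    path = Path(path)
    raw = path.read_bytes().decode("iso-8859-1")  # Java .properties are Latin-1
    new_text, old_value = set_property(raw, key, value)
    if new_text != raw:  # no-op runs must not overwrite the original backup
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(new_text.encode("iso-8859-1"))
    return old_value

if __name__ == "__main__":
    edited, old = set_property(SAMPLE, KEY, 100)
    print(f"{KEY}: {old} -> 100")
    print(edited)
```

Record the returned old value in the change ticket so the display setting can be rolled back if report performance degrades.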