DLP system data identifiers miss detections


Article ID: 174449




Data Loss Prevention Endpoint Prevent, Data Loss Prevention Enforce


Symantec Data Loss Prevention (DLP)
Data Identifiers (DI)

Some sensitive data is not detected when you use the built-in DLP DIs.


Windows or macOS


Symantec provides many data identifiers (DI) with DLP.

Rule Breadth

Each DI can have one of three levels: Wide, Medium, Narrow.

If you use Narrow, you can miss some incidents because it is very strict. Try switching to Medium or Wide, then test to make sure that you don't get too many false positives. Also, if you use Narrow, verify that there is a keyword in the content.

If you use Medium and still miss too many incidents, switch to Wide. Again, test to make sure that you don't get too many false positives.

Apply Policy to a Configuration

Create a policy and apply that policy to the configuration that contains the endpoints you want to monitor.

Verify that the content matches the 'Match Counting' options in the data identifier rule. If there are duplicates in the content, try selecting 'Count all matches'.
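
An added example, not Symantec's code: a simplified Python model of a card-number data identifier, showing why Narrow misses content that has no keyword and why duplicate values need 'Count all matches' to reach a match threshold. The pattern, the Luhn validator, the keyword list, the exact breadth semantics and the unique-count mode are assumptions made for illustration.

```python
import re

# Simplified model of a card-number data identifier (assumption: these are
# not Symantec's actual patterns, validators or keyword lists).
PATTERN = re.compile(r"\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b")
KEYWORDS = ("credit card", "card number", "visa", "mastercard")

def luhn_ok(number):
    """Luhn checksum, used here as the stand-in validator."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(number)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def matches(text, breadth):
    """Return matched values for breadth 'wide', 'medium' or 'narrow'."""
    hits = [re.sub(r"[- ]", "", m) for m in PATTERN.findall(text)]
    if breadth in ("medium", "narrow"):
        hits = [h for h in hits if luhn_ok(h)]        # validator step
    if breadth == "narrow" and not any(k in text.lower() for k in KEYWORDS):
        hits = []                                      # keyword is required
    return hits

def incident(text, breadth, threshold, count_all):
    """True when the match count reaches the rule's threshold."""
    hits = matches(text, breadth)
    count = len(hits) if count_all else len(set(hits))
    return count >= threshold

# Constructed sample content (well-known test numbers, not real accounts).
NO_KEYWORD = "Order ref 4111 1111 1111 1111 shipped; backup 1234-5678-9012-3456"
WITH_KEYWORD = "Visa on file: 4111111111111111"
DUPLICATES = "card number 4111111111111111, 4111111111111111, 4111111111111111"

if __name__ == "__main__":
    for b in ("wide", "medium", "narrow"):
        print(b, matches(NO_KEYWORD, b), matches(WITH_KEYWORD, b))
    print("unique matches only:", incident(DUPLICATES, "narrow", 3, False))
    print("count all matches:  ", incident(DUPLICATES, "narrow", 3, True))
```

Running the same sample content through each breadth before changing a production policy shows which setting produces the missed detection and how many extra matches a wider setting brings in.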

See if the DI has been edited

If the DI has been edited, it may no longer work as intended. You can ask support to review the DI and confirm that it is still as Symantec intended.