Match Count Lower Than Expected

Article ID: 192495

Products

Data Loss Prevention
Data Loss Prevention Discover Suite
Data Loss Prevention Endpoint Suite
Data Loss Prevention Network Monitor and Prevent for Email and Web

Issue/Introduction

When testing content that contains a specific number of matches, the generated incident reports fewer matches than expected, and fewer than the configured maximum number of matches.

Cause

Duplicate matches count toward the total number of violations allowed, which is controlled by two advanced server settings:
IncidentDetection.patternConditionMaxViolations
DI.MaxViolations
The default for both settings is 100.

For example, suppose the content being inspected consists of 50 unique violations, followed by 50 duplicates of those violations, followed by 50 more unique violations. The incident will report only 50 violations: the duplicates are not reported as separate matches, but they still count toward MaxViolations, so the default limit of 100 is reached before the remaining 50 unique violations are inspected.

Environment

You can confirm this by changing the policy rule to 'Count All Matches' and re-testing. The incident should now show more matches than before, because the duplicates are included, up to the maximum violation count.
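The following is an added Python model of the behaviour described in the Cause section and in the 'Count All Matches' test above; it is not Symantec DLP code. It assumes, as the article states, that every match (duplicates included) consumes one unit of the MaxViolations budget and that inspection stops once the budget is spent. The inspected content and the match values are constructed for the example.

```python
"""Model of a per-incident match budget interacting with duplicate matches.

Added illustration, not Symantec DLP code. Assumption: each match, duplicate
or not, costs one unit of the MaxViolations budget, and inspection stops when
the budget is exhausted, exactly as the article describes.
"""
from dataclasses import dataclass

DEFAULT_MAX_VIOLATIONS = 100  # default of both advanced settings named in the article


@dataclass
class DetectionResult:
    reported: int      # matches that appear on the incident
    inspected: int     # matches examined before the budget ran out
    truncated: bool    # True if some content was never inspected


def simulate_detection(matches, max_violations=DEFAULT_MAX_VIOLATIONS, count_all=False):
    """Walk the matches in document order, charging one unit of budget each.

    count_all=False models 'Count all unique matches': a value already seen is
    still charged against the budget but is not reported again.
    count_all=True models 'Count All Matches': every match is reported.
    """
    seen = set()
    reported = 0
    inspected = 0
    for value in matches:
        if inspected >= max_violations:
            # Budget spent: the remainder of the content is never inspected.
            return DetectionResult(reported, inspected, truncated=True)
        inspected += 1
        if count_all or value not in seen:
            seen.add(value)
            reported += 1
    return DetectionResult(reported, inspected, truncated=False)


def article_scenario():
    """Constructed content mirroring the article: 50 unique values, then 50
    duplicates of the first value, then 50 more unique values."""
    first_block = [f"ACCT-A-{i:03d}" for i in range(50)]
    duplicates = [first_block[0]] * 50
    second_block = [f"ACCT-B-{i:03d}" for i in range(50)]
    return first_block + duplicates + second_block


if __name__ == "__main__":
    content = article_scenario()
    for label, kwargs in [
        ("unique matches, default cap", {}),
        ("count all matches, default cap", {"count_all": True}),
        ("unique matches, cap raised to 200", {"max_violations": 200}),
    ]:
        r = simulate_detection(content, **kwargs)
        print(f"{label}: reported={r.reported} inspected={r.inspected} truncated={r.truncated}")
```

With the default cap, the unique-match run reports 50 matches and stops with 50 unique values uninspected; switching to counting all matches reports 100 (the duplicates now show up); raising the cap to 200 lets the unique-match run reach all 100 unique values. The raised cap still charges the duplicates against the budget, which is why the Resolution below describes it as a mitigation rather than a fix.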

Resolution

You may consider using larger values for:
IncidentDetection.patternConditionMaxViolations
and
DI.MaxViolations

Both are advanced server settings, so the change applies to every policy evaluated by that detection server. This does not remove the underlying behaviour, because duplicates still count toward the limit, but it makes detection more tolerant of duplicates and results in more matches overall where many duplicates are present.