You want to modify certain match count settings for your DLP Cloud Detector and want to know how that change might impact the Cloud Detector.
The settings are described in this help center topic: Advanced detector settings (broadcom.com)
As per the help center topic above, the following settings are the defaults for both on-premises and cloud service detection servers:
| Setting | Default Value | Setting description (from help center topic) |
| --- | --- | --- |
| DI.MaxViolations | 100 | Specifies the maximum number of violations allowed with data identifiers. |
| EDM.MaximumNumberOfMatchesToReturn | 100 | Defines a top limit on the number of matches returned from each RAM index search. |
| IncidentDetection.patternConditionMaxViolations | 100 | The maximum number of matches a detector reports. The detector does not report more matches than the value of the 'IncidentDetection.patternConditionMaxViolations' parameter, even if more exist. |
Release : 15.8
Component : Default-Sym
You wish to know the match count threshold configured in your DLP system, and how that threshold might affect performance and detection.
Each setting above applies to a different matcher, and each matcher uses its value differently, so the effect on detection behavior and performance varies from setting to setting.
More information about these settings is also given in this KB: Adjust the "maximum matches count" in a DLP policy incident (broadcom.com).
For on-premises Detection Servers, you can observe the impact of modifying these settings directly by monitoring CPU and memory usage after making the change.
For Detectors in the Cloud Service, however, you cannot directly monitor how your changes affect the system.
Small increases over the default values (for example, raising a match count to 200) will not have a large impact, and the engineering team has confirmed that a change of this size is acceptable for the settings listed above.
Larger changes could have unintended consequences, so if you plan to set these to significantly higher values (for example, above 200) on Detectors in the Cloud Service, it is recommended that you open a case with technical support to confirm before making the change.