You want to modify detection match count settings for your DLP Cloud Detector and want to know about impact

Article ID: 247304

Updated On:

Products

Data Loss Prevention Cloud Service for Email

Issue/Introduction

You want to modify certain detection match count settings for your DLP Cloud Detector and want to know how that might impact the Cloud Detector.

The settings are described in this help center topic: Advanced detector settings (broadcom.com)

As per the help center topic above, the following settings are the defaults for both on-premises and cloud service detection servers:

| Setting | Default Value | Setting description (from help center topic) |
|---|---|---|
| DI.MaxViolations | 100 | Specifies the maximum number of violations allowed with data identifiers. |
| EDM.MaximumNumberOfMatchesToReturn | 100 | Defines a top limit on the number of matches returned from each RAM index search. |
| IncidentDetection.patternConditionMaxViolations | 100 | The maximum number of matches a detector reports. The detector does not report matches more than the value of the 'IncidentDetection.patternConditionMaxViolations' parameter, even if there are any. |

Environment

Release : 15.8

Component : Default-Sym

Cause

You want to know the match count thresholds configured in your DLP system, and how they might affect performance and detection.

Resolution

Each setting above affects a different matcher. Each matcher uses its value differently, so the effect on detection behavior and performance may vary from setting to setting.

More information about these settings is also given in this KB: Adjust the "maximum matches count" in a DLP policy incident (broadcom.com).

For on-premises Detection Servers, you can clearly see the impact of modifying these settings by monitoring CPU and memory performance after making the changes.

For Detectors in the Cloud Service, however, you cannot directly monitor the impact of your changes on the system.

Making smaller changes to the default values (e.g., increasing match counts to 200) will not have a huge impact, and the engineering team has confirmed that such a change is acceptable for the settings listed above.

Larger changes could have unintended consequences, so if you plan to raise these settings to significantly higher values (e.g., >200) for Detectors in the Cloud Service, it is recommended that you open a case with technical support to confirm.

Additional Information