Seeing different incident snippet scores when different files with the same content are uploaded in DLP IDM
Created On 08/12/25 22:00 PM - Last Modified 10/30/25 16:34 PM
Symptom
- In a DLP environment, a fingerprint of a file can be uploaded in DLP->Document Types->Add New.
- When the content of the files is the same but the file types are different, the incident scores are different.
- Example: a PDF file is uploaded in DLP->Document Types.
- Then the contents of the PDF file (File1) are copied and pasted into a TXT file (File2).
- During the actual test:
- Test1: Upload PDF (File1) to a site "dlptest.com": Incident->Snippet shows a score of 100%
- Test2: Upload TXT (File2) to a site "dlptest.com": Incident->Snippet shows a score of 98%
- The score is different even though the contents of the files are the same.
Environment
- Prisma Access (SASE)
- Strata (NGFW)
- Enterprise DLP
- Indexed Document Matching (IDM)
Cause
- Users may see a 100% score if the same file (the PDF in this example) that was used for the IDM fingerprint is uploaded to "dlptest.com" or other sites.
- Subsequent file uploads to dlptest.com whose content is copied and pasted from the fingerprinted file may show slightly less than 100%.
- This is due to IDM processing overhead of file extractions, white spaces, and any file-based properties.
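
The effect described above can be reproduced with a generic word-shingle overlap score. This is an added illustration, not Enterprise DLP's IDM algorithm (which this article does not describe); the function names, the shingle size and both sample texts are assumptions constructed for the example.

```python
import hashlib

K = 3  # words per shingle (assumed value, not an IDM setting)

def shingles(text, collapse_ws=True):
    """Hash every run of K consecutive tokens in the text."""
    # collapse_ws=True treats any whitespace run as one separator;
    # False splits on single spaces only, so line endings stay in tokens.
    words = text.split() if collapse_ws else text.split(" ")
    grams = (" ".join(words[i:i + K]).lower()
             for i in range(len(words) - K + 1))
    return {hashlib.sha256(g.encode("utf-8")).hexdigest() for g in grams}

def match_score(indexed_text, uploaded_text, collapse_ws=True):
    """Percent of the indexed document's shingles found in the upload."""
    ref = shingles(indexed_text, collapse_ws)
    if not ref:
        return 0.0
    found = ref & shingles(uploaded_text, collapse_ws)
    return 100.0 * len(found) / len(ref)

# Constructed sample: text as a PDF extractor might emit it, with hard
# line breaks, a word hyphenated at a line wrap, and a page footer.
PDF_EXTRACTED = (
    "Project Falcon quarterly forecast\n"
    "This document is confiden-\n"
    "tial and must not be shared outside the finance team.\n"
    "Revenue is expected to grow by twelve percent next year.\n"
    "Page 1 of 1\n"
)

# Constructed sample: the same content pasted into a TXT file, with
# CRLF line endings, a double space and no footer.
TXT_PASTED = (
    "Project Falcon quarterly forecast\r\n"
    "This document is confidential and must not be shared outside "
    "the finance team.  "
    "Revenue is expected to grow by twelve percent next year.\r\n"
)

if __name__ == "__main__":
    print("same file:          %.1f%%" % match_score(PDF_EXTRACTED, PDF_EXTRACTED))
    print("pasted, ws folded:  %.1f%%" % match_score(PDF_EXTRACTED, TXT_PASTED))
    print("pasted, raw spaces: %.1f%%" % match_score(PDF_EXTRACTED, TXT_PASTED, False))
```

On a sample this short a few extraction differences move the score a long way; on a full-length document the same differences touch a much smaller share of the shingles.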
Resolution
- This is working as designed.
- Users always see scores slightly less than 100%, and this is due to IDM processing overhead of file extractions, white spaces, and any file-based properties.