Hit highlighting

The hit highlighting option helps administrators identify exactly which sensitive content caused an event.

When selected, it stores an encrypted XML evidence file with extracted text.

The evidence file is made up of snippets, also referred to as match strings. A snippet for content classifications or content fingerprints typically contains the sensitive text, with 100 characters preceding it and 100 characters after it for context. Snippets are organized by the content classification or content fingerprint that triggered the event, and the file includes a count of the number of events per content classification or content fingerprint. If there are multiple hits within 100 characters of the previous hit, those hits are highlighted, and the highlighted text together with the next 100 characters is added to the snippet. If the hit is in the header or footer of a document, the snippet contains the highlighted text without the 100-character prefix or suffix.

For McAfee DLP Endpoint and McAfee DLP Endpoint for Mac, display options are set on the Evidence Copy Service page of the client configuration policy in the Classification matches file field. For McAfee DLP Discover, display options are set on the Evidence Copy Service page of the server configuration policy in the Classification matches file field:

  • Create abbreviated results (default)
  • Create all matches
  • Disabled — Disables the hit highlighting feature

Abbreviated results can contain up to 20 snippets. An all matches hit highlight file can contain an unlimited number of snippets, but there is a limit on the number of hits per classification. For Advanced Pattern and Keyword classifications, the limit is 100 hits. For Dictionary classifications, the limit is 250 hits per dictionary entry. If there are multiple classifications in a hit highlight file, the classification names and the match counts are displayed at the beginning of the file, before the snippets.
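The following sketch models the snippet rules and limits described above, so an administrator can estimate how much surrounding text ends up in an evidence file. It is an added example, not McAfee code. The function names, the regular expression standing in for a classification, and the choice to measure "within 100 characters" from the end of the previous hit are assumptions.

```python
import re

CONTEXT = 100            # characters kept on each side of a hit (from the page)
ABBREVIATED_MAX = 20     # snippet cap for "Create abbreviated results"
PATTERN_HIT_LIMIT = 100  # hit cap for Advanced Pattern / Keyword classifications

# Constructed stand-in for one classification and one document body.
PATTERN = r"\d{3}-\d{2}-\d{4}"
SAMPLE = "x" * 300 + "123-45-6789" + "y" * 50 + "987-65-4321" + "z" * 300 + "111-22-3333" + "w" * 10


def build_snippets(text, pattern, abbreviated=True, header_footer=False):
    """Return (start, end, snippet_text, hit_spans) tuples for one classification."""
    hits = [m.span() for m in re.finditer(pattern, text)][:PATTERN_HIT_LIMIT]
    groups = []
    for start, end in hits:
        # Assumption: distance is measured from the end of the previous hit
        # to the start of this one.
        if groups and start - groups[-1][-1][1] <= CONTEXT:
            groups[-1].append((start, end))   # nearby hit joins the same snippet
        else:
            groups.append([(start, end)])     # distant hit starts a new snippet
    pad = 0 if header_footer else CONTEXT     # header/footer hits get no context
    snippets = []
    for group in groups:
        lo = max(0, group[0][0] - pad)
        hi = min(len(text), group[-1][1] + pad)
        snippets.append((lo, hi, text[lo:hi], group))
    return snippets[:ABBREVIATED_MAX] if abbreviated else snippets


def exposed_characters(snippets):
    """Total characters of source text copied into the evidence file."""
    return sum(hi - lo for lo, hi, _, _ in snippets)


if __name__ == "__main__":
    result = build_snippets(SAMPLE, PATTERN)
    for lo, hi, _, spans in result:
        print(f"snippet [{lo}:{hi}] hits={spans}")
    print("characters stored:", exposed_characters(result))
```

In the constructed sample, three 11-character hits produce two snippets, and most of the stored text is context rather than the matched values.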

In the Incident Information field, you can choose to display the Short Match String on the incident details page. Short match strings contain up to three hit highlights as a single string. Short match strings, like other hit highlights, are saved as encrypted files.