Hello everyone, we're rolling out version 14.6. In our testing we hit the ceiling for the default value of 10,000 for the setting IncidentDetection.MaxIncidentsPerPolicy. The first thing that came to mind was that this setting is designed to prohibit a runaway policy. For Discover scans we plan to limit incidents via the Target properties because we experienced a misconfigured policy that maxed out our DB, but we have no idea how many incidents we'll see in the DIM world. We'll have to activate policies slowly and monitor incident volume, I guess.
Has anyone had to adjust the default setting for IncidentDetection.MaxIncidentsPerPolicy?
What about its companion setting "IncidentDetection.IncidentLimitResetTime"?
I'm thinking there should be no performance impact to Symantec detection servers, since the content inspection will continue regardless, but no incidents for the policy in question will be generated. It's the backend database we need to be concerned with, and we have the proper monitoring/alerts in place for that.
Thanks in advance.