Inaccurate Counts in Risks Overview
Summary: Customers may report a discrepancy between the event count in Risk Overview (RO) and the count shown when editing a policy. This is expected behavior due to recent changes in backfill processing and limitations with list-based policies.
Question_md: Why does the count for a policy show different values in risks overview vs. when in edit mode?
Answer_md: # Root Cause
This is caused by the backfill behavior introduced in version 25.04:
- Backfill is now disabled by default on newly created or updated policies.
- The Risk Overview count only reflects events that matched the policy at the time of collection.
- The Edit Policy view dynamically calculates how many events from the selected timeframe would have matched the policy conditions, even if they weren't tagged originally.

Additionally:
- If the policy uses a list, backfill will not reprocess past events using that list due to current limitations.
- This leads to a situation where the Edit preview shows accurate "what-if" results, but the Risk Overview shows 0 events if no matches were recorded at collection time.
Supporting Documentation:
[Understanding the Impact of Updating Past Events](https://docs.cyberhaven.io/latest/docs/policy-management#understanding-the-impact-of-updating-past-events)
| View | Count Includes | Backfill Required? | Notes |
|---|---|---|---|
| Risk Overview | Events tagged at time of ingestion (What DID happen) | Yes (disabled by default) | May show 0 even if matches exist |
| Policy Edit Preview | Dynamic match of past events (What WOULD happen) | No | Includes list-based logic |
Example Scenario:
- A policy "[Block] Printing" contains a list of "Printers not approved". Results for the past 30 days show 0 in Risks Overview.
- Clicking on EDIT will show a count of 20 matches. This is because backfill is disabled by default and, even if it is enabled, policies that use lists will not have past events reprocessed due to current limitations.
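
A minimal model of the two counting paths, replaying the example scenario with constructed events. It is an added illustration, not Cyberhaven code, and every name in it (`Policy`, `collect`, `run_backfill`, the printer `lobby-mfp`, the "Any printing" policy) is hypothetical.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Policy:
    name: str
    condition: Callable[[dict], bool]
    uses_list: bool = False
    backfill_enabled: bool = False   # off by default since 25.04, per the article

def collect(store, event, active_policies):
    """Ingestion: tag the event with every policy that matches at this moment."""
    store.append({**event, "tags": {p.name for p in active_policies if p.condition(event)}})

def risk_overview_count(store, policy):
    """What DID happen: only events already tagged with the policy."""
    return sum(policy.name in e["tags"] for e in store)

def edit_preview_count(store, policy):
    """What WOULD happen: conditions re-evaluated against stored events."""
    return sum(policy.condition(e) for e in store)

def run_backfill(store, policy):
    """Background job: no-op when backfill is off or the policy uses a list."""
    if not policy.backfill_enabled or policy.uses_list:
        return 0
    todo = [e for e in store if policy.condition(e) and policy.name not in e["tags"]]
    for e in todo:
        e["tags"].add(policy.name)
    return len(todo)

def scenario():
    store = []
    for _ in range(20):  # constructed history: 20 print jobs before any policy exists
        collect(store, {"action": "print", "printer": "lobby-mfp"}, [])
    unapproved = {"lobby-mfp"}  # stands in for the "Printers not approved" list
    by_list = Policy("[Block] Printing", lambda e: e["printer"] in unapproved, uses_list=True)
    no_list = Policy("Any printing", lambda e: e["action"] == "print")
    out = {"overview": risk_overview_count(store, by_list),
           "preview": edit_preview_count(store, by_list)}
    by_list.backfill_enabled = no_list.backfill_enabled = True
    run_backfill(store, by_list)   # list-based: nothing is retagged
    run_backfill(store, no_list)   # no list: historical events are retagged
    out["list_after_backfill"] = risk_overview_count(store, by_list)
    out["no_list_after_backfill"] = risk_overview_count(store, no_list)
    collect(store, {"action": "print", "printer": "lobby-mfp"}, [by_list])  # new event
    out["list_after_new_event"] = risk_overview_count(store, by_list)
    return out

if __name__ == "__main__":
    print(scenario())
```
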
⚙️ Understanding Backfill and Dynamic Configuration Updates in Cyberhaven
When editing policies or datasets in Cyberhaven, it's important to understand how changes affect both new and historical events, and how the Console reflects these updates. Two key settings control this behavior:
- Advanced Setting: Apply Policy Changes to Past Events (aka Backfill), found in the new Object Management section
- Dynamic Configuration Updates, a Console-level user preference
These settings work together to determine how quickly and accurately your changes are reflected in the system.
Setting 1: Advanced Setting (Backfill)
- This setting is part of the new Object Management section in the Console.

Purpose:
This per-policy (or dataset) checkbox asks:
"Should we attempt to reprocess historical events using this updated policy?"
- If unchecked (default): Only new events will be evaluated with the updated logic.
- If checked: Previously collected events will also be reprocessed in the background (during off-peak hours).

Limitations:
- Does not modify previously created incidents.
- Does not support policies using lists or user risk groups; backfill will not occur for those.
- May impact Console performance.
Setting 2: Dynamic Configuration Updates
Location: Found in Account Settings.
This user preference controls how quickly you see reprocessed event counts in the UI after saving a policy or dataset.
| Setting | Console Behavior | Backend Reprocessing |
|---|---|---|
| Enabled | UI reflects updated counts immediately after saving | Still processed in the background during off-peak hours |
| Disabled (default) | UI shows old counts until reprocessing completes | Reprocessing still occurs later |
🔍 This setting does not control when reprocessing happens; it only affects what the UI shows immediately after saving.
These two settings work in tandem to determine whether historical event counts will change and how soon that change is reflected in the Console.
| Advanced Setting | Dynamic Configuration Updates | Reprocesses Past Events? | Console Reflects Change Immediately? |
|---|---|---|---|
| Off | Any setting | ❌ No | ❌ No |
| On | Off (default) | ✅ Yes | ❌ No (UI updates after background job completes) |
| On | On | ✅ Yes | ✅ Yes (UI shows updated count right away) |
💡 If Advanced Setting is off, then Dynamic Configuration Updates has no effect, because there's no backfill to visualize.
To Enable Dynamic Config:
1. Navigate to account settings
2. Toggle Dynamic Configuration Updates

To Enable Advanced Settings under Object Management:
1. Select Object Management in the bottom left corner, located above the Cloud sensor icon.
2. Select the 3 dots on the far right of an object --> View and edit
3. Click on "Edit Policy" in the top right
4. Click "Advanced Settings" on the left hand side under email notifications.
5. Toggle Advanced Settings