Retaining Original Message on Endpoint Incident


Article ID: 159481



Data Loss Prevention Endpoint Prevent


Can I retain the original message on an Endpoint Incident?


By default, the original message is not kept on an Endpoint incident. This is because of size and network constraints.

It is possible to keep the original message through a response rule.

Create a response rule. Under Actions choose: All: Limit Incident Data Retention (yes, this sounds like the opposite of what you want).

Under All Endpoint Incidents (Including Endpoint Discover Incidents), check the box:

Retain Original Message

Then attach the response rule to the policy you want it to apply to. The original message will be retained on the incident.

Note: Retaining the original message on incidents may consume additional database table space, since the database sizing was calculated on the assumption that the original message is not retained; please monitor the usage.
Also, when a two-tier detection rule is used on the Endpoint, the original message is retained on the incident in the current release regardless of the Retain Original Message setting above.