Retaining Original Message on Endpoint Incident


Article ID: 159481

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Can I retain the original message on an Endpoint Incident?

Resolution

By default, the original message is not kept on an Endpoint incident, because of size and network constraints.

It is possible to keep the original message by using a response rule.


Create a response rule. Under Actions, choose: All: Limit Incident Data Retention (yes, this sounds like the opposite of what you want).

Under All Endpoint Incidents (Including Endpoint Discover Incidents), check the box:

Retain Original Message

Then attach the response rule to the policy you want it to apply to. The original message will be retained on incidents generated by that policy.

Note: Retaining the original message on incidents consumes additional database table space. If storage capacity was sized on the assumption that messages are not retained, monitor the usage.
Also, when a two-tier detection rule is used on Endpoint, the original message is retained on the incident in the current release regardless of the Retain Original Message setting described above.