ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Retaining Original Message on Endpoint Incident
Article ID: 159481
Updated On:
Products
Data Loss Prevention Endpoint Prevent
Issue/Introduction
Can I retain the original message on an Endpoint Incident?
Resolution
By default, the original message is not kept on an Endpoint incident. This is because of size and network constraints.
It is possible to keep the original message through a response rule.
Create a response rule. Under actions choose: All: Limit Incident Data Retention (Yes, this sounds like the opposite of what you want.)
All Endpoint Incidents (Including Endpoint Discover Incidents):
Check the box:
Retain Original Message:
Then attach the reponse rule to the policy that you want it to apply. The original message will be retained.
Note: Retain Original Message on incident may consume table space, if it was calculated by not retained, please monitor the usage.
Also when 2-tier detection rule is used on Endpoint, the original message is retained on the incident on current release whether or not how the above Retain Original Message setting is.
Feedback
Yes
No
Powered by
