Can I retain the original message on an Endpoint Incident?
By default, the system discards original messages (including files and attachments) for endpoint incidents. You can implement the Limit Incident Data Retention response rule action to override this default behavior and retain original email attachments for endpoint incidents.
Configure the Limit Incident Data Retention response rule action
To configure incident data retention
1. Configure a response rule at the Configure Response Rule screen.
2. Add the action type All: Limit Incident Data Retention from the Actions list.
3. Select the option to retain Endpoint Incident data.
4. Click Save to save the response rule configuration.
By default, the agent discards the original message and any attachments for endpoint incidents. After saving the response rule, attach it to the policy you want it to apply to; the original message is then retained for incidents generated by that policy.
NOTE: Limit Incident Data Retention does not apply to Endpoint Clipboard incidents and is not supported for Endpoint Discover.
NOTE: Retaining the original message on incidents consumes additional table space. If table space was sized on the assumption that original messages would not be retained, monitor usage after enabling this option.
Also, when a two-tier detection rule is used on the Endpoint, the original message is retained on the incident in the current release regardless of the Retain Original Message setting described above.
You may also find this guide helpful: Retaining data for endpoint incidents