Can I retain the original message on an Endpoint Incident?
Create a response rule. Under actions choose: All: Limit Incident Data Retention (Yes, this sounds like the opposite of what you want.)
Under "All Endpoint Incidents (Including Endpoint Discover Incidents)", check the box "Retain Original Message".
Then attach the response rule to the policy that you want it to apply to. The original message will be retained.
Note: Retaining the original message on incidents may consume table space. If the table space was calculated on the basis that messages are not retained, please monitor the usage.
Also, when a 2-tier detection rule is used on the Endpoint, the current release retains the original message on the incident regardless of the Retain Original Message setting above.