How DLP incident data is stored, at rest, in the Oracle DB or in external incident storage.

Look for the following table.columns to be encrypted:

The columns described are BLOBs. All tables listed belong to the DLP Schema Owner. The default user is protect.

In terms of incident components, the encrypted parts of an incident are:

• List of matches
• Original message (if present)
• File attachment (if present)

Encryption is performed by the DLP application, which is to say, outside of the Oracle database.  Oracle encryption functionality is not used.

For external storage of incidents, all incident data is stored encrypted on disk and not within the Oracle database..

Incident Attachment External Storage Directory (broadcom.com)