Not able to save the Original Message/ Files that triggered incidents.

For Detection servers other than Endpoint, when we open the snapshot of an Incident, in the Message Body section (at the bottom left side of the incident snapshot) there is an option to Open Original Message.

If the Detection server is Endpoint then in the snapshot under Message Body we don’t get this option.

This is working by design for Endpoint server, because by default Incident Data is not retained for Endpoint incidents. It is possible to change this behavior - for details see KB 46550.