How to include attachments for Endpoint Incidents

Article ID: 160294

Updated On:

Products

Data Loss Prevention Endpoint Discover

Issue/Introduction

Endpoint Prevent and Endpoint Discover do not retain the original file by default.

Resolution

By default, Endpoint does not keep the original files. The files can be included, but this adds overhead: the messages between the Endpoint Server and the Endpoint Agent will be larger, and database space usage will increase, which may be significant with Endpoint Discover.

To retain the original file, add a Response Rule to the Endpoint Policy in order to include file attachments.


Actions
All: Limit Incident Data Retention
  Network Incidents:
    Discard Original Message:
    Discard Attachment: All / Attachments with no Violations / None
  All Endpoint Incidents (Including Endpoint Discover Incidents):
    Enabling this option may prevent some events on endpoints from blocking (e.g. Copy to USB). To ensure endpoint prevent works properly, disable the ENABLE_VEP_FILE_ELIMINATION setting from the Endpoint Settings page of the endpoint servers.
    Retain Original Message: