How to retain files or message attachments up to a certain size for Endpoint Incidents


Article ID: 160322


Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

You want to retain the file or message attachment from offending incidents up to a particular size, for example 20 MB, but do not want to retain files or attachments above that size, because storing large originals significantly increases the size of your Data Loss Prevention (DLP) database.

Resolution

You will need to create two separate policies that differ only in a size condition and in their response rule. The first policy identifies message attachments or files smaller than the chosen size and retains them; the second policy is almost identical, but identifies message attachments or files larger than that size and does not retain the file or attachment.

Part I:

 Create a Response Rule to retain the original message attachment as follows:

 In the Enforce UI go to Manage > Response Rules

 Click Add Response Rule
 Click Next with the default type of response rule: Automated Response
 Enter the Rule Name and Description.
 Under Actions choose: All: Limit Incident Data Retention (yes, this sounds like the opposite of what you want) and click Add Action
 For All Endpoint Incidents (Including Endpoint Discover Incidents) check the box: Retain Original Message
 
Part II:

 In the Enforce UI go to Manage > Policy List
 Select and Edit your original policy

 The policy needs a Detection Rule that contains the content matching condition for the content you want to detect; the size condition is added to that rule, not used on its own.
 On the Detection tab, open or edit your existing rule.
 In the Conditions field click into the Also Match: Match... drop down box and select the condition Message Attachment or File Size Match.
 Select Less Than and enter the maximum size of attachments that you want to match and retain.
 Enter a number, and select the unit of measure: bytes, kilobytes (KB), megabytes (MB), or gigabytes (GB). Save the rule by clicking Ok.

 Next go to the Response tab
 From the drop down box select the Response Rule you created and click Add Response Rule

 Click on the Save button.

Part III:

 Next create a new policy that replicates the first one, with two changes:

 Do not apply the Response Rule that retains the original message.
 Change the condition "Message Attachment or File Size Match" from Less Than to Greater Than, so that this policy only detects files larger than the specified size.

 Note that with a strict Less Than in one policy and a strict Greater Than in the other, an attachment of exactly the threshold size would match neither policy and would therefore generate no incident at all. Test an attachment of exactly that size against both policies to confirm how your version handles the boundary before relying on this setup.
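The following is an added example, not code from the article or from the DLP product: a small Python model of the two-policy setup above. It is not the Enforce detection engine; it simply applies the same two rules (content match plus a Less Than or Greater Than size condition, with the retention response rule on the first policy only) to a handful of constructed incidents, including one sitting exactly on the 20 MB threshold, so you can see which policy fires and whether the original is retained. The incident names, sizes and policy names are made up for the illustration.

```python
"""Model of the two-policy retention setup from the article (illustrative only,
not the Symantec DLP engine). Policy 1: content match AND size < threshold,
response rule retains the original. Policy 2: content match AND size >
threshold, no retention. An incident is recorded only if some policy matches."""
from dataclasses import dataclass
from typing import Callable, Dict, List

MB = 1024 * 1024


@dataclass(frozen=True)
class Incident:
    name: str
    attachment_size: int    # bytes
    content_matches: bool   # outcome of the policy's content-matching condition


@dataclass(frozen=True)
class Policy:
    name: str
    size_condition: Callable[[int], bool]   # "Message Attachment or File Size Match"
    retain_original: bool                   # response rule "Retain Original Message" attached?


def build_policies(threshold_bytes: int) -> List[Policy]:
    """The two policies described in Parts II and III, strict on both sides."""
    return [
        Policy("Retain small attachments", lambda s: s < threshold_bytes, True),
        Policy("Large attachments, no retention", lambda s: s > threshold_bytes, False),
    ]


def policy_matches(policy: Policy, incident: Incident) -> bool:
    # The size condition is an "Also Match" on the same rule, so both must hold.
    return incident.content_matches and policy.size_condition(incident.attachment_size)


def evaluate(incident: Incident, policies: List[Policy]) -> Dict[str, object]:
    matched = [p for p in policies if policy_matches(p, incident)]
    return {
        "policies": [p.name for p in matched],
        # The original is retained if any matching policy carries the retention rule.
        "retained": any(p.retain_original for p in matched),
    }


# Constructed sample incidents (hypothetical names and sizes).
SAMPLE_INCIDENTS = [
    Incident("3 MB report", 3 * MB, True),
    Incident("45 MB archive", 45 * MB, True),
    Incident("exactly 20 MB", 20 * MB, True),        # boundary case
    Incident("non-matching content", 1 * MB, False),
]


def run(threshold_bytes: int = 20 * MB) -> Dict[str, Dict[str, object]]:
    policies = build_policies(threshold_bytes)
    return {inc.name: evaluate(inc, policies) for inc in SAMPLE_INCIDENTS}


def coverage_gaps(threshold_bytes: int = 20 * MB) -> List[str]:
    """Names of content-matching incidents that no policy detects at all."""
    results = run(threshold_bytes)
    return [inc.name for inc in SAMPLE_INCIDENTS
            if inc.content_matches and not results[inc.name]["policies"]]


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:24s} policies={result['policies']} retained={result['retained']}")
    print("undetected despite matching content:", coverage_gaps())
```

Running the block shows the 3 MB incident retained, the 45 MB incident recorded without its original, and the 20 MB incident matching neither policy, which is the boundary gap to check in the real product.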