Removing attachments from DLP incidents

book

Article ID: 197698

calendar_today

Updated On:

Products

Data Loss Prevention Network Monitor and Prevent for Email and Web Data Loss Prevention Data Loss Prevention Enforce Data Loss Prevention Endpoint Prevent Data Loss Prevention Endpoint Suite Data Loss Prevention Network Prevent for Email Data Loss Prevention Network Prevent for Web

Issue/Introduction

  • Is it possible to strip/delete attachments from incidents?
  • Oracle DB is still using BasicFiles (not the SecureFiles), is it required to run the reclamation tool to free up DB space after removing attachments from the incident?
  • How to prevent DLP from storing incident attachments (especially in terms of taking space in DB) in Network incidents in the future?

Resolution

  1. Navigate to Incidents.
  2. Choose the incidents for which you want to remove attachments.
  3. After marking one or more incidents, under Incident Actions, choose Delete Incidents.
  4. Under Delete Options, select Retain Incident, but Delete Original Message/Attachment(s)/File(s), and check Delete Attachments/Files.

  5. DB space can be reused after removing attachments, but in case of BasicFiles it's not fully available for all types and sizes of new data coming due to BasicFiles technical nature. Information about available space is not visible when checking space allocation for tablespaces.

    To fully release space after deleting incidents (or just attachments) use the reclamation tool or change DB to convert to using SecureFiles which will make reclamation automatically every time you delete data from DB.

  6. To reduce the number of attachments stored in DB apply response rule Limit Incident Data Retention with setting to Discard Attachments and apply them (depending on the severity and other additional parameters, if needed) to policies that need the reduction of incidents with stored attachments.



    Due to the fact, that this response rule (same as most of the automatic rules) is executed on the detection server - it will reduce space allocation of DB because incidents with attachments will not be added to the DB at all.

    In case of BasicFiles, this solution will reduce the number of times the reclamation tool will need to be used.

Additional Information

For more about transferring to SecureFiles and the reclamation tool, see Data Loss Prevention 14.6 and 15.x: Converting your LOB tables from BasicFiles to SecureFiles format.