DLP "Limit Incident Data Retention" response rule doesn't retain large attachments and the incident reflects the original file name as abc.doc.txt

Article ID: 203444

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

The "Limit Incident Data Retention" response rule does not retain the attachment for some incidents when the attachment is large. The incident shows the original file name as abc.doc.txt.

Environment

Component: DLP Endpoint Prevent

Resolution

This behavior is as designed. If data retention is enabled and the original file is larger than the "incidentHandler.MAX_FILE_SIZE" limit, the actual original file is renamed from abc.doc to abc.doc.txt. The default limit is 30MB. 

You can increase this limit, but consider checking the endpoints' performance, resources, and network bandwidth usage before making this change.

To modify this limit:

  • Open the Agent Configuration.
  • Go to Agent Advanced Settings.
  • Locate the setting "incidentHandler.MAX_FILE_SIZE".
  • Change the default limit to the larger size you want.
  • Save the Agent configuration.
  • Apply the new configuration to all Endpoints.