After adding CASB / CloudSOC to DLP the database is getting full faster than you can remediate the incidents.

Release :

Component : DLP with CDS, CloudSOC, CASB detection server

The default behavior in DLP for a CASB scan is to take a copy of any violating document and retain it with the incident.

In wide policies this can create a large amount of data to be ingested into the database. 

For any wide breadth policy you should ad the "Limit Data Retention" response rule to at least stop the attachments from being persisted into the Database.

You can add this response rule by going to Manage > Policies > Response Rules, in the action dialog select Limit Incident Data Retention, and then select discard attachment, and either "all" or "attachments with no Violations*".

*Please note, a wide policy in a large environment could still retain a large volume of data, please use discretion with CASB policies as they have the potential to scan a very large amount of data.

An enhancement request, ISFR-2037, has been submitted to change the default behavior and have the option to turn off Data Retention from the CASB side.

Please log a support case if you would like to be added to this feature request.