Why do incidents with no attachments take up space in external storage?

Article ID: 277273

Products

Data Loss Prevention Core Package

Issue/Introduction

You have set up external storage and your policies are set to not retain attachments, but the external storage directory is still growing, and you would like to know why.

Environment

Applicable to any DLP version (DLP 15.8 and 16.0 at the time of writing).

Cause

Even though you have removed the attachment that created the incident, we still retain portions of the offending data.

You could have a 5 MB file that contained 100 Social Security numbers.

Example: 123-45-6789 = 11 bytes of data for 1 SSN.

In this case, we would have dropped the 5 MB attachment, but we still retain the offending portion, which in this case would equal 11,000 bytes or 11 KB, because we have to show you the data that created the incident.

Incidents with OCR images will also take up more space, as we have to provide you with the portion of the data that created the incident. With images, there is no way to extract just the offending portion, so you end up with a copy of the image as evidence.

Resolution

Working as designed 

Additional Information

Please note:

There is currently a feature request under evaluation to provide a way in the incidents list to filter for incidents generated by OCR.

The feature request number is PM-3261. If this is desirable to your organization, please put in a support ticket and request to have your organization added to that request.