The original message in a DLP SMTP Incident is missing several attachments.

Article ID: 389362


Products

Data Loss Prevention Network Monitor and Prevent for Email; Data Loss Prevention Enterprise Suite; Data Loss Prevention Network Email; Data Loss Prevention Network Monitor; Data Loss Prevention Network Monitor and Prevent for Email and Web; Data Loss Prevention Network Prevent for Email

Issue/Introduction

An SMTP incident shows multiple attachments to an email, but when the original message is downloaded from the incident and viewed, there is only one attachment.

Resolution

This can occur for the following reasons:

1. The missing attachments contained no violations and were discarded because the policy contains a Response Rule with the action Limit Incident Data Retention in which the option Discard Attachments with no Violations is selected. Review your policy response rules to verify whether this is occurring, and modify the response rule as required.

2. The missing attachments are embedded within the attachment(s) that are present. Review the one attachment that is present to identify the embedded files, and verify that they match what is shown in the incident Attachments list. An incident includes embedded files in the attachment list because content extraction is performed on the embedded files too. This may appear slightly confusing, but it is correct.

3. There has been an unexpected issue en route for the email. If this is your scenario, it is best to open a DLP Technical Support case to investigate the source of the issue.
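
For reason 2, one way to compare the downloaded original message with the incident Attachments list is to enumerate the files embedded in each attachment. The Python below is an added example, not part of the product or of this article; it assumes the embedded files sit in attached e-mails or .zip archives, and the sample message and file names are constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def expand(name, data, found):
    """Record one file and, if it is a .zip archive, the files inside it."""
    found.append(name)
    # Only *.zip names are opened; Office files are ZIP containers as well.
    if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    expand(f"{name}/{info.filename}", zf.read(info), found)

def walk(msg, prefix, found):
    """Collect attachments of one message, descending into attached e-mails."""
    for part in msg.iter_attachments():
        name = prefix + (part.get_filename() or "unnamed")
        if part.get_content_type() == "message/rfc822":
            found.append(name)
            walk(part.get_content(), name + "/", found)
        else:
            expand(name, part.get_payload(decode=True) or b"", found)

def list_attachments(raw):
    """Return (top-level names, all names including embedded files)."""
    msg = message_from_bytes(raw, policy=policy.default)
    top = [p.get_filename() or "unnamed" for p in msg.iter_attachments()]
    found = []
    walk(msg, "", found)
    return top, found

def constructed_sample():
    """Constructed test message: one attached e-mail that carries a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("forecast.csv", "region,amount\n")
        zf.writestr("notes.txt", "constructed sample\n")
    inner, outer = EmailMessage(), EmailMessage()
    inner.set_content("Original mail.")
    inner.add_attachment(buf.getvalue(), maintype="application",
                         subtype="zip", filename="reports.zip")
    outer.set_content("Forwarding.")
    outer.add_attachment(inner, filename="forwarded.eml")
    return outer.as_bytes()

if __name__ == "__main__":
    print(list_attachments(constructed_sample()))
```

To use it on a real incident, pass the bytes of the downloaded original message to `list_attachments` and compare the second list with the incident Attachments list.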
