You want to retain file or message attachments from offending incidents up to a particular size for example 20 MB but do not want to retain files or attachments above that size because it will significantly increase the size of your Data Loss Prevention (DLP) database.
You will need to create two separate policies based on size detection. The first policy will be used to identify message attachments or files less than the required file size to be retained and the second policy will be quite similar in that you will identify message attachments or files great than the required file size without retaining the file or attachment.
Part I:
Create a Response Rule to retain the original message attachment as follows:
In the Enforce UI go to Manager > Response Rules
Click Add Response Rule
Click Next with the default type of response rule: Automated Response
Enter the Rule Name and Description.
Under Actions choose: All: Limit Incident Data Retention (Yes, this sounds like the opposite of what you want.) and click Add Action
For All Endpoint Incidents (Including Endpoint Discover Incidents) check the box: Retain Original Message
Part II:
In the Enforce UI go to Manager > Policy List
Select and Edit your original policy
Now you will need to add a Detection Rule that contains the content matching condition to match the required content as desired.
On the Detection open or edit your existing rule.
In the Conditions field click into the Also Match: Match... drop down box and select the condition Message Attachment or File Size Match.
Now enter the maximum size of attachments that you want to match and retain by selecting the Less Than.
Enter a number, and select the unit of measure: bytes, kilobytes (KB), megabytes (MB), or gigabytes (GB). Save the rule by clicking Ok.
Next go to the Response tab
From the drop down box select the Response Rule you created and click Add Response Rule.
Click on the Save button.
Part III:
Next create a new policy almost replicating the same rules but with two changes do not apply the Response Rule to retain the original message and also change the condition for "Message Attachment or File Size Match" from Less Than to Greater Than so it is the opposite of the first policy so it will only detect files greater than the specified size.