Can I retain the original message on an Endpoint Incident?
By default, the original message is not kept on an Endpoint incident. This is because of size and network constraints.
It is possible to keep the original message through a response rule.
Create a response rule. Under actions choose: All: Limit Incident Data Retention (Yes, this sounds like the opposite of what you want.)
All Endpoint Incidents (Including Endpoint Discover Incidents):
Check the box:
Retain Original Message:
Then attach the reponse rule to the policy that you want it to apply. The original message will be retained.
Note: Retain Original Message on incident may consume table space, if it was calculated by not retained, please monitor the usage. Also when 2-tier detection rule is used on Endpoint, the original message is retained on the incident on current release whether or not how the above Retain Original Message setting is.
Imported Document ID: TECH218833
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe