We have to save Incidents and evidence for two years, but the DLP Incident Task 'Purge Incidents' will delete part of it. What could you suggest? Is it possible to extend this limit to more than 5,000,000? Or are there some possibilities to archive events and, when needed, access them with the ability to also get (decrypt) the proper evidence?
There is no mechanism in place to increase the limit past 5,000,000 incidents. However, exporting incidents using Case Management could be an option.
For example, go to Incident Manager and select the desired incidents to add to a Case.
Once the Case is created, go to DLP Case Management under Data Protection. Select the Case ID, click actions, then Export Selected Cases.
The exported .zip file contains a separate folder for each case. Each case folder contains matching incident sub-folders with details.
You have the option to add the decrypted evidence files and match-string files to each incident ID subfolder, add a CSV file with incidents list information, or add a CSV file with details about each evidence file.