My understanding is that DLP threat events differ from DLP incidents. Is there any ‘link’ or ‘dependency’ for operational purposes? If, for example, DLP threat events were purged after 3 months, could this purge impact any active DLP incidents (i.e. if a DLP incident is 6 months old, does it in any way rely on any data stored in the threat event data, or does it have its own ‘copy’ of the details)?
For the sake of this example, the threat event in question is DLP threat event 19115, which refers to an empty CD/DVD. Apparently this may be a bug. If I were to disable/suppress the logging of this threat event, how would it impact the incident logging mentioned in the first paragraph?
Also, is there a way to selectively reduce the frequency of certain events? For example, DLP threat event 19115 tells us every minute that "CD/DVD tray is empty" or something along those lines.
Can events be purged in a selective manner? For example, purge events 1112 and 1113 but retain event ID 1111.
Lastly, what is the best method to archive DLP events/incidents data?