Forcepoint DLP databases

Forcepoint DLP has two databases for incident and forensics data:

  • The incident database contains information about policy breaches, such as which rule was matched, how many times, what the violation triggers were, and the date, channel, source, ID, and more. It is stored in Microsoft SQL Server along with policy configuration data.

    When the incident database gets very large, it is partitioned so that it can be archived onto different physical disks. See the Archiving incident partitions section.

  • The forensics repository contains information about the transaction that resulted in an incident, such as the contents of an email body and the From, To, and Cc fields, as well as attachments, URL category, hostname, file name, and more.

    To configure the size and location of the forensics repository, see the Configuring the forensics repository section.

Both incident data and forensics data are displayed in the “Incidents, Last n days” report.