We had an incident where someone thought they password-protected an email attachment but didn't. It got stopped on the ESG and now the very confidential attachment is sitting in Data Security.
A support case reveals there is no way to delete a DLP incident. While we could force the forensics to be deleted on Close, that would kill everything we need to keep.
We get why it's not advisable to delete DLP incidents, but in a case like this not deleting it carries more risk because the confidential attachment will be there for our three-year retention requirement. Deleting an incident should leave an audit trail so people know when it happened by whom and since DLP is not our only logging tool, other evidence would exist about the incident.
If there was a way to password-protect a specific incident to lock it from being viewed, that would also help.
As an aside, we also use DLP to block inbound executable attachments. Being able to delete those would be great so nobody accidentally releases one.