We have a need to search past incidents for specific text in any field (body, sender, attachments if still contained in the DB, etc.) to identify details of certain patterns. For instance, if we come across a suspicious credit card number, we want to see if it was ever found in any other DLP incidents.
Or if someone emails a document whose name includes a version number in the attachment name, we want to be able to identify all versions of that doc. Currently, we are limited to the correlations, but that is only useful if the document name is the same every time, or we could search through every incident from a specific sender, but that gets to be too big of a job when the sender has thousands of incidents.