Hello,
Add a Response Rule in the policy to retain all attachments (no matter is endpoint or network) should be enough to let the incident retain the attachments / violation files.
But you should be aware that in certain types of incidents (e.g. print, application file access) is not possible to retain the attachments.
BR,
Morgado