Proofpoint PPAN01 Exam - Topic 5 Question 11 Discussion

If evidence disappears due to routine purge, the correct recommendation is to re-evaluate retention to preserve artifacts needed for investigations, legal review, and lessons learned (D). In Proofpoint-focused IR, key evidence often includes message traces (Smart Search), TAP threat metadata (campaign association, URL/attachment verdicts), click telemetry, quarantine/pull actions (TRAP), and raw message artifacts (.eml with full headers). If these are purged too quickly, responders lose the ability to reconstruct timelines, confirm scope (who received/clicked), and prove containment effectiveness. NIST-aligned preparation requires retention policies that match realistic detection and reporting windows---especially for low-and-slow campaigns, supplier compromise, and credential abuse that may be discovered days or weeks later. The recommendation is not to ignore the gap or assume ''it was fine before''; it is to adjust retention to support IR requirements, including longer log retention, mailbox audit log duration, and secure storage for forensic artifacts. In practice, teams define retention based on regulatory obligations, business risk, and mean-time-to-detect, then implement controls to prevent premature deletion of high-value evidence during active incidents.