How are incidents persisted to the database in Data Loss Prevention?

Article ID: 160844

Updated On:

Products

Symantec Products

Issue/Introduction

Describe the workflow of incident persistence in Data Loss Prevention

Resolution

There are a number of different processes involved in the initial detection on a data channel, and it is beyond the scope of this document to address those variations.

After the content has been analyzed in memory on the detection server (the monitor), a valid policy violation that needs to be recorded causes the original communication to be captured and written to local disk. The incident is then transferred over the network to the Enforce Server (the manager), which writes the violation to the database. The specific workflow follows:
  1. Detection is run against data provided by the content extraction process.
  2. If an incident is created, the Incident Writer reads it and sends it to the Enforce Server (via the Monitor Controller process on the Enforce platform).
  3. Monitor Controller stores the incident on disk as a file ending in ".idc".
  4. Incident Persister reads the persisted incident and transforms it into the data model.
  5. Incident Persister runs the response rules against the incident.
  6. Incident Persister stores the incident in the database via JDBC.
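The following is an added toy model of steps 3 through 6, written for this article; it is not Symantec DLP code. The JSON spool format, the `.idc` naming, the `IncidentRecord` data model, the single severity response rule and the SQLite schema are all assumptions made for the illustration. What it shows is the property the spool file gives the real product: an incident is durable on disk before the persister touches it, a crash during the file write leaves no half-written `.idc` behind, and a replay of a `.idc` that was already committed (crash between the database commit and the file removal) does not produce a duplicate row.

```python
"""Toy model of the incident persistence workflow (added example, not DLP code).

Assumed: incidents are spooled as JSON in ".idc" files, the persister maps them
to IncidentRecord, applies one severity response rule, and inserts into SQLite
keyed on the incident id so replays are idempotent.
"""
import json
import os
import sqlite3
import tempfile
from dataclasses import dataclass
from pathlib import Path


def spool_incident(incident: dict, spool_dir: Path) -> Path:
    """Monitor Controller role (step 3): write the incident as a .idc file.

    Write to a temp file, fsync, then rename into place, so the persister never
    sees a partially written .idc if this process dies mid-write.
    """
    spool_dir.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=spool_dir, suffix=".tmp")
    with os.fdopen(fd, "w") as f:
        json.dump(incident, f)
        f.flush()
        os.fsync(f.fileno())
    final = spool_dir / f"{incident['id']}.idc"
    os.replace(tmp, final)  # atomic on POSIX and Windows within one volume
    return final


@dataclass
class IncidentRecord:
    """Persister's data model (assumed shape, step 4)."""
    id: str
    policy: str
    match_count: int
    severity: str


def to_data_model(raw: dict) -> IncidentRecord:
    """Step 4: transform the spooled dict into the data model."""
    return IncidentRecord(id=raw["id"], policy=raw["policy"],
                          match_count=int(raw["match_count"]), severity="Low")


def run_response_rules(rec: IncidentRecord) -> IncidentRecord:
    """Step 5: assumed response rule, escalate severity by match count."""
    if rec.match_count >= 10:
        rec.severity = "High"
    elif rec.match_count >= 3:
        rec.severity = "Medium"
    return rec


def init_db(conn: sqlite3.Connection) -> None:
    """Assumed schema; the incident id is the primary key."""
    conn.execute("CREATE TABLE IF NOT EXISTS incident ("
                 "id TEXT PRIMARY KEY, policy TEXT, match_count INTEGER, severity TEXT)")


def persist_spool(spool_dir: Path, conn: sqlite3.Connection) -> list:
    """Incident Persister role: steps 4 to 6 for every .idc in the spool.

    The INSERT ignores a duplicate id, so replaying a .idc that was committed
    before a crash (but not yet unlinked) records nothing twice. The file is
    removed only after the transaction commits.
    """
    processed = []
    for path in sorted(spool_dir.glob("*.idc")):
        with open(path) as f:
            raw = json.load(f)
        rec = run_response_rules(to_data_model(raw))
        with conn:  # commits on success, rolls back on exception
            conn.execute("INSERT OR IGNORE INTO incident VALUES (?, ?, ?, ?)",
                         (rec.id, rec.policy, rec.match_count, rec.severity))
        path.unlink()
        processed.append(rec.id)
    return processed


def demo():
    """Spool two constructed incidents, persist, then replay one of them."""
    with tempfile.TemporaryDirectory() as d:
        spool = Path(d) / "incidents"
        conn = sqlite3.connect(":memory:")
        init_db(conn)
        # Constructed sample incidents, not real DLP data.
        spool_incident({"id": "inc-001", "policy": "PCI", "match_count": 1}, spool)
        spool_incident({"id": "inc-002", "policy": "PII", "match_count": 12}, spool)
        first = persist_spool(spool, conn)
        # Simulate a crash after commit but before unlink: the same .idc reappears.
        spool_incident({"id": "inc-002", "policy": "PII", "match_count": 12}, spool)
        second = persist_spool(spool, conn)
        rows = conn.execute("SELECT id, policy, match_count, severity "
                            "FROM incident ORDER BY id").fetchall()
        return first, second, rows


if __name__ == "__main__":
    print(demo())
```

The two checks worth keeping in mind when troubleshooting the real pipeline are the same ones the toy makes explicit: a `.idc` file that lingers in the incidents directory means the persister has not yet completed step 6 for it, and the database key, not the file, is what prevents a re-read file from becoming a duplicate incident.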