When viewing an entity in the Information Centric Analytics (ICA) Risk Fabric console, details such as the user name, manager, phone, department, etc., are blank. Searches for the entity by e-mail address or account name may also fail to return results.
Version: 6.x
This is caused by a disconnect between the entity details associated with events and the entity records as retrieved via ICA's integration with Active Directory (AD) or another organizational system of record.
In most cases, this occurs when a security event data source (for example, Symantec DLP) is integrated with ICA prior to integrating any entity data source (for example, Active Directory); however, this may also occur in an environment in which a secondary entity data source has been integrated to enrich entity records but the domain name specified does not match the domain name parsed from each account's distinguished name in Active Directory by ICA's staging process. In both cases, duplicate records will be created for each entity, with some details missing from each.
This condition can also arise if certain fields are not mapped in an import rule mapping for a user-defined integration. For example, if domain name and account name fields are not mapped, user enrichment data will not be mapped to existing users. Likewise, if certain metadata attribute fields (for example, department or organization) are not mapped, those details will not be mapped to existing entities.
Determine whether the problem is specific to a single entity or applies to most entities. If the latter, review the import rule mappings for each of your entity data sources to confirm all fields are mapped as expected.
If all mappings are correct and you have integrated Active Directory using ICA's Active Directory Connector Utility, execute the following query to determine whether the parsed domain name matches the default domain name you specified at the time ICA was installed:
SELECT DISTINCT domain FROM RiskFabric.dbo.Stg_AD_User WITH (NOLOCK)
UNION ALL
SELECT DISTINCT [value] FROM RiskFabric.dbo.PortalSettings WHERE [name] = N'DefaultDomain';
If the query results do not match, contact Broadcom Support to discuss options for correcting this discrepancy.
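The following read-only variant of the check above is an added example, not part of the original article or of ICA itself. It uses only the tables and columns named in the query above and assumes that both `domain` and `[value]` are character data. It reports how many staged accounts fall under each parsed domain and whether that domain matches the configured default.

```sql
-- Added example: read-only comparison of parsed AD domains against the
-- DefaultDomain portal setting. Column data types are assumed to be
-- character data; adjust the CAST length if your values are longer.
DECLARE @DefaultDomain nvarchar(255);

SELECT @DefaultDomain = CAST([value] AS nvarchar(255))
FROM RiskFabric.dbo.PortalSettings WITH (NOLOCK)
WHERE [name] = N'DefaultDomain';

SELECT
    s.domain        AS ParsedDomain,
    @DefaultDomain  AS DefaultDomain,
    COUNT(*)        AS StagedAccounts,
    CASE
        -- Accounts whose distinguished name produced no domain at all
        WHEN s.domain IS NULL OR LTRIM(RTRIM(s.domain)) = N'' THEN 'MISSING'
        -- Comparison follows the column collation, so on a
        -- case-insensitive collation CORP and corp count as a match
        WHEN LTRIM(RTRIM(s.domain)) = LTRIM(RTRIM(@DefaultDomain)) THEN 'MATCH'
        -- Also reached when the DefaultDomain setting is absent (NULL)
        ELSE 'MISMATCH'
    END             AS DomainStatus
FROM RiskFabric.dbo.Stg_AD_User AS s WITH (NOLOCK)
GROUP BY s.domain
ORDER BY StagedAccounts DESC;
```

Any row marked MISMATCH or MISSING identifies the accounts affected by the discrepancy, and the row counts are useful to include when opening a support case.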
If you integrated ICA with security event data sources prior to integrating any entity data sources, contact Broadcom Support for assistance with purging entity records created from your security event data source(s).