Reconciling Web Activity DIM incident counts between Symantec DLP and the ICA Analyzer

Article ID: 201738

Products

Information Centric Analytics Data Loss Prevention Core Package

Issue/Introduction

The number of Web Activity DIM incidents returned in the ICA Analyzer with an associated top level domain (TLD) name may appear low relative to expectations.

Cause

This situation can be produced by one or both of the following conditions:

  1. The number of messages violating Web Activity policies in DLP is low relative to expectations.
  2. The number of incidents with an unresolved recipient domain name is high relative to expectations.

Environment

Release : 6.5.x

Component : Analyzer

Resolution

Queries against the DLP database should show that, for each incident whose recipient domain name is NULL in ICA, the domain name was unresolved in DLP and is represented there as an IP address; for incidents whose recipient domain name is populated in ICA, the domain name had been successfully resolved in DLP.

The following query will provide a count of incidents in Symantec DLP in which the recipient domain name has not been resolved:

-- Run from the ICA (RiskFabric) database; the DLP database is reached through the linked server.
USE RiskFabric;
SELECT
 DOMAIN AS Domain,
 COUNT(MESSAGERECIPIENTID) AS Incidents
-- The linked server name embeds the DLP server name; DLPServerName is a placeholder.
FROM openquery
 (
  [RISKFABRIC_DLP_RISKFABRIC_DLPServerName_PROTECT],
  '
  SELECT
   DOMAIN,
   MESSAGERECIPIENTID
  FROM PROTECT.MESSAGERECIPIENT
  WHERE DOMAIN IS NULL
  '
 )
-- Every returned row has a NULL domain, so the result is a single row with the unresolved total.
GROUP BY DOMAIN
ORDER BY Incidents DESC
;

Replace DLPServerName with the name of your Symantec DLP server.
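The reconciliation the Resolution section describes, as an added example that is not part of this article or of the ICA product: a Python script that uses an in-memory SQLite table with constructed sample rows in place of PROTECT.MESSAGERECIPIENT, because the linked-server OPENQUERY cannot be run offline. It applies the same DOMAIN IS NULL filter as the query above, additionally treats IP-literal DOMAIN values as unresolved (the article notes that unresolved recipients appear as IP addresses in DLP), and tallies resolved recipients by TLD, which is the figure the per-TLD count in the ICA Analyzer should line up with. The function names, the sample rows and the IP-literal classification are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample rows standing in for PROTECT.MESSAGERECIPIENT in DLP
# (MESSAGERECIPIENTID, DOMAIN). NULL or an IP literal means the recipient
# domain was never resolved; these are not real incident data.
SAMPLE_RECIPIENTS = [
    (1, "example.com"),
    (2, "mail.example.com"),
    (3, "files.example.org"),
    (4, None),
    (5, "203.0.113.7"),
    (6, None),
    (7, "cdn.example.net"),
]

# Dotted-quad IPv4 literal; assumption: DLP stores unresolved recipients this way.
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def load_sample_db():
    """Build an in-memory stand-in for the DLP MESSAGERECIPIENT table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MESSAGERECIPIENT "
        "(MESSAGERECIPIENTID INTEGER PRIMARY KEY, DOMAIN TEXT)"
    )
    conn.executemany("INSERT INTO MESSAGERECIPIENT VALUES (?, ?)", SAMPLE_RECIPIENTS)
    return conn


def unresolved_count(conn):
    """Same filter as the article's query, run locally instead of via OPENQUERY."""
    row = conn.execute(
        "SELECT COUNT(MESSAGERECIPIENTID) FROM MESSAGERECIPIENT WHERE DOMAIN IS NULL"
    ).fetchone()
    return row[0]


def tld_of(domain):
    """Top-level label of a hostname, lower-cased (example.com -> com)."""
    return domain.rsplit(".", 1)[-1].lower()


def reconcile(conn):
    """Split DLP recipients into resolved (by TLD) and unresolved buckets.

    The resolved-by-TLD totals are what the ICA Analyzer can attribute to a
    TLD; NULL and IP-literal domains explain the gap against the DLP total.
    """
    rows = conn.execute("SELECT MESSAGERECIPIENTID, DOMAIN FROM MESSAGERECIPIENT").fetchall()
    summary = {"total": len(rows), "null_domain": 0, "ip_literal": 0, "resolved_by_tld": {}}
    for _, domain in rows:
        if domain is None:
            summary["null_domain"] += 1
        elif IP_LITERAL.match(domain):
            summary["ip_literal"] += 1
        else:
            tld = tld_of(domain)
            summary["resolved_by_tld"][tld] = summary["resolved_by_tld"].get(tld, 0) + 1
    summary["unresolved"] = summary["null_domain"] + summary["ip_literal"]
    summary["resolved"] = sum(summary["resolved_by_tld"].values())
    return summary


if __name__ == "__main__":
    db = load_sample_db()
    print("DOMAIN IS NULL count:", unresolved_count(db))
    for key, value in reconcile(db).items():
        print(f"{key}: {value}")
```

If the resolved total in this breakdown matches the Analyzer's per-TLD count while the unresolved total is large, the second cause listed above (unresolved recipient domains) accounts for the shortfall; if both totals are small, the first cause (few Web Activity policy violations in DLP) applies.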