The number of Web Activity DIM incidents returned in the ICA Analyzer with an associated top-level domain (TLD) name may appear low relative to expectations.
Release : 6.5.x
Component : Analyzer
This situation can be produced by one or both of the following conditions:
Queries against the DLP database should show the following: for each incident in which the recipient domain name is NULL in ICA, the domain name was unresolved and represented as an IP address in DLP; for each incident in which the domain name is provided in ICA, the recipient domain name was successfully resolved in DLP.
The following query will provide a count of incidents in Symantec DLP in which the recipient domain name has not been resolved:
    USE RiskFabric
    -- Count DLP message recipients whose domain is NULL (not resolved).
    SELECT
        DOMAIN AS Domain,
        COUNT(MESSAGERECIPIENTID) AS Incidents
    FROM openquery
    (
        -- Linked server that points at the DLP PROTECT schema.
        [RISKFABRIC_DLP_RISKFABRIC_<DLP_Server_Name>_PROTECT],
        '
        SELECT
            DOMAIN,
            MESSAGERECIPIENTID
        FROM PROTECT.MESSAGERECIPIENT
        WHERE DOMAIN IS NULL
        '
    )
    GROUP BY DOMAIN
    ORDER BY Incidents DESC;
Replace <DLP_Server_Name> with the name of your Symantec DLP server.
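To compare the DLP side against the ICA counts in one pass, the following added example (not part of the original article) buckets recipients into NULL, IP-address and resolved-name groups using the same linked server, table and columns as the query above. It assumes that an unresolved recipient can carry an IPv4 literal in the DOMAIN column; the DomainState labels and the IPv4 pattern are illustrative, and IPv6 literals are not matched.

```sql
USE RiskFabric;

-- Added example: bucket DLP recipients by how DOMAIN is populated.
-- Assumption: an unresolved recipient may carry an IPv4 literal in DOMAIN.
-- The pass-through query returns every recipient row, so expect it to run
-- longer than the NULL-only count.
SELECT
    DomainState,
    COUNT(MESSAGERECIPIENTID) AS Incidents
FROM
(
    SELECT
        MESSAGERECIPIENTID,
        CASE
            WHEN DOMAIN IS NULL THEN 'NULL'
            -- Only digits and dots, with exactly three dots: treat as IPv4.
            WHEN DOMAIN NOT LIKE '%[^0-9.]%'
                 AND LEN(DOMAIN) - LEN(REPLACE(DOMAIN, '.', '')) = 3
                THEN 'IP address (unresolved)'
            ELSE 'Resolved name'
        END AS DomainState
    FROM openquery
    (
        [RISKFABRIC_DLP_RISKFABRIC_<DLP_Server_Name>_PROTECT],
        '
        SELECT
            DOMAIN,
            MESSAGERECIPIENTID
        FROM PROTECT.MESSAGERECIPIENT
        '
    )
) AS r
GROUP BY DomainState
ORDER BY Incidents DESC;
```

If the NULL and IP-address buckets together account for the incidents that show no domain name in ICA, the low count reflects unresolved recipients in DLP.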