Removing Symantec DLP data source connections from ICA while preserving DIM incidents

Article ID: 206093

Products

Information Centric Analytics

Issue/Introduction

You may wish to deactivate or decommission a Symantec Data Loss Prevention (DLP) data source but preserve the Data In Motion (DIM) incidents from that system in Information Centric Analytics (ICA). Removing the data source integration in ICA will result in these DIM incidents being associated with a non-existent linked server identifier.

Environment

Release: 6.x

Component: Symantec Data Loss Prevention Integration Pack

Resolution

To decommission an existing Symantec DLP data source without orphaning existing DIM incidents, follow this procedure:

  1. Using SQL Server Management Studio (SSMS), change the LinkedServerType value for the existing DLP data source in the LinkedServers table to 'DLP-Disabled'.
  2. Using SSMS, delete the existing DLP Linked Server connection under Server Objects > Linked Servers.

NOTE: Do not delete the existing Symantec DLP integration using the Risk Fabric console; doing so will orphan existing incidents. By changing the linked server type, you are effectively disabling further processing of that data source connection without losing the data that had been previously ingested.
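The two steps above can also be run as a guarded T-SQL script from an SSMS query window; this is an added example, not Broadcom's own script. Everything named PLACEHOLDER (the ICA database name, the key column and value that identify the row, the linked server name) and the dbo schema are assumptions to replace with the values from your environment.

```sql
-- Added example. PLACEHOLDER names and the dbo schema are assumptions, not taken from the article.
USE [ICA_DATABASE_PLACEHOLDER];          -- placeholder: the ICA database
GO
SET XACT_ABORT ON;

-- Placeholder: value that identifies the DLP data source row in LinkedServers.
DECLARE @RowKey nvarchar(128) = N'ROW_KEY_PLACEHOLDER';
-- Placeholder: name of the connection shown under Server Objects > Linked Servers.
DECLARE @SqlLinkedServer sysname = N'LINKED_SERVER_NAME_PLACEHOLDER';

-- Review the row and record its current LinkedServerType before changing it.
SELECT *
FROM dbo.LinkedServers
WHERE [KEY_COLUMN_PLACEHOLDER] = @RowKey;

-- Step 1: mark the data source as disabled instead of deleting the integration.
BEGIN TRANSACTION;

UPDATE dbo.LinkedServers
SET LinkedServerType = 'DLP-Disabled'
WHERE [KEY_COLUMN_PLACEHOLDER] = @RowKey;

-- Refuse to commit unless exactly one data source row was changed.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    THROW 50000, 'Expected exactly one LinkedServers row; no change was made.', 1;
END

COMMIT TRANSACTION;

-- Step 2: drop the SQL Server linked server object, only if it still exists.
IF EXISTS (SELECT 1 FROM sys.servers
           WHERE name = @SqlLinkedServer AND is_linked = 1)
BEGIN
    EXEC master.dbo.sp_dropserver
         @server = @SqlLinkedServer,
         @droplogins = 'droplogins';     -- also removes the stored login mappings
END
```

Because the script throws before reaching step 2 when the update does not match exactly one row, the linked server object is never dropped while the ICA row still carries its original type.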

If you require assistance with performing either of the steps in this procedure, contact Broadcom support.