Incorrect or missing DIM incident user association
Article ID: 211834

Products

Information Centric Analytics

Issue/Introduction

Data In Motion (DIM) incidents from Symantec Data Loss Prevention (DLP) are not associated with a user, or with the correct user, in Information Centric Analytics (ICA) Risk Fabric; consequently, these incidents may be missing user IDs or account names in the Risk Fabric console.

For example, when using the Analyzer to create a view displaying the top 10 users with very unusual incidents in the last 30 days, you include the User > Account Name dimension with the DIM Incident Count measure and find many incidents are associated with the account name 'None' even though each incident has a user association in DLP.

Environment

Release : 6.x

Component : Symantec Data Loss Prevention Integration Pack

Cause

In ICA 6.7 (6.7.0.0), DIM incidents from Symantec DLP are mapped to user entities with a match on either of the following keys:

  1. NetBIOSDomain + AccountName (a composite of two values) for all incident types except Network
  2. NetworkSenderIdentifier (typically an e-mail address, but may also be in the format WinNT://%/%/) for Network incidents

If no record in the RiskFabric relational database table dbo.LDW_Users matches either of the above keys, the user is assumed not to exist and a new record is created in the LDW_Users table (see the second note below).

NOTE1: The NetBIOSDomain value needs to match the Default Domain value specified in the ICA console's general settings for the first method to work.

NOTE2: Network incidents may instead be mapped to the Network Endpoint (NE) entity type if the incident's sender identifier matches any of the following formats:

  • HTTP/S
  • FTP
  • IP address
  • An e-mail address that is not extant in the dbo.LDW_Users table
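The following Python walks a DIM incident through the mapping rules described above so you can see which rule a given incident falls under. It is an added illustration, not code from the article or from the ICA product; the Default Domain value, the stand-in contents of dbo.LDW_Users, case-insensitive domain comparison, and reporting a Default Domain mismatch as no user association are all assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed value of the ICA setting Admin > Settings > General > Default Domain.
DEFAULT_DOMAIN = "CORP"
# Constructed stand-in for dbo.LDW_Users with the two match keys the article
# describes: a (NetBIOSDomain, AccountName) composite and an e-mail address.
LDW_USERS = {("CORP", "jdoe"), "jdoe@example.com"}
WINNT_RE = re.compile(r"^WinNT://[^/]+/[^/]+/?$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

@dataclass
class DimIncident:
    channel: str  # e.g. "Endpoint", "Discover", "Network"
    netbios_domain: Optional[str] = None
    account_name: Optional[str] = None
    network_sender_identifier: Optional[str] = None

def is_ip_address(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def classify(inc: DimIncident, users=LDW_USERS, default_domain=DEFAULT_DOMAIN):
    """Return (entity_type, key, reason); "None" is the 'None' account seen in Analyzer."""
    if inc.channel.lower() != "network":
        # Every channel except Network matches on NetBIOSDomain + AccountName.
        if not (inc.netbios_domain and inc.account_name):
            return "None", None, "incident carries no NetBIOSDomain + AccountName"
        key = (inc.netbios_domain, inc.account_name)
        if inc.netbios_domain.upper() != default_domain.upper():
            return "None", key, "NetBIOSDomain differs from ICA Default Domain (NOTE1)"
        if key in users:
            return "User", key, "matched an existing LDW_Users record"
        return "User", key, "no match; a new LDW_Users record is created"
    # Network channel: the NetworkSenderIdentifier decides the mapping.
    sid = inc.network_sender_identifier or ""
    if sid.lower().startswith(("http://", "https://", "ftp://")) or is_ip_address(sid):
        return "NetworkEndpoint", sid, "HTTP/S, FTP or IP sender identifier (NOTE2)"
    if sid in users:
        return "User", sid, "e-mail matched an existing LDW_Users record"
    if WINNT_RE.match(sid):
        return "User", sid, "WinNT://domain/user/ identifier; record created if absent"
    if EMAIL_RE.match(sid):
        return "NetworkEndpoint", sid, "e-mail not extant in LDW_Users (NOTE2)"
    return "None", sid or None, "unrecognised sender identifier"
```

Feed it the channel and identifier fields of an incident that shows as 'None' in Analyzer; the reason string points at the note or key that needs checking.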

Resolution

To investigate the cause of a missing or incorrectly mapped user account for a DIM incident in the ICA console:

  1. Ensure users are associated with incidents in the Symantec DLP database and that the user identifier is appropriate for the incident channel type. For example, an endpoint incident should include the NetBIOSDomain + AccountName key pair, whereas a network incident should provide either an e-mail address or an identifier in the format WinNT://%/%/.
  2. Ensure the value of the ICA portal setting Default Domain matches that of the users in question by navigating to Admin > Settings > General and searching for the setting Default Domain.

If you have integrated Symantec Edge SWG (SGOS versions 6.7.5.23 or 7.3.4.1 and later) with Symantec DLP, Edge SWG incidents are sent to DLP with the header X-SYMC-User-Email-Address rather than the X-Authenticated-User header. Refer to the KB article "EdgeSWG is sending incorrect User ID to DLP servers" for more information. ICA 6.7 has been updated to handle the X-SYMC-User-Email-Address sender identifier format on these incidents.