Incorrect or missing DIM incident user association

Article ID: 211834

Products

Information Centric Analytics

Issue/Introduction

Data In Motion (DIM) incidents from Symantec Data Loss Prevention (DLP) are not associated with a user, or are associated with the wrong user, in the Information Centric Analytics (ICA) console.

Environment

Release: 6.x

Component: Symantec DLP Integration Pack

Cause

Users are associated with DIM incidents from Symantec DLP by a match on either of the following keys:

  1. NetBIOSDomain + AccountName (a composite of two values)
  2. NetworkSenderIdentifier (typically an e-mail address, but may also be in the format WinNT://)

If no record in the RiskFabric relational database table dbo.LDW_Users matches either of the above keys, the user is assumed not to exist and is created in the table LDW_Users. Note that the NetBIOSDomain value needs to match the Default Domain value specified in the ICA console's general settings for the first method to work.

Resolution

To investigate the cause of the missing or incorrectly mapped user account for a DIM incident in the ICA console:

  1. Ensure users are associated with incidents in the Symantec DLP database and that the user identifier is appropriate for the type of incident.
    For example, an endpoint incident should include the NetBIOSDomain + AccountName key pair, whereas a network incident should provide either an e-mail address or an identifier in the format WinNT://
  2. Ensure the value of the ICA setting Default Domain matches that of the users in question by navigating to Admin > Settings > General and searching for the setting Default Domain.
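
The matching rules described under Cause can be modelled to see which check fails for a given incident. The following is an added example, not code from ICA or Symantec DLP: the field names, the case-insensitive comparison and the sample records are assumptions made for illustration, and the NetworkSenderIdentifier is compared as an opaque string.

```python
# Added illustration: models the two matching keys described under Cause.
# Field names and sample records are constructed; this is not ICA's schema or code.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    netbios_domain: str
    account_name: str
    sender_identifier: str

@dataclass(frozen=True)
class Incident:
    netbios_domain: str = ""
    account_name: str = ""
    network_sender_identifier: str = ""

def norm(value):
    # Assumption: keys compare case-insensitively, ignoring surrounding spaces.
    return value.strip().casefold()

def resolve(incident, users, default_domain):
    """Return (outcome, detail) for one incident under the two documented keys."""
    notes = []
    domain, account = norm(incident.netbios_domain), norm(incident.account_name)
    # Key 1: NetBIOSDomain + AccountName; needs the domain to equal Default Domain.
    if not (domain and account):
        notes.append("composite key incomplete")
    elif domain != norm(default_domain):
        notes.append("NetBIOSDomain differs from Default Domain")
    elif any((norm(u.netbios_domain), norm(u.account_name)) == (domain, account)
             for u in users):
        return ("matched", "NetBIOSDomain + AccountName")
    else:
        notes.append("no user with this NetBIOSDomain + AccountName")
    # Key 2: NetworkSenderIdentifier, compared as an opaque string.
    sender = norm(incident.network_sender_identifier)
    if not sender:
        notes.append("NetworkSenderIdentifier empty")
    elif any(norm(u.sender_identifier) == sender for u in users):
        return ("matched", "NetworkSenderIdentifier")
    else:
        notes.append("no user with this NetworkSenderIdentifier")
    # Neither key matched: per the article, a new user record gets created.
    return ("new user created", "; ".join(notes))

USERS = [User("CORP", "jdoe", "jdoe@example.com")]  # constructed sample user
INCIDENTS = [Incident("CORP", "jdoe"), Incident("LEGACY", "jdoe"),  # constructed
             Incident(network_sender_identifier="JDoe@example.com"), Incident()]

if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc, "->", resolve(inc, USERS, default_domain="CORP"))
```

The detail string returned with "new user created" names the check that failed for each key, which corresponds to the two items to verify in the Resolution steps.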