search cancel

Symantec DLP incidents are not associated to users in ICA


Article ID: 211834


Updated On:


Information Centric Analytics


Users may encounter situations in which DIM incidents from Symantec DLP are not associated to users, or to the correct user, in the ICA console.


Release : 6.5.x

Component : Symantec DLP


Users are associated to DIM incidents from Symantec DLP based on either of the following:

  1. NETBIOSDomain + AccountName (a combination of two fields)
  2. NETWORKSENDERIDENTIFIER (typically an e-mail address)

If no records in the ICA database table LDW_Users match either of the above values, the user is assumed to not exist and is created in the table LDW_Users. Note that the NETBIOSDomain name needs to match the Default Domain value specified in the ICA console's general settings for the first method to work.


  1. Ensure users are associated with incidents in the Symantec DLP database
  2. Ensure the value of the setting Default Domain matches that of the users in question:
    • Admin > Settings > General > Default Domain