Symantec DLP incidents are not associated to users in ICA

book

Article ID: 211834

calendar_today

Updated On:

Products

Information Centric Analytics

Issue/Introduction

Users may encounter situations in which DIM incidents from Symantec DLP are not associated to users, or to the correct user, in the ICA console.

Cause

Users are associated to DIM incidents from Symantec DLP based on either of the following:

  1. NETBIOSDomain + AccountName (a combination of two fields)
  2. NETWORKSENDERIDENTIFIER (typically an e-mail address)

If no records in the ICA database table LDW_Users match either of the above values, the user is assumed to not exist and is created in the table LDW_Users. Note that the NETBIOSDomain name needs to match the Default Domain value specified in the ICA console's general settings for the first method to work.

Environment

Release : 6.5.x

Component : Symantec DLP

Resolution

  1. Ensure users are associated with incidents in the Symantec DLP database
  2. Ensure the value of the setting Default Domain matches that of the users in question:
    • Admin > Settings > General > Default Domain