Symantec DLP incidents do not immediately appear in the Information Centric Analytics (ICA) console but are visible in the Enforce console.
Release: 6.5.x
Component: Symantec DLP Integration Pack
Symantec DLP incidents must first be reported to the Enforce server before they can be ingested by ICA. Once a DLP endpoint agent reports an incident to Enforce, the incident will be ingested into ICA during the next intraday or nightly RiskFabric processing job run. Depending upon the frequency of these jobs' schedules and the gap between an incident's Occurred On and Reported On timestamps, there may be a significant delay between the date and time at which an incident occurred and its availability in the ICA database.
For example, a DLP endpoint agent installed on a laptop that was disconnected from the network detected a policy violation on April 1, 2021 at 23:50. This is the Occurred On date. The laptop was not reconnected to the network until 08:05 on April 2nd, at which point the agent reported the incident to Enforce. This is the Reported On date. The RiskFabric Intraday Processing job was scheduled to run at the top of the hour every hour between 06:00 and 23:00 daily. Because the job at 08:00 had already started, the incident reported to Enforce at 08:05 wasn't processed into ICA until the 09:00 job ran. Cumulatively, this meant more than ten hours elapsed between when the incident occurred and when the incident was ingested into ICA, but only an hour or so elapsed between when the incident was first reported to Enforce and when it was ingested into ICA.
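The timing in this example can be split into its two components with a short script. This is an added example, not code from Symantec or the ICA product: the function names are hypothetical, the schedule defaults mirror the hourly 06:00 to 23:00 job described above, and it assumes a run picks up any incident reported at or before the run's start time. It also covers reports that arrive outside the job window.

```python
from datetime import datetime, timedelta


def next_job_start(reported_on, first_hour=6, last_hour=23):
    """Earliest top-of-the-hour job start at or after reported_on.

    Assumption: jobs start hourly from first_hour to last_hour inclusive.
    """
    # Round up to the next top of the hour (unchanged if already on the hour).
    candidate = reported_on.replace(minute=0, second=0, microsecond=0)
    if candidate < reported_on:
        candidate += timedelta(hours=1)
    if candidate.hour < first_hour:
        # Before the daily window opens: wait for the first run of the day.
        candidate = candidate.replace(hour=first_hour)
    elif candidate.hour > last_hour:
        # After the last run of the day: wait for the first run tomorrow.
        candidate = (candidate + timedelta(days=1)).replace(hour=first_hour)
    return candidate


def explain_delay(occurred_on, reported_on, **schedule):
    """Split the delay into agent reporting lag and wait for the next job."""
    if reported_on < occurred_on:
        raise ValueError("Reported On precedes Occurred On; check clock skew")
    job_start = next_job_start(reported_on, **schedule)
    return {
        "agent_lag": reported_on - occurred_on,   # Occurred On -> Reported On
        "queue_wait": job_start - reported_on,    # Reported On -> job start
        "job_start": job_start,                   # earliest run that can ingest
    }


if __name__ == "__main__":
    # Timestamps taken from the example in the article.
    result = explain_delay(datetime(2021, 4, 1, 23, 50),
                           datetime(2021, 4, 2, 8, 5))
    for name, value in result.items():
        print(f"{name}: {value}")
```

The job start is a lower bound on availability in ICA, because the processing job itself takes time to complete.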
If you suspect there is an abnormal delay before an incident is available in ICA, check the following:
From the Symantec DLP Data Loss Prevention Help Center: About Endpoint Incident Lists