Delay in availability of Symantec DLP incidents in ICA
Article ID: 213825

Products

Information Centric Analytics Data Loss Prevention

Issue/Introduction

Symantec DLP incidents do not immediately appear in the Information Centric Analytics (ICA) console but are visible in the Enforce console.

Environment

Release : 6.5.x

Component : Symantec DLP Integration Pack

Cause

Symantec DLP incidents must first be reported to the Enforce server before they can be ingested by ICA. Once a DLP endpoint agent reports an incident to Enforce, the incident will be ingested into ICA during the next intraday or nightly RiskFabric processing job run. Depending upon the frequency of these jobs' schedules and the gap between an incident's Occurred On and Reported On timestamps, there may be a significant delay between the date and time at which an incident occurred and its availability in the ICA database.

For example, a DLP endpoint agent installed on a laptop that was disconnected from the network detected a policy violation on April 1, 2021 at 23:50. This is the Occurred On date. The laptop was not reconnected to the network until 08:05 on April 2nd, at which point the agent reported the incident to Enforce. This is the Reported On date. The RiskFabric Intraday Processing job was scheduled to run at the top of the hour every hour between 06:00 and 23:00 daily. Because the job at 08:00 had already started, the incident reported to Enforce at 08:05 wasn't processed into ICA until the 09:00 job ran. Cumulatively, this meant more than ten hours elapsed between when the incident occurred and when the incident was ingested into ICA, but only an hour or so elapsed between when the incident was first reported to Enforce and when it was ingested into ICA.

Resolution

If you suspect there is an abnormal delay before an incident is available in ICA, check the following:

  1. Occurred On date
  2. Reported On date
  3. RFCreated date for the SourceIncidentID in the RiskFabric table LDW_DIMIncidents
  4. SQL Server Agent job history for the RiskFabric Processing and RiskFabric Intraday Processing jobs
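The scheduling arithmetic behind the example in the Cause section and the four checks above, as an added illustration that is not part of the article or of the ICA product: given an incident's Occurred On and Reported On timestamps and the RFCreated value read from LDW_DIMIncidents, it works out which scheduled RiskFabric run should have ingested the incident, splits the total delay into the endpoint reporting gap and the ICA ingestion gap, and lists any runs that passed without ingesting it (the cue to look at SQL Server Agent job history). The intraday schedule is the article's (hourly, 06:00 to 23:00); the nightly job time of 01:00 and the sample RFCreated values are assumptions.

```python
from datetime import datetime, timedelta

# Schedule from the article: RiskFabric Intraday Processing at the top of every
# hour, 06:00 through 23:00. The nightly job's time is NOT given by the article;
# 01:00 is an assumption made for this example.
INTRADAY_HOURS = range(6, 24)
NIGHTLY_HOUR = 1


def next_processing_run(reported_on: datetime) -> datetime:
    """Earliest scheduled run that can ingest an incident reported at `reported_on`.

    A run starting in the same hour as the report is treated as already started,
    so the incident waits for the following run (08:05 -> 09:00 in the article).
    """
    candidate = reported_on.replace(minute=0, second=0, microsecond=0)
    for _ in range(48):  # the schedule repeats daily; two days is ample
        candidate += timedelta(hours=1)
        if candidate.hour in INTRADAY_HOURS or candidate.hour == NIGHTLY_HOUR:
            return candidate
    raise RuntimeError("no scheduled run within 48 hours")


def scheduled_runs(start: datetime, end: datetime) -> list:
    """Scheduled runs r with start <= r < end; `start` must itself be a run time."""
    runs, r = [], start
    while r < end:
        runs.append(r)
        r = next_processing_run(r)
    return runs


def analyze_delay(occurred_on: datetime, reported_on: datetime, rf_created: datetime) -> dict:
    """Split the Occurred On -> RFCreated gap into its parts and flag skipped runs."""
    expected = next_processing_run(reported_on)
    # Runs that started after the report but before the row appeared in
    # LDW_DIMIncidents; the last of them is the one that finally ingested it.
    passed = scheduled_runs(expected, rf_created)
    return {
        "reporting_delay": reported_on - occurred_on,  # endpoint offline; outside ICA
        "expected_run": expected,
        "ingestion_delay": rf_created - reported_on,   # the part ICA scheduling controls
        "total_delay": rf_created - occurred_on,
        "missed_runs": passed[:-1],  # non-empty -> check SQL Server Agent job history
    }


if __name__ == "__main__":
    # Constructed values reproducing the article's example; RFCreated is assumed.
    result = analyze_delay(datetime(2021, 4, 1, 23, 50), datetime(2021, 4, 2, 8, 5),
                           datetime(2021, 4, 2, 9, 3))
    for key, value in result.items():
        print(f"{key}: {value}")
```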

Additional Information

From the Symantec DLP Data Loss Prevention Help Center: About Endpoint Incident Lists

Occurred On Date

  • Incident date and time

Reported On Date

  • Time and date that the incident was reported. If the endpoint is disconnected from the corporate network, incidents are reported when the connection is restored.