Here is an overview of the DLP Incident Persister service stages.

IDC files (incidents) arrive at Enforce via the Symantec DLP Detection Server Controller service, are written to the C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<ver>\incidents directory, get picked up by the Symantec DLP Persister service and go through the following 3 stages while being processed:

1. Persistence
   IncidentPersisterThread persists incidents to the Incident/Message tables.
   
   
2. Processing
   1. Associates Network Prevent incidents to DataUser records where
      1. Users have been imported from LDAP.
      2. The Domain Controller Agent has been implemented
   2. Associates Discover incidents to Discover Walk records.
      
      
3. Command
   • Executes Enforce Flex Response Rules
   • Performs Custom Incident Attribute Lookups. AKA "post-processing", AKA "incident enrichment".

See also: Understanding incident dates in Data Loss Prevention