
Incident Persister stages overview


Article ID: 215262


Products

Data Loss Prevention, Data Loss Prevention Enforce

Issue/Introduction

You want an overview of the DLP Incident Persister service stages.

Environment

DLP 15.x

Resolution

IDC files (incidents) arrive at Enforce via the Symantec DLP Detection Server Controller service and are written to the C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<ver>\incidents directory. The Symantec DLP Persister service picks them up from there and processes them in the following 3 stages:

  1. Persistence
    IncidentPersisterThread persists incidents to the Incident/Message tables.

  2. Processing
    1. Associates Network Prevent incidents to DataUser records where
      1. Users have been imported from LDAP.
      2. The Domain Controller Agent has been implemented.
    2. Associates Discover incidents to Discover Walk records.

  3. Command
    • Executes Enforce Flex Response Rules
    • Performs Custom Incident Attribute Lookups, also known as "post-processing" or "incident enrichment".

Additional Information

See also: Understanding incident dates in Data Loss Prevention