Event scenario instances are not generated during either the nightly RiskFabric Processing job or the RiskFabric Intraday Processing job for event scenarios with cube-based (MDX) event scenario set definitions created in the Analyzer.

Release : 6.x

Component : Event Scenarios

Either the event scenario processing steps in the nightly and intraday jobs are failing, or the event scenario's criteria are not met by the entity and security events data imported from integrated data sources.

The following job steps handle event scenario instance generation for any scenarios with definitions built on Analyzer (cube) dimensions and measures:

• RiskFabric Processing job
  • Process Risk Models
  • Process Collections and Scenarios and Risk Models Measures Groups
• RiskFabric Intraday Processing job
  • Process Event Scenarios
  • Process Event Scenario Measures and Dimensions

Follow these steps to determine whether these job steps are completing successfully:

1. Open SQL Server Management Studio (SSMS).
2. Connect to the Database Engine hosting the RiskFabric relational database.
3. In Object Explorer, navigate to SQL Server Agent > Jobs.
4. Right-click the RiskFabric Processing job and select View History.
   The Log File Viewer window opens
5. Expand the latest entry in the log.
6. Successful job steps are denoted by a white checkmark against a green circle; failed steps are denoted by a white x against a red circle. If any of the job steps failed, search the Broadcom knowledge base (KB) for the content of the Message column in the log viewer for that job step.
7. Repeat steps 4 through 6 for the RiskFabric Intraday Processing job.

If no processing job steps have failed, evaluate the logic of the event scenario's configuration and event scenario set definition in the Analyzer. Refer to the Understanding Entity Collections, Event Scenarios, and Risk Models section of the Symantec ICA User Guide and the Event Scenarios Configuration section of the Symantec ICA Administrator Guide, as needed.

If a simple event scenario set definition fails to return results as expected in the Analyzer (for example, DIM Incident Count by User > Account Name), refer to the KB article Incorrect or missing DIM incident user association.