Data source connections unexpectedly removed

Article ID: 262765

Products

Information Centric Analytics

Issue/Introduction

All previously working data source connections to Symantec Data Loss Prevention (DLP) are unexpectedly missing from the Information Centric Analytics (ICA) portal under Admin > Integration > Data Sources > Choose Data Source | Symantec Data Loss Prevention. The Risk Fabric Symantec Data Loss Prevention Integration Pack is also missing from Admin > Integration > Integration Packs.

This issue may also affect other data sources installed via an integration pack, such as Symantec Endpoint Protection (EP) or Symantec Web Security Service (WSS).

Environment

Release: 6.5.4

Cause

The integration pack for the data source connections was removed.

Resolution

Beginning with ICA version 6.6, data source connections and their linked servers are not deleted when an integration pack is removed. For versions 6.5.4 MP1 (6.5.4.01) and earlier, contact Broadcom Support for assistance with resolving this issue.

Additional Information

When a data source connection is removed, any incidents previously ingested from that data source become orphaned in the RiskFabric database. References to the incidents persist, but the linked server ID with which they are associated no longer has a corresponding linked server reference in the RiskFabric.dbo.LinkedServers table, and the linked server is deleted from sys.servers. If the data source connection is re-created, a new ID is generated for the data source connection's linked server, and all incidents subsequently ingested will be associated with the new linked server ID.

The following information may be used for determining the method by which a data source connection was removed, and for auditing portal user activity associated with its removal.

  1. This query will identify which portal users accessed the integration page in the ICA portal within the last n days:
    /* Replace n with the number of days to look back */
    SELECT   pu.Username,
             l.DateStamp
    FROM     RiskFabric.dbo.ActivityLog AS l WITH (NOLOCK)
    JOIN     RiskFabric.dbo.PortalUsers AS pu
    ON       l.PortalUserID = pu.PortalUserId
    WHERE    Detail = '#admin/integration'
    AND      CAST(DateStamp AS date) >= CAST(GETDATE()-n AS date)
    ORDER BY DateStamp DESC
    ;
  2. This query will identify the window of time in which the linked server ID for a Symantec DLP data source changed because a new data source connection was created:
    /* Replace n with the number of days to look back */
    SELECT   LinkedServerID,
             RFCreatedDate,
             COUNT(*) AS "Incidents"
    FROM     RiskFabric.dbo.LDW_DIMIncidents WITH (NOLOCK)
    WHERE    CAST(RFCreatedDate AS date) >= CAST(GETDATE()-n AS date)
    GROUP BY RFCreatedDate,
             LinkedServerID
    ORDER BY RFCreatedDate DESC
    ;
  3. This query will identify the window of time in which the linked server ID for a unified event data source (i.e., Web Activity, Authentication, Endpoint) changed because a new data source connection was created:
    /* Replace n with the number of days to look back */
    SELECT   LinkedServerID,
             RFCreatedDate,
             COUNT(*) AS "Events"
    FROM     RiskFabric.dbo.LDW_EventDetail WITH (NOLOCK)
    WHERE    CAST(RFCreatedDate AS date) >= CAST(GETDATE()-n AS date)
    GROUP BY RFCreatedDate,
             LinkedServerID
    ORDER BY RFCreatedDate DESC
    ;
  4. The following query will confirm whether the former linked server(s) no longer exist(s) in the RiskFabric.dbo.LinkedServers table:
    SELECT * FROM RiskFabric.dbo.LinkedServers WHERE LinkedServerID IN ();
    /* Insert the LinkedServerID(s) returned by query 2 (DLP) or 3 (UE) within the parentheses following the IN clause, separated by commas if more than one ID is returned */
  5. The following query returns the time at which a new linked server was created (i.e., when a new data source connection was created):
    SELECT [name], modify_date FROM sys.servers WHERE is_linked = 1;
  6. In addition to the database queries above, IIS logs capture requests that can be parsed to determine when an integration pack or data source connection was removed:
    1. When a user removes a single data source connection, the following call is logged by IIS:
      POST /api/IntegrationPack/DeleteConnectionByID
    2. When a user removes all data source connections (via the Delete All Connections button), the following call is logged by IIS:
      POST /api/IntegrationPack/DeleteConnectionsByDataSourceID
    3. When a user removes an integration pack, the following call is logged by IIS:
      POST /api/IntegrationPack/DeleteIntegrationPacks
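
One way to pull the calls listed in step 6 out of the IIS logs, as an added example (not Broadcom's code and not part of the original article): it reads W3C extended log lines and returns each POST to the three delete endpoints with its UTC time, user, client IP and HTTP status. The sample log lines, usernames and addresses are constructed, and it assumes the site logs the date, time, cs-method and cs-uri-stem fields.

```python
from datetime import datetime, timezone
# Endpoints listed in the article, mapped to the portal action they represent.
DELETE_CALLS = {
    "/api/integrationpack/deleteconnectionbyid": "single connection removed",
    "/api/integrationpack/deleteconnectionsbydatasourceid": "all connections removed",
    "/api/integrationpack/deleteintegrationpacks": "integration pack removed",
}
def find_delete_calls(lines):
    """Return one dict per logged POST to a delete endpoint, in log order."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared per file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        action = DELETE_CALLS.get(row.get("cs-uri-stem", "").lower())
        if action is None or row.get("cs-method", "").upper() != "POST":
            continue
        try:
            when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # date/time not logged or unparseable
        hits.append({
            "utc": when.replace(tzinfo=timezone.utc),  # IIS W3C logs use UTC
            "action": action,
            "user": row.get("cs-username", "-"),
            "client_ip": row.get("c-ip", "-"),
            "status": row.get("sc-status", "-"),  # anything but 2xx: request did not succeed
        })
    return hits

# Constructed sample log (not from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-01-15 09:12:03 GET / EXAMPLE\\alice 10.0.0.5 200
2024-01-15 09:14:47 POST /api/IntegrationPack/DeleteIntegrationPacks EXAMPLE\\alice 10.0.0.5 200
2024-01-16 14:02:10 POST /api/IntegrationPack/DeleteConnectionByID EXAMPLE\\bob 10.0.0.9 401
""".splitlines()

if __name__ == "__main__":
    for h in find_delete_calls(SAMPLE_LOG):
        print(h["utc"].isoformat(), h["user"], h["client_ip"], h["status"], h["action"])
```

The returned UTC times can be compared with the DateStamp values from query 1 and the modify_date values from query 5 once all three are converted to the same time zone.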