Recipient identifiers on DIM incidents
search cancel

Recipient identifiers on DIM incidents


Article ID: 268192


Updated On:


Information Centric Analytics


A custom dashboard widget that displays a list of DIM incidents and the e-mail addresses of both source and destination users does not display destination user addresses for all incidents.


Release : 6.x

Component : Dashboards


The dashboard query is written in such a way that it joins the DIM incidents table to the network endpoints table but does not join DIM incidents to user destinations. When the destination e-mail address on a DIM incident exists in the users table in Information Centric Analytics (ICA), a network endpoint record is not created. Instead, the DIM incident is associated with the existing user.

The stored procedure that creates associations between DIM incidents and network endpoint destinations (spLDW_UpdateSymantecDLPIncidentsToNetworkEndpointDestinations) applies the following logic when parsing recipient identifiers:

Don’t create a Network Endpoint
    If it’s an IP Address
    If it's an email address that exists in the LDW_Users table
Create a Network Endpoint
    If it’s HTTP, FTP, etc.
    If it’s not an IP Address
    If it's an email address that does not appear in the LDW_Users table


Update the dashboard widget query to also join the LDW_DIMIncidents table to both LDW_DIMIncidentsToNetworkEndpointDestinations and LDW_DIMIncidentsToUserDestinations to return all destination e-mail addresses for DIM incidents.