Information Centric Analytics (ICA) imports data from data sources, calculates normality and risk scores, generates event scenario and risk model instances, and performs a variety of application and database maintenance tasks through SQL Server Agent jobs. The primary job is the RiskFabric Processing job, which runs once a day (its default schedule is nightly at 00:15). The RiskFabric Intraday Processing job is an optional secondary job that performs a subset of these tasks. Broadcom recommends the intraday job run no more frequently than every two hours during the day.

In addition to these jobs, ICA installs a handful of ancillary jobs, some of which are optional:

• RiskFabric DB Maintenance Weekly
• RiskFabric Send Scan Exclusion Notifications
• RiskFabric Send Vulnerability Summary Emails
• RiskFabric_IW_DataSourceQueryID_<n>

A production ICA environment should be provisioned with adequate resources to enable users to effectively access and use the ICA console while the RiskFabric Intraday Processing job and various ancillary jobs are running (with the exception of the RiskFabric DB Maintenance Weekly job). If users are unable to do so, review the Resolution section of this article.

Version : 6.x

Component : Microsoft SQL Server

As noted in the ICA Administrator Guide, because ICA processes and analyzes vast quantities of incident, event, and other security data, the database server hosting Microsoft SQL Server should be dedicated exclusively for Symantec ICA and not shared with other applications or services. Database backup and maintenance tasks should be scheduled outside of operating hours and should not be scheduled to run concurrently with any of ICA's scheduled jobs.

If users report perform console performance, note the day and time at which this is occurring and review the SQL Server Agent job schedules on the SQL Server hosting the ICA database. If either the nightly or intraday job is the sole job running at the time the console performs poorly, work with your database administrator (DBA) to identify the resource or resources that are constrained and take appropriate steps to increase the availability or capacity of those resources (i.e., RAM, CPU, disk I/O and available space, etc.). Consult the following section of the ICA Administrator Guide to determine whether your environment meets Broadcom's minimum recommended specifications:

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/information-centric-analytics/6-6/Administrator-Guide/install_privileges/disk-space-requirements-for-symantec-ica.html

For hardware sizing, it is assumed that all servers are dedicated exclusively for Symantec ICA. Of the primary system resources (processors, memory, network, and storage), the resources for storage are the most difficult to estimate for the Symantec ICA life cycle. The following items should be included in storage calculations:

• Size of the initial data sets
• Volatility or weekly growth of the data sets
• Data retention policies
• Space for the tempdb database and log files
• Space for backups

The following recommendations are also taken from the ICA Administrator Guide:

• Symantec ICA jobs can have long run times and frequently run several hours each night. Any configurations that terminate or suspend long-running jobs should be disabled for Symantec ICA.
• Backup jobs should be scheduled at times that do not interfere with the Symantec ICA nightly job.
• Maximize parallel processing and threading parameters. In particular, the maximum degrees of parallelism (MAXDOP) should remain at zero for management by the database engine.
• Data drives should use 64 KB block sizes, and be optimized for read/write throughput.
• tempdb space should be very large and implemented using multi-file architectures on fast spindle pools.
• If the nightly job duration becomes long due to large data imports, then investigate the use of the intraday job to break up the nightly import into smaller chunks performed throughout the day.

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/information-centric-analytics/6-6/Administrator-Guide/installation.html

If you find custom or third-party jobs are running at the time at which the console performs poorly, ensure that these jobs aren't running concurrently with any of ICA's jobs. For database maintenance tasks, disable those jobs that are duplicative of index defragmentation operations performed by ICA's RiskFabric DB Maintenance Weekly. Disable third-party jobs whenever possible; when not possible, either schedule these jobs to run outside of operating hours or work with the third-party vendor to determine ways these jobs can be modified to reduce resource contention.