Under what conditions does Information Centric Analytics (ICA) auto-classify an incident or event? Is this related to the portal settings Enable DIM Classification Prediction and Enable Unified Event Classification Prediction? How do I know whether incidents and events are being auto-classified?
If an incident was initially predictively classified and later manually classified by a user, will future predictive classifications be based on the new status and classification? For example, ICA initially predicted the classification 'Violation' for a new incident. An analyst or reviewer subsequently resolved the incident and changed the classification to 'Acceptable'. Will future incidents that match the parameters of this incident and the incident by which its classification was predicted be classified according to the older or newer of the two incidents?
Version: 6.x
Auto-classification and classification prediction are two different functions within ICA. The former is based on event statuses and rules and only applies to Data In Motion (DIM) incidents from Symantec Data Loss Prevention (DLP), while the latter is an event enrichment function and can be applied to all event types.
If a DIM incident is imported with a status that has been configured in ICA to set a particular classification, ICA will auto-classify the incident based on that status and its rules.
If a new event is imported with a status that has not been configured in ICA to set a classification (DIM incidents only), or with no status at all, predictive classification will attempt to set the classification based on similar events that match on a set of parameters.
If an incident was initially predictively classified and later manually classified by a user, future predictive classifications will be based on the new classification manually set by the user that superseded the originally predicted classification.
The set of parameters used for predictive classification differs between DIM incidents and the Unified Event (UE) types (Authentication, Endpoint Protection, Web Activity). For more information about DIM and UE predictive classification, refer to the following sections of the Symantec ICA Administrator Guide:
To determine whether incidents have been classified, navigate in the Risk Fabric console to Data Loss Prevention > DLP Remediation Assessment. There are a number of dashboards on that page which show classification distributions and trends. You can also construct a view using the Analyzer to obtain the same information.
Alternatively, the following query can be executed in SQL Server Management Studio (SSMS) to show classification counts by method:
USE RiskFabric;
GO
WITH cte AS
(
    SELECT di.DIMIncidentID,
           ec.EventClassificationName AS "Classification",
           rm.MethodName AS "Method",
           di.IsEventClassificationPredicted AS "Prediction"
    FROM dbo.LDW_DIMIncidents AS di WITH (NOLOCK)
    INNER JOIN dbo.EventClassifications AS ec
        ON di.EventClassificationID = ec.EventClassificationID
    INNER JOIN dbo.RemediationMethod AS rm
        ON di.ClassificationMethodID = rm.MethodID
    WHERE di.IsArchived = 0
)
SELECT COUNT(*) AS "Incidents",
       cte.[Classification],
       cte.Method,
       CASE
           WHEN cte.Prediction = 1 THEN 'Predicted'
           WHEN cte.Prediction = 0 THEN 'Not Predicted'
       END AS "Prediction"
FROM cte
GROUP BY cte.[Classification],
         cte.Method,
         CASE
             WHEN cte.Prediction = 1 THEN 'Predicted'
             WHEN cte.Prediction = 0 THEN 'Not Predicted'
         END
ORDER BY Incidents DESC;
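The query above only counts incidents that already carry a classification, because of the INNER JOIN. The following added query (not part of the original article) is a companion check that also surfaces incidents with no classification at all, so you can see at a glance whether auto-classification and prediction are keeping up with the import volume. It reuses the same tables and columns as the article's query and assumes that an unclassified incident has a NULL EventClassificationID (an assumption, not something the article states).

```sql
-- Added example: per-classification breakdown of predicted vs. non-predicted
-- DIM incidents, including an "(unclassified)" bucket.
-- Assumption: unclassified incidents have a NULL EventClassificationID.
USE RiskFabric;
GO
SELECT COALESCE(ec.EventClassificationName, '(unclassified)') AS Classification,
       COUNT(*) AS Incidents,
       -- Incidents whose classification was set by prediction
       SUM(CASE WHEN di.IsEventClassificationPredicted = 1 THEN 1 ELSE 0 END) AS Predicted,
       -- Incidents classified by status rules or manually (or not at all)
       SUM(CASE WHEN di.IsEventClassificationPredicted = 1 THEN 0 ELSE 1 END) AS NotPredicted,
       -- Share of the bucket that came from prediction, as a percentage
       CAST(100.0 * SUM(CASE WHEN di.IsEventClassificationPredicted = 1 THEN 1 ELSE 0 END)
            / COUNT(*) AS DECIMAL(5, 1)) AS PredictedPct
FROM dbo.LDW_DIMIncidents AS di WITH (NOLOCK)
LEFT JOIN dbo.EventClassifications AS ec
    ON di.EventClassificationID = ec.EventClassificationID
WHERE di.IsArchived = 0
GROUP BY COALESCE(ec.EventClassificationName, '(unclassified)')
ORDER BY Incidents DESC;
```

A large or growing "(unclassified)" row with zero predicted incidents in the other rows is the symptom to look for when classification prediction appears not to be running.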