After deploying Information Centric Analytics (ICA) and integrating a Symantec Data Loss Prevention (DLP) data source, you observe that several widgets or fields are showing "No Data" in ICA's DLP dashboard, including the following:

• DLP Incidents by Protocol and Individual Normality Rating
• DLP Incidents by Action and Individual Normality Rating
• DLP Incidents by Top 10 Policies and Individual Normality Rating
• DLP Incidents by Organization and Individual Normality Rating
• DLP Incidents by Protocol and Classification
• DLP Incidents by Action and Classification
• Top Users with Very Unusual Incidents
• Differences Tab in Events: Data in Motion
• Data In Motion Use Cases
• Data In Motion Metrics

Release : 6.x

Component : Symantec Data Loss Prevention Integration Pack

This condition is typically caused by one or both of the following:

1. A user entity data source was not integrated prior to integrating a DLP data source.
2. DLP policies have not yet been enabled in the Risk Fabric console.

1. If a user entity data source like Active Directory has not yet been integrated with ICA, follow the procedures documented in either the Symantec ICA Integration and Solution Accelerator Guide for Microsoft Active Directory or the Using the Integration Wizard to Create a User-defined Data Source section of the Symantec ICA Integration and Solution Accelerator Guides.
   
   After integrating a user entity data source, Broadcom recommends configuring organizational and regional settings to enable ICA to properly calculate the normality of security events. Refer to the Configuring Organizations and Regions Settings section of the Symantec ICA Administrator Guide.
   
   After completing the integration of a user entity data source, contact Broadcom support for assistance with purging and re-importing DLP incidents.

2. Determine whether DLP policies are enabled in the Risk Fabric console by navigating to Admin > Settings > Policy. If policies are not enabled, enable them by clicking the edit icon to the left of each policy name, ticking the Enabled box in the Edit Policy window, and clicking the Ok button to save any changes.

   After enabling DLP policies, run either the nightly RiskFabric Processing job or the RiskFabric Intraday Processing job to start the incident import process.

Because ICA is a User and Entity Behavioral Analytics (UEBA) platform, a user data source integration is foundational and should be configured first. After that, Broadcom highly recommends configuring organizational and regional settings to enable ICA to most accurately calculate the normality of security events. Once these steps are complete, a security events data source like DLP can be integrated successfully.

Most users integrate Active Directory (AD) as their user entity data source, though it's also possible to integrate alternative sources such as Workday and PeopleSoft through the Integration Wizard as user-defined data sources. ICA includes a native integration for AD that is straightforward to setup by following the Symantec ICA Integration and Solution Accelerator Guide for Microsoft Active Directory.