Data Loss Prevention


  • 1.  Domain controller agent (DCA) cannot map IP to User

    Posted Dec 25, 2025 12:37 PM

    Hi all,

    I'm troubleshooting Symantec DLP Web Prevent user resolution using DCA (Domain Controller Agent).

    The DCA is installed on a separate server, connected to Active Directory/DCs. I can verify the DCA successfully pulled IP → username mappings from the DCs:
    TRACE EnforceHttpsClient - POST EVENTS::: Read URL content: {"IpUserUpdatesReceived":[{"DC-ABCCOMPANY.COM":83}]} [EnforceHttpsClient.cpp(133)]
    INFO EnforceHttpsClient - POST EVENTS::: Completed Enforce request [EnforceHttpsClient.cpp(134)]
    TRACE EnforceHttpsClient - Parsed Enforce response: DC host: , DC-ABCCOMPANY.COM, query time: 0, number events: 83, error: [EnforceResponseParser.cpp(70)]
    INFO EnforceEventConsumer - Enforce received 83 events [EnforceEventConsumer.cpp(147)]

    On Enforce I can see the mapping is successfully updated to the database:
    INFO .com.vontu.enforce.domainlayer.userresolution.batch.BatchIpUserRecordsUpdater.insertUserRecords Inserting records for DC-ABCCOMPANY.COM. Number of records 20

    Issue:

    In Enforce, I see a Web incident where the incident contains IP A. In DCA's log I can see the mapping of IP A to username B. However, in Enforce the incident does not resolve to username B. When I click Run Mapping Job in Enforce, no users get mapped for that incident / IP; the mapping starts and immediately finishes, with the message "0 users mapped".

    Enforce Tomcat shows jobs running successfully (no errors), but mapping still doesn't happen:
    17:00:55.289 INFO ... IpResolutionPackage.runStoredProcedure JobID 1 returned with status: COMPLETED
    17:00:55.315 INFO ... IpUserMappingService.mapUserRecords ... Status COMPLETED
    17:00:55.694 INFO ... IpResolutionPackage.runStoredProcedure JobID 21 returned with status: COMPLETED
    17:00:55.714 INFO ... IpUserMappingService.purgeUserRecords ... Status COMPLETED

    Question:
    Even though the mapping job returns COMPLETED, what could cause Enforce not to resolve the incident IP to the username when DCA clearly has the mapping? Any recommended checks (proxy/NAT vs client IP, username format, time window/retention, DB tables to validate, etc.) would be appreciated.



    -------------------------------------------


  • 2.  RE: Domain controller agent (DCA) cannot map IP to User

    Broadcom Employee
    Posted Dec 28, 2025 11:06 PM

    Hello Anh Pham,

    I see a lot of people confusing the "Domain Controller Agent" functionality to think that the "IP to UserName" resolution will be visible in "Network Prevent for Web" Incidents page.

    Please review the DCA documentation: https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-1/install-dlp/installing-the-domain-controller-agent-to-identify-users-i/about-the-domain-controller-agent.html

     The domain controller agent enables you to resolve user names from IPv4 address and associates the IP addresses in those incidents with user names in the User Risk Summary. 

    The correlation will be visible in the "User Risk Summary" page, NOT in the Web Incidents page.

    If your requirement is to get the "User Name" instead of the "IP" in the sender of the Web Incidents, then you need to get the Proxy to send the correct UserName instead of the IP.

    Example:

    https://knowledge.broadcom.com/external/article/169418/send-the-user-name-to-symantec-dlp.html

    https://knowledge.broadcom.com/external/article/160011/using-liveldap-lookup-with-httphttps-inc.html

    Regards,

    Ajay

    -------------------------------------------