Symantec’s Integrated Cyber Defense (ICD) Platform unifies products, services and partners to drive down the cost and complexity of cyber security, while protecting enterprises against sophisticated threats. ICD combines information protection, threat protection, identity management, compliance and other advanced services, powered by shared intelligence and automation across endpoints, networks, applications, and clouds.
Collector and Forwarder Support matrix for ICDx https://support.symantec.com/us/en/article.tech252892.html TECH252892
The DLP Incident Data Views article is an excellent look at how data is related in DLP; it is very useful even if you don't use ICDx.
Preparing to configure Symantec Data Loss Prevention collectors https://support.symantec.com/us/en/article.HOWTO129892.html HOWTO129892
etc
Hi Alex, yes, there are events being collected, and we can also see those fields in the SQL DB. The ICDx schema also seems to show that user_name and device_name should be exposed. In the ICDx search window, I can also see data and events with information, but the "Device Name" and "Device IP Address" columns are empty.
Are any events from DLP being collected?
Is it just certain incident types that aren't showing up those Fields?
If you run the SQL provided against the DLP DB, do those fields have data populated?
Configuring Symantec Data Loss Prevention collectors https://help.symantec.com/cs/ICDX_1.3.1/ICDX/v126919648_v133313422/Configuring-Symantec-Data-Loss-Prevention-collectors?locale=EN_US
Is there any in-depth look into the DLP collector? We have set up the DLP collector (and a JSON forwarder), but we seem to be missing information from the DLP collector. In particular, we were trying to find the user_name and device_name attributes, which should be available. However, our DLP collector does not seem to be pulling this information.
There are no filters or inclusion/exclusion rules on our collectors at this point.
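A quick way to narrow down a problem like this (is the field missing on every event, or only on some incident types?) is to audit the JSON forwarder output directly rather than the search UI. The script below is an added example, not code from Symantec or from anyone in this thread. It assumes the forwarder writes one JSON object per line, that the ICDx attribute names are user_name and device_name as discussed above, and it additionally assumes a device_ip attribute and a type_id key for the event type (both assumptions; the thread only mentions the "Device IP Address" column). The sample events embedded in it are constructed, not captured from a real ICDx instance.

```python
"""Audit ICDx JSON forwarder output for events that lack user_name / device_name.

Added example (not Symantec code). Assumptions: one JSON object per line;
attribute names user_name, device_name and device_ip (device_ip is assumed);
an event-type key named type_id (assumed).
"""
import json
import sys
from collections import defaultdict

FIELDS = ("user_name", "device_name", "device_ip")

# Constructed sample lines standing in for forwarder output (not real data).
SAMPLE_LINES = [
    '{"type_id": 8001, "message": "Endpoint incident", "user_name": "jdoe", '
    '"device_name": "LAPTOP-01", "device_ip": "10.0.0.5"}',
    '{"type_id": 8002, "message": "Network incident", "user_name": "", "device_name": null}',
    '{"type_id": 8002, "message": "Network incident", "user_name": "asmith"}',
    'not json at all',
]


def is_missing(value):
    """Treat absent keys, JSON null and blank strings all as 'missing'."""
    return value is None or (isinstance(value, str) and value.strip() == "")


def audit(lines, fields=FIELDS, type_key="type_id"):
    """Count, per event type, how many events are missing each field.

    Returns (stats, unparseable) where stats maps type_id -> {"total": n,
    "missing": {field: count}} and unparseable is the number of lines that
    were not valid JSON objects.
    """
    stats = defaultdict(lambda: {"total": 0, "missing": {f: 0 for f in fields}})
    unparseable = 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            unparseable += 1
            continue
        if not isinstance(event, dict):
            unparseable += 1
            continue
        bucket = stats[event.get(type_key, "unknown")]
        bucket["total"] += 1
        for field in fields:
            if is_missing(event.get(field)):
                bucket["missing"][field] += 1
    return dict(stats), unparseable


def format_report(stats, unparseable):
    """Render the audit as a small text table, one row per event type."""
    rows = ["type_id  total  " + "  ".join(f"{f}_missing" for f in FIELDS)]
    for type_id, bucket in sorted(stats.items(), key=lambda kv: str(kv[0])):
        missing = "  ".join(
            f"{bucket['missing'][f]:>{len(f) + 8}}" for f in FIELDS
        )
        rows.append(f"{str(type_id):<7}  {bucket['total']:>5}  {missing}")
    rows.append(f"unparseable lines: {unparseable}")
    return "\n".join(rows)


def main(argv):
    # With a path argument, audit that forwarder file; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LINES
    stats, unparseable = audit(lines)
    print(format_report(stats, unparseable))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the file the JSON forwarder writes (`python audit_icdx.py /path/to/forwarder-output.json`). If every row shows device_name missing on all events, the collector is not mapping the field at all; if only some type_id rows are affected, the gap is specific to those incident types, which is exactly the distinction Alex asks about above.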