About Symantec ICA Integration

Symantec ICA uses security and user data gathered by your organization's monitoring tools to provide an up-to-date, unified view of the prioritized risks and threats to your organization. The data is imported to Symantec ICA using predefined integration packs, user-defined integration packs, and solution accelerators. The imported data is then compared to and analyzed with data already collected in Symantec ICA.
Data import is configured in the Integration section of the administration area. The Integration section has the following sections:
  • Integration Packs: Allows you to import predefined Symantec ICA integration packs. Symantec has several predefined integration packs for use with Symantec ICA.
  • Data Sources: Defines where to pull data from, and how to query that data.
  • Data Integrations: Maps data from the data source tables to the Symantec ICA tables. More than one rule and mapping can be created for an integration pack.
  • Job Status: Lists the status of integration jobs, including run times and outcomes.
Together, the Data Sources and Data Integrations sections are known as the "integration wizard." If your organization uses sources that are not included in the Symantec set of predefined integration packs, then you can create integration packs using the integration wizard.
The following terms are used when discussing Symantec ICA integration:
Integration Wizard Terms

Data mappings
    The relationships between the data source fields and the Symantec ICA fields.

Data sources
    The servers that have the data you want to pull into Symantec ICA. They are databases, files or API sources, and are sometimes referred to as the integration platforms. Symantec ICA uses queries to retrieve data from your organization's data sources.
    After Symantec ICA has pulled data from a data source, its settings should not be changed or reset. Changing the settings can cause data loss. If a different data source is needed, then it should be added to Symantec ICA as a new data source.

Data source processing jobs
    The processes that move the data from the data source tables to the Symantec ICA preprocessing tables.

Import
    The transfer of data from the Symantec ICA preprocessing tables to the Symantec ICA logical data warehouse (LDW) tables.

Import rules
    The import rule associated with an integration. An import rule can have multiple import rule mappings. For example, an import rule for DLP data could have a mapping for computer endpoints, another mapping for applications, and another mapping for users.

Import rule mappings
    The column mappings from the data source tables to the Symantec ICA tables. Each mapping identifies the query to use, and the entity data to import into the Symantec ICA tables.

Integration packs
    The processes and queries that move data from a data source, such as Microsoft Active Directory or Symantec DLP, to tables in Symantec ICA. The data is then mapped to the appropriate Symantec ICA LDW table.

LDW loading tables
    The Symantec ICA tables that receive the imported data after it has been processed by Symantec ICA. The loading table names use the format LDW_componentName, such as LDW_Domains.

Nightly processing job
    The Symantec ICA processing job that imports and processes the data collected from the data sources.

Preprocessing tables
    The tables that check that imported data has an identifier for each row, and that imported columns use names similar to column names in Symantec ICA. Preprocessing table names use the format Stg_PreProcess_entityName, such as Stg_PreProcess_EPEvents.

Pull
    The transfer of data from a data source to the Symantec ICA staging tables.

Staging tables
    The tables where pulled data is stored before processing. The staging tables are defined in the data queries. Staging table names use the format Stg_Source_componentName, such as Stg_SEP_Event.
Best practice is to pull data in the following order:
  1. Organizations
  2. Countries
  3. Regions
  4. Users
  5. Vendors
  6. Vendors to users
  7. Applications
  8. Application contacts
  9. Computer endpoints
  10. Vulnerabilities
  11. Computer endpoints to vulnerabilities
  12. Applications to vulnerabilities
  13. Endpoint events
  14. Authentication events
  15. Web activity
  16. Web applications
  17. Web applications to vulnerabilities
  18. Data in motion (DIM) events
  19. DIM event destinations
  20. DIM event files
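Several entries in the recommended order are relationship pulls of the form "A to B", and each of them appears only after both A and B have been pulled. The following added check (example code, not part of the Symantec ICA product or its documentation) encodes that rule and reports any configured pull order that schedules a link entity before the entities it joins. The assumption that an "A to B" entry depends on A and B is the example's own; the order list is copied from above.

```python
# Recommended pull order, copied from the documented best practice above.
PULL_ORDER = [
    "Organizations", "Countries", "Regions", "Users", "Vendors", "Vendors to users",
    "Applications", "Application contacts", "Computer endpoints", "Vulnerabilities",
    "Computer endpoints to vulnerabilities", "Applications to vulnerabilities",
    "Endpoint events", "Authentication events", "Web activity", "Web applications",
    "Web applications to vulnerabilities", "Data in motion (DIM) events",
    "DIM event destinations", "DIM event files",
]


def canonical(name):
    """Case-insensitive key so 'users' and 'Users' match."""
    return name.strip().lower()


def link_dependencies(name):
    """Assumption: an 'A to B' entry links two entities, both of which must be pulled first."""
    if " to " not in name:
        return []
    left, right = name.split(" to ", 1)
    return [left, right]


def pull_order_violations(order, extra_deps=None):
    """Return (entry, missing_dependency) pairs for every entry scheduled before a
    dependency. extra_deps maps an entry to further prerequisites an operator
    knows about (for example 'Application contacts' -> ['Applications', 'Users'])."""
    extra_deps = extra_deps or {}
    seen = set()
    violations = []
    for entry in order:
        deps = link_dependencies(entry) + list(extra_deps.get(entry, []))
        for dep in deps:
            if canonical(dep) not in seen:
                violations.append((entry, dep))
        seen.add(canonical(entry))
    return violations


if __name__ == "__main__":
    print(pull_order_violations(PULL_ORDER))   # the documented order has no violations
```

Pass a customised order and, where known, an extra_deps map to the function before scheduling integration jobs; the documented order itself yields an empty list.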