About Symantec ICA Integration
Symantec ICA uses security and user data gathered by your organization's monitoring tools to provide an up-to-date, unified view of the prioritized risks and threats to your organization. The data is imported to Symantec ICA using predefined integration packs, user-defined integration packs, and solution accelerators. The imported data is then compared to and analyzed with data already collected in
Data import is configured using the Integration section of the administration section. The Integration section has the following sections:
- Integration Packs: Allows you to import predefined Symantec ICA integration packs. Symantec has several predefined integration packs for use with Symantec ICA.
- Data Sources: Defines where to pull data, and how to query that data.
- Data Integrations: Maps data from the data source tables to the Symantec ICA tables. More than one rule and mapping can be created for an integration pack.
- Job Status: Lists the status of integration jobs including run times and outcomes.
Together, the Data Sources and Data Integrations sections are known as the "integration wizard." If your organization uses sources that are not included in the Symantec set of predefined integration packs, then you can create integration packs using the integration wizard.
The following terms are used when discussing
The relationships between the data source fields and the
The servers that have the data you want to pull into Symantec ICA. They are databases, files or API sources, and are sometimes referred to as the integration platforms.
Symantec ICA uses queries to retrieve data from your organization's data sources.
Symantec ICA has pulled data from a data source, its settings should not be changed or reset. Changing the settings can cause data loss. If a different data source is needed, then it should be added to
Data source processing jobs
The processes that move the data from the data source tables to the Symantec ICA preprocessing tables.
The transfer of data from the Symantec ICA preprocessing tables to the Symantec ICA logical data warehouse (LDW) tables.
The import rule associated with an integration. An import rule can have multiple import rule mappings. For example, an import rule for DLP data could have a mapping for computer endpoints, another mapping for applications, and another mapping for users.
Import rule mappings
The column mappings from the data source tables to the Symantec ICA tables. Each mapping identifies the query to use, and the entity data to import into the
The processes and queries that move data from a data source, such as Microsoft Active Directory or Symantec DLP, to tables in Symantec ICA. The data is then mapped to the appropriate Symantec ICA LDW table.
LDW loading tables
Symantec ICA tables that receive the imported data after it has been processed by Symantec ICA. The loading table names use the format componentName, such as
Nightly processing job
Symantec ICA processing job that imports and processes the data collected from the data sources.
The tables that check that imported data has an identifier for each row, and that imported columns use names similar to column names in Symantec ICA. Preprocessing table names use the format entityName, such as
The transfer of data from a data source to the Symantec ICA staging tables.
The tables where pulled data is stored before processing. The staging tables are defined in the data queries. Staging table names use the format Source_componentName, such as
Best practice is to pull data in the following order:
- Vendors to users
- Application contacts
- Computer endpoints
- Computer endpoints to vulnerabilities
- Applications to vulnerabilities
- Endpoint events
- Authentication events
- Web activity
- Web applications
- Web applications to vulnerabilities
- Data in motion (DIM) events
- DIM event destinations
- DIM event files