Symantec ICA Release Notes

Version 6.5.4

About These Release Notes

These release notes provide information about the new features, capabilities, and fixes in version 6.5.4 (6.5.4.400) and Maintenance Pack 1 (6.5.4.40100). These notes provide an overview of the new features including, where appropriate, details to help you understand how the feature is used in Symantec ICA (Symantec Information Centric Analytics). These notes do not contain implementation or configuration details for the new features.

What's New in Symantec ICA Version 6.5.4 Maintenance Pack 1 (MP1)

The following improvements are new in Symantec ICA version 6.5.4 MP1:
  • Added support in global search for the following elements:
    • Event identifiers for authentication events, web activity, and endpoints
    • Vulnerabilities for computer endpoints, web applications, code, and configuration issues
    • Risk model instance identifiers
  • Improved name matching when determining sender likelihood. For example, Symantec ICA analyzes the addresses [email protected] and [email protected] to determine if they belong to the same person.
  • Improved performance when using filters in the analyzer.
  • Made the ability to load and save column layout independent of the Can Administer Settings privileges.
  • Added the ability to delete data integrations, import rules, and data sources in the integration wizard.
  • The Microsoft AD importer now removes users from the Symantec ICA group member table when the user is removed from the group. The importer must be upgraded to use this feature. A new version of the importer is included with this maintenance pack.

Upgrade Information

The Symantec ICA environment must be at version 6.5.2.2 or later to upgrade to 6.5.4 and 6.5.4 MP1. If the environment is not at 6.5.2.2, then upgrade to 6.5.2.2 and ensure that the 6.5.2.2 Post Deploy job running in the SQL Server Agent has completed before starting the upgrade to 6.5.4 or 6.5.4 MP1.

What's New in Symantec ICA Version 6.5.4

The following features are new in Symantec ICA version 6.5.4:

Documentation Features

The following documentation features were added to Symantec ICA:
  • Documentation is now in HTML format, providing easier navigation and access to information than PDF guides.
  • You can now do a full-text search across all Symantec ICA content.
  • PDFs are not available for this release; however, you can access PDFs for earlier versions of Symantec ICA from the version menu on the Symantec ICA Tech Docs page.

Dashboard Features

The key new dashboard feature is:
  • Ability to preview an exported dashboard. Preview is not available with Microsoft Internet Explorer 11.

Action Plan Features

Key new action plan features are:
  • Deleted action plans can be restored by the Symantec ICA administrator.
  • Notifications are sent to the users in the Created By, Queue, and Assigned To fields when an action plan is deleted.
  • Ability to include attachments with action plans.

Event Response Features

Key new features of event responses are:
  • Improved name matching when determining sender likelihood. For example, Symantec ICA analyzes the addresses [email protected] and [email protected] to determine if they belong to the same person.
  • Ability to search for DIM incidents assigned to "Me." Setting this filter shows the DIM incidents for the logged-in user. The search can be saved, and used with an aging view widget on a dashboard.
  • Source, Destination, and Action Taken columns added to event details pages.
  • Masked PII fields appear in exported Microsoft Excel spreadsheets.
  • Ability to use rich-text format in Comments, such as carriage returns. Previously, only plain text was allowed, which caused readability issues.

Assets and Identities Features

Key new features of Symantec ICA assets and identities are:
  • More details, such as Environment and Tier, are shown on the Application Details pages.
  • Region and country information added to User and Person pages.

Administration Features

Key new features of Symantec ICA administration are:
  • Ability to delete data integrations, import rules, and data sources in the integration wizard.
  • The following user and role privileges have been added to Symantec ICA:
    • Privilege to designate a Symantec ICA user as a Symantec ICA administrator.
    • Privileges for viewing entity collections and risk models added to Events Scoping.
    • Privileges for who can view and export dashboards and pages.
  • Ability to set the number of days to retain event scenario instances in the General Event Scenarios section. The default is 90 days.
  • Ability to set requirements for action plan fields, such as Comment and Status. Requirements are Before Saving, Before Closing, and Never. These settings do not affect draft action plans.
  • Ability to restore deleted action plans.
  • Setting to keep data in motion incidents in action plans after the incidents are removed from the source system. Previously, the data at rest incidents were marked as archived.
  • Ability to disable import from a Microsoft Directory server. The Servers table has an IsEnabled column. The importer does not pull from servers that have IsEnabled=0 set. Refer to the Microsoft Active Directory import utility readme file for additional information.
  • Updated the Symantec DLP watermarking process to bypass any dynamic SQL calls that use IncidentID or IncidentDate as a watermark when the following conditions are true:
    • The linked server has IsPolicyEnabled="false" in the DetailXml column of the LinkedServers table.
    • There are no enabled policies for the linked server.
  • Ability to convert date and time values when creating a mapping from a source data field to destination data field using the integration wizard. The new formulas are as follows:
    • Convert epoch time (in s) to server TZ offset date
    • Convert epoch time (in s) to server TZ offset time
    • Convert epoch time (in s) to server TZ offset datetime
  • Ability to integrate Elasticsearch data using the integration wizard.
  • The following import utilities were updated. If your environment uses them, then you should upgrade your environment with the latest import utilities.
    • Microsoft Active Directory
    • QualysGuard
    • Splunk
    • Symantec CloudSOC
    • Symantec WSS
  • Oracle Database Client 19c has been tested and verified to work with Symantec ICA using Oracle Database 12c server.

Symantec ICA Fixed Issues

The following fixes were made in Symantec ICA 6.5.4 MP1:

Fixed Issues for Symantec ICA 6.5.4 MP1

Symantec ICA Number | Ticket Title
19727 | OpenQuery string length limitation affecting event scenario set view
20126, 20875 | Data source Job Start time shifts on query save when there is a timezone mismatch between console user and ICA server
20502 | Update spUpdateStg_AD to use NULL for Stg_AD_Computer.DistinguishedName
20601, 20612 | Users are unable to access a public saved search
20685, 20698 | fnLDW_GetDIMIncidentStatusMappings sets incident mitigation value to 0 when incident status IsEventMitigated value is NULL
20945 | Event Scenario: Users e-mailing themselves fails to export
21093 | Risk Fabric Health dashboard: Health Summary tab returns errors

The following fixes were made in Symantec ICA 6.5.4:

Fixed Issues for Symantec ICA 6.5.4

Symantec ICA Number | Ticket Title
16850 | Viewing multiple DIM Incidents and payloads, get blank page
18274 | Scheduled email export of PDF comes out truncated
19170 | Web Activity: Date Issues (Server Time vs Local Time)
19198 | Risk Models: Cannot Save Changes to Risk Model Column Display
19243 | Analyzer:  Drill through set doesn't allow you to drill through to Dim Incidents
19345 | Scheduled Emails: Reports are blank
19365 | RF Health Dashboard>RF-SQLJob Status Detail Dashboard Not Displaying Data
19374 | Data Integration:  Dim Incidents does not associate Files
19404 | Comments Made in Action Plans are Not Visible on Refresh or When viewing on a separate client
19436 | When there are multiple destination domains only the first is masked in 6.5.3 environment
19515 | spUpdateStg_SymantecDAR is not populating DAR Stg_SymantecDAR_Incident
19540 | The data in analyzer is showing less data than when we look at it in the Database
19593 | spNormality_UpdateNormalityScores is deadlocking
19636 | Incident ID Search Does Not Return Results Initially
19704 | Subject field missing from DIM Event Search Export
19869 | Intermittent SQL blocking involving the LDW_Users table
19901 | DIM Incident 'Changed By' field does not update when an incident's status is updated with changes from DLP
19951 | Lost export functionality after upgrade to 653
19952 | Agent Coverage dashboard (out of the box) is not displaying similar information to what DLP is showing
20057 | Mapping Symantec DLP Agent Response names to DIM Incident Action Name
20088 | DIM incidents with matching source IDs from different linked servers
20120 | Leave MeasureValue null for entity collection that do not have an Event Count measure
20121 | MeasureValue for Risk Model entity collection not defined on an incident count does not update during processing
20157 | Privileges assigned to new portal user do not reflect inherited privileges of portal role via portal group association
20158 | Drillthrough incident from Analyzer is very slow for Entity Collections
20160 | The mitigation filter for the Risk Model Instances view does not filter Mitigated instances when set to 'No'
20251 | Cube Processing Bottleneck
20332 | Troubleshooting index data type mismatch errors