Symantec ICA Release Notes


About These Release Notes

These release notes provide information about the new features, capabilities, and fixes in version ( and version Maintenance Pack 1 ( . These notes provide an overview of the new features including, where appropriate, details to help you understand how the feature is used in Symantec ICA (Symantec Information Centric Analytics). These notes do not contain implementation or configuration details for the new features.

What's New in Symantec ICA Maintenance Pack 1 (MP1)

The following improvements are new in Symantec ICA
  • Added support in global search for the following elements:
    • Event identifiers for authentication events, web activity, and endpoints
    • Vulnerabilities for computer endpoints, web applications, code, and configuration issues
    • Risk model instance identifiers
  • Improved name matching when determining sender likelihood. For example, Symantec ICA analyzes the addresses [email protected] and [email protected] to determine if they belong to the same person.
  • Improved performance when using filters in the analyzer.
  • Made the ability to load and save column layout independent of the Can Administer Settings privileges.
  • Added the ability to delete data integrations, import rules, and data sources in the integration wizard.
  • The Microsoft AD importer now removes users from the Symantec ICA group member table when the user is removed from the group. The importer must be upgraded to use this feature. A new version of the importer is included with this maintenance pack.

Upgrade Information

The Symantec ICA environment must be at version or later to upgrade to 6.5.4 and 6.5.4 MP1. If the environment is not at, then upgrade to and ensure that the Post Deploy job running in the SQL Server Agent has completed before starting the upgrade to 6.5.4 or 6.5.4 MP1.

What's New in Symantec ICA

The following features are new in Symantec ICA

Documentation Features

The following documentation features were added to Symantec ICA
  • Documentation is now in HTML format, providing easier navigation and access to information than PDF guides.
  • You can now do a full-text search across all Symantec ICA
  • PDFs are not available for this release; however, you can access PDFs for earlier versions of Symantec ICA from the version menu on the Symantec ICA Tech Docs page.

Dashboard Features

The key new dashboard feature is:
  • Ability to preview an exported dashboard.
    Preview is not available with Microsoft Internet Explorer 11.

Action Plan Features

Key new action plan features are:
  • Deleted action plans can be restored by the Symantec ICA
  • Notifications are sent to the users in the Created By, Queue, and Assigned To fields when an action plan is deleted.
  • Ability to include attachments with action plans.

Event Response Features

Key new features of event responses are:
  • Improved name matching when determining sender likelihood. For example, Symantec ICA analyzes the addresses [email protected] and [email protected] to determine if they belong to the same person.
  • Ability to search for DIM incidents assigned to "Me." Setting this filter shows the DIM incidents for the logged-in user. The search can be saved, and used with an aging view widget on a dashboard.
  • Source, Destination, and Action Taken columns added to event details pages.
  • Masked PII fields appear in exported Microsoft Excel spreadsheets.
  • Ability to use rich-text format in Comments, such as carriage returns. Previously, only plain text was allowed, which caused readability issues.

Assets and Identities Features

Key new features of Symantec ICA assets and identities are:
  • More details, such as Environment and Tier, are shown on the Application Details pages.
  • Region and country information added to User and Person pages.

Administration Features

Key new features of Symantec ICA administration are:
  • Ability to delete data integrations, import rules, and data sources in the integration wizard.
  • The following user and role privileges have been added to Symantec ICA
    • Privilege to designate a Symantec ICA user as a Symantec ICA
    • Privileges for viewing entity collections and risk models added to Events Scoping.
    • Privileges for who can view and export dashboards and pages.
  • Ability to set the number of days to retain event scenario instances in the General Event Scenarios section. The default is 90 days.
  • Ability to set requirements for action plan fields, such as Comment and Status. Requirements are Before Saving, Before Closing, and Never. These settings do not affect draft action plans.
  • Ability to restore deleted action plans.
  • Setting to keep data in motion incidents in action plans after the incidents are removed from the source system. Previously, the data at rest incidents were marked as archived.
  • Ability to disable import from a Microsoft Directory server. The Servers table has an IsEnabled column. The importer does not pull from servers that have set . Refer to the Microsoft Active Directory import utility readme file for additional information.
  • Updated the Symantec DLP watermarking process to bypass any dynamic SQL calls that use as a watermark when the following conditions are true:
    • When the linked server has in the DetailXml column of the LinkedServers table.
    • There are no enabled policies for the linked server.
  • Ability to convert date and time values when creating a mapping from a source data field to destination data field using the integration wizard. The new formulas are as follows:
    • Convert epoch time (in s) to server TZ offset date
    • Convert epoch time (in s) to server TZ offset time
    • Convert epoch time (in s) to server TZ offset datetime
  • Ability to integrate Elasticsearch data using the integration wizard.
  • The following import utilities were updated. If your environment uses them, then you should upgrade your environment with the latest import utilities.
    • Microsoft Active Directory
    • QualysGuard
    • Splunk
    • Symantec CloudSOC
    • Symantec WSS
  • Oracle Database Client 19 has been tested and verified to work with Symantec ICA using Oracle Database 12

Symantec ICA Fixed Issues

The following fixes were made in Symantec ICA

Fixed Issues for Symantec ICA

Symantec ICA
Ticket Title
OpenQuery string length limitation affecting event scenario set view
20126, 20875
Data source Job Start time shifts on query save when there is a timezone mismatch between console user and ICA server
Update spUpdateStg_AD to use NULL for Stg_AD_Computer.DistinguishedName
20601, 20612
Users are unable to access a public saved search
20685, 20698
fnLDW_GetDIMIncidentStatusMappings sets incident mitigation value to 0 when incident status IsEventMitigated value is NULL
Event Scenario: Users e-mailing themselves fails to export
Risk Fabric Health dashboard: Health Summary tab returns errors

The following fixes were made in Symantec ICA

Fixed Issues for Symantec ICA

Symantec ICA
Ticket Title
Viewing multiple DIM Incidents and payloads, get blank page
Scheduled email export of PDF comes out truncated
Web Activity: Date Issues (Server Time vs Local Time)
Risk Models: Cannot Save Changes to Risk Model Column Display
Analyzer:  Drill through set doesn't allow you to drill through to Dim Incidents
Scheduled Emails: Reports are blank
RF Health Dashboard>RF-SQLJob Status Detail Dashboard Not Displaying Data
Data Integration:  Dim Incidents does not associate Files
Comments Made in Action Plans are Not Visible on Refresh or When viewing on a separate client
When there are multiple destination domains only the first is masked in 6.5.3 environment
spUpdateStg_SymantecDAR is not populating DAR Stg_SymantecDAR_Incident
The data in analyzer is showing less data than when we look at it in the Database
spNormality_UpdateNormalityScores is deadlocking
Incident ID Search Does Not Return Results Initially
Subject field missing from DIM Event Search Export
Intermittent SQL blocking involving the LDW_Users table
DIM Incident 'Changed By' field does not update when an incident's status is updated with changes from DLP
Lost export functionality after upgrade to 653
Agent Coverage dashboard (out of the box) is not displaying similar information to what DLP is showing
Mapping Symantec DLP Agent Response names to DIM Incident Action Name
DIM incidents with matching source IDs from different linked servers
Leave MeasureValue null for entity collection that do not have an Event Count measure
MeasureValue for Risk Model entity collection not defined on an incident count does not update during processing
Privileges assigned to new portal user do not reflect inherited privileges of portal role via portal group association
Drillthrough incident from Analyzer is very slow for Entity Collections
The mitigation filter for the Risk Model Instances view does not filter Mitigated instances when set to 'No'
Cube Processing Bottleneck
Troubleshooting index data type mismatch errors