Ralph,
If I understand you correctly, then what you really want to do is improve the efficiency of the "owner" that is listed inside the incident details? Or are you trying to use the file "owner" in the actual policies that you are detecting on?
It sounds to me like ChangeAuditor is a comparable product to what Symantec's Data Insight is. Your description of the problem, with File Owner not really being correct and many times being BuiltIn\Administrator, is quite common. This is why we push customers looking for data at rest to use Data Insight to help provide better context.
To your question, is it possible? Yes. Using the lookup plugin, you can approach it in one of two ways, really:
- Use the CSV lookup as described above, with some sort of (for the sake of easy explanation) "daily" digest or report of current file owner information. Essentially this would include information corresponding to the filename, owner, and other ancillary data you may have/want to match up. The lookup would use a variable from the incident (%filename%, for example) to match the data, and then load the matching field from the CSV (%fileowner%, for example) into the custom attribute fields. Very manual process.
- Another way would be to use the capability of the FlexResponse plugin to run a script which can do a number of different things, including launching some sort of script that can populate the information requested inside the incident in a similar fashion.
The last idea I would suggest is looking at the new reporting API that has been made available in 11.6, which includes the ability to modify/update information within an incident with data from another system. While we don't have something built for Quest ChangeAuditor, you may be able to have some sharp internal folks develop it, or even look to the trusted Symantec partners recommended by your Symantec Sales team to see if they might be able to scope out building such a connection.
Lastly, to answer the question about the Data Insight server, it's a yes and a no. While you will need another server for the management/indexing, you don't need it for the collector. The collector can usually be co-located on the Discover detection server. If it is a small architecture, you may be able to get away with a VM running the Indexer and Management server. It would be best to consult with your Symantec team, though, as every deployment varies.
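To make the CSV lookup idea from the reply above concrete, here is an added example in Python. It is not the poster's code and not the Symantec lookup plugin itself (the plugin's real properties/mapping format is not reproduced here); it just shows the matching logic such a digest-based lookup has to get right. The digest rows, the column names (filename, owner, last_writer), the custom attribute names FileOwner and OwnerSource, and the server/user names are all constructed for the example. The one caveat it handles is the point raised in the thread: when the NTFS owner is BUILTIN\Administrators the lookup falls back to a last-writer column and records where the value came from, instead of silently writing an unhelpful owner into the incident.

```python
import csv
import io
import ntpath

# Constructed sample "daily digest" of file-owner data (not real data).
# Column names are an assumption; a real digest carries whatever the
# inventory tool exports. last_writer is a fallback for files whose
# NTFS owner is an uninformative built-in account.
DIGEST_CSV = r"""filename,owner,last_writer
\\fileserver01\finance\q3\budget.xlsx,CORP\jdoe,CORP\jdoe
\\fileserver01\finance\q3\payroll.csv,BUILTIN\Administrators,CORP\asmith
\\fileserver01\hr\offers\offer_letter.docx,CORP\hrbot,
"""

# Owners that say nothing useful about who is responsible for the data.
AMBIGUOUS_OWNERS = {"BUILTIN\\ADMINISTRATORS", "NT AUTHORITY\\SYSTEM"}


def normalize_path(path):
    """Canonical, case-folded Windows/UNC path so the incident's filename
    and the digest's filename match even if one side uses forward slashes
    or different letter case."""
    return ntpath.normpath(path.strip()).lower()


def load_digest(csv_text):
    """Index the digest by normalized filename (the lookup's match key)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalize_path(row["filename"]): row for row in reader}


def lookup_owner(digest, incident_filename):
    """Return the custom attribute values to write back to the incident.

    FileOwner and OwnerSource are hypothetical custom attribute names.
    """
    row = digest.get(normalize_path(incident_filename))
    if row is None:
        # Keep the attribute empty and say why, so the gap is visible.
        return {"FileOwner": "", "OwnerSource": "not-in-digest"}
    owner = row["owner"].strip()
    last_writer = (row.get("last_writer") or "").strip()
    if owner.upper() in AMBIGUOUS_OWNERS and last_writer:
        # NTFS owner is a built-in group: fall back to the last writer and
        # record the provenance rather than reporting Administrators.
        return {"FileOwner": last_writer,
                "OwnerSource": "last_writer (ntfs owner was %s)" % owner}
    return {"FileOwner": owner, "OwnerSource": "ntfs_owner"}


if __name__ == "__main__":
    digest = load_digest(DIGEST_CSV)
    # Constructed incident filenames: same files, different case/slashes,
    # plus one not present in the digest.
    for incident_file in ("\\\\FILESERVER01\\Finance\\Q3\\budget.xlsx",
                          "//fileserver01/finance/q3/payroll.csv",
                          "\\\\fileserver01\\hr\\old\\gone.docx"):
        print(incident_file, "->", lookup_owner(digest, incident_file))
```

Whether the digest comes from ChangeAuditor, a scheduled Get-Acl export, or Data Insight, the same two details matter: normalize the path the same way on both sides, and decide up front what to write when the owner is a built-in account, because that case is the common one.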