i know dlp can track when a file is moved to/from a usb.
if a file is opened, viewed and then closed, can it be tracked?
the action does NOT involve a save.
Yes, you can do that with an Application File Access Protection rule - however, you'll need to know which applications are going to be used to access the files. You should also be aware that this might cause a lot of false positives so proper tuning might be required using trusted processes. The following articles should be helpful:
thanks for the follow up.
i do not see a way to target only USB devices (or just trying to test with E drive).
i can select adobe and ms apps but classification is confusing. do you know if i am able to target/select by usb device?
Selecting all, i can put an exception on the next tab but unable to say 'No C Drive'...rather, how can i exclude that location?
Looks like I got the wrong idea initially. In this case, do you have Device Control license active? If so, then you should be able in a rule set to go to the Device Control tab and create a Removable Storage File Access Device Rule:
The bad news here are that you have to define specific file extensions you want to monitor.
Alternatively, you could try using Removable Storage Protection rule and set the monitored Copy Direction to "Incoming - Copy to local drive", but I am not sure if this is going to work according to your expectations.
As for the Application File Access Protection rule, I believe you should be able to also create a new classification using "Location content fingerprinting Criteria", select "Mass storage devices and Floppy Disks" and enter any relevant data - if you want to capture as many files as possible, I believe you could use a "File Information" definition specifying file size greater than 1 KB.
Please let me know if any of the options above worked for you.
@McADOC1 Sorry for the delayed response.
In simple, DLP can not track file Opened, Viewed and closed actions.
If you wish, use Application File Access Protection Rule which can monitor the files accessed / opened. Please be informed, this would trigger plenty of incidents.