jlph
Level 8
Message 1 of 4

DLP auditing

We are currently using DLP 10.0 to manage the devices that are used within our organisation. We have a requirement to audit files that are transferred to removable media. I've read articles that suggest this capability exists but can't seem to find anywhere to configure the DLP logging policy. Currently the DLP events record that a device was plugged into the device and the subsequent action that was taken.

How do we go about logging the filenames that are transferred to removable media?

Thanks in advance.

3 Replies
McAfee Employee hhoang
Message 2 of 4

Re: DLP auditing

Sounds like you are using strictly device control functionality with DLPe. To monitor files being transferred you will need to use a removable storage protection rule (as opposed to a removable storage device rule) and set the classification to [is any data (all)] if you wish to capture all files being transferred (if you want an actual copy of the file then you will need to configure evidence storage and an evidence share as well).

If you are unsure how to configure it you can use the built-in rule set examples as a reference point ([Sample Monitor US PII content]).

jlph
Level 8
Message 3 of 4

Re: DLP auditing

Hi Hhoang, you were absolutely spot on. I was only using the device control functionality. I have since followed your instructions and created a removable storage protection rule. On my test device I can see Removable Storage Protection events but found that the name of the copied file is not included in the log. Is there a way that this can be recorded? I am aware that I can specify a share where file copies can be stored but at this moment in time we do not want to implement this.

threatEvent.png

Above is a screenshot of the threat event in question.

Any help would be appreciated!


Re: DLP auditing

You need to go to the DLP Incident Manager to see DLP details.
