This is my current set up: I have two overall "classes" of removable storage devices Authorized and Unauthorized, I determine which class a device belongs to by its serial number.
What I am looking for is a way to monitor file access on devices belonging it to the Unauthorized class, I can't seem to find any way of doing this with either the Protection Rules or the Device control rules.
Is there any way of doing this?
Protection Rules can be set up to show which files are being copied off to the Removable Storage....I take it both the Authorized and Unauthorized are in Monitor mode.
However, as far as file access, I dont think DLP will log that.....
However, there is a Removable Storage File Access rule...this may only track/block only executable types....but maybe you can do your own file definition for a bunch of file types and leverage this.