Email alerts for items not baselined (if baselining is possible?)
I am looking to receive email alerts from DLP.
Is there a way to 1) baseline the current system and then 2) get alerted on any new item that is connected?
I want to be able to still record all incidents but only receive emails for new connected items.
An example: some ultra small form factors have the CD drive connected with USB. Also, the 'usb mass storage device', 'Generic Bluetooth Adapter', and 'Microsoft Bluetooth Enumerator' get recorded each time the system is rebooted. (Eventually I will filter these out, provided I can still capture incidents of new devices.) But I am unable to create an email alert to exclude these (probably just doing it wrong).
I am looking to get email alerts of new items that are not in a "baseline" (if a baseline can be done?)
Is this possible, or am I looking at this the wrong way?