I need to find a way to have Device Control report/email/alert when a blocked event has happened.
We had a lot of machines and use Device Control in a white list format. Basically, we block EVERYTHING unless we have approved the device.
Currently I am having to run a SQL query to pull any decent info out, mainly PID and VID of the blocked device. It is also easier to filter out the duplicates, but I need real-time reporting, not manual efforts.
The email alerting you can configure via the DLP Incident Manager is OK, but you cannot see PID/VID info or filter on PID/VID. There is also no way to just pull out the unique alerts over the last 15 minutes, for example.
Can anyone shed some light on what they use for Device Control event alerting?