7 Replies Latest reply on Jul 16, 2014 11:08 AM by vimalnavis

    DLP - removable Storage - Rules - definition question

    ninjaneer68

      I am building a rule to monitor USB removable storage (monitor only) right now.


      Below is the make-up of the rule.


      It is made up of 3 removable storage device definitions:


      1. DEVDEF - RS_filesystem = contains all the Windows file systems: FAT, NTFS, etc.

      2. DEVDEF - RS File system access = read-write

      3. DEVDEF - bus type = USB


      Created a removable storage device rule to monitor only, with all the above definitions attached. UAG with the Domain Users AD object for many different domains.


      When I do a query to show me all the machines that popped for this device rule, I get A LOT of things that aren't bus type USB.


      GenFloppyDisk comes up a lot. For the floppy, the device details have no bus type; the only match in the details to my rule is the device file-system access = read-write.

      I keep getting back floppy drives, and they are not considered bus type USB.


      The question I have: should I not build out the device definitions separately like that? Should I build out the above removable storage device definitions all into ONE definition, with all the above selected in the one definition?

      The only reason I split them out is that I heard the results are better (don't know how true that is).


      Building out a test rule now that is made up of ONE definition with all the above selected, and will post results. Might have to let it sit overnight and see what happens.


      Message was edited by: sstretchh on 7/9/14 10:07:16 AM CDT
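As an added illustration (not from the original post or from the DLP product), a small Python model of the two ways of building the rule described above. It assumes that several definitions attached to one rule fire when any one of them matches, while a single definition with every criterion selected fires only when all of them hold; the device records and attribute names are constructed for the example.

```python
# Added example: models a removable-storage rule built from separate device
# definitions versus one combined definition. The "any definition matches"
# semantics for separate definitions is an assumption for illustration.

# Constructed device records, loosely modelled on the observations in the post.
DEVICES = [
    {"name": "USB thumb drive", "bus": "USB", "fs": "NTFS", "access": "read-write"},
    {"name": "GenFloppyDisk", "bus": None, "fs": "FAT", "access": "read-write"},
    {"name": "USB CD-ROM", "bus": "USB", "fs": "CDFS", "access": "read-only"},
]

WINDOWS_FS = {"FAT", "FAT32", "exFAT", "NTFS"}

# The three separate definitions from the post, each as a predicate.
SEPARATE_DEFS = {
    "RS_filesystem": lambda d: d["fs"] in WINDOWS_FS,
    "RS File system access": lambda d: d["access"] == "read-write",
    "bus type USB": lambda d: d["bus"] == "USB",
}


def match_any(device):
    """Rule with several definitions attached: names of definitions that hit.

    A non-empty list means the rule fires under the assumed any-of semantics.
    """
    return [name for name, pred in SEPARATE_DEFS.items() if pred(device)]


def match_combined(device):
    """Single definition with all criteria selected: fires only if ALL hold."""
    return all(pred(device) for pred in SEPARATE_DEFS.values())


def evaluate(devices=DEVICES):
    """Return {device name: (fires under any-of, fires under combined)}."""
    return {d["name"]: (bool(match_any(d)), match_combined(d)) for d in devices}


if __name__ == "__main__":
    for name, (any_hit, all_hit) in evaluate().items():
        print(f"{name:16} separate-defs={any_hit!s:5} combined={all_hit}")
```

Under the any-of assumption the floppy fires on the file-system and read-write definitions alone, which reproduces the GenFloppyDisk noise; the combined definition drops it because it has no USB bus type.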