3 Replies Latest reply on Dec 16, 2016 10:21 AM by taziegma

    DLP auditing

    jlph

      We are currently using DLP 10.0 to manage the devices that are used within our organisation. We have a requirement to audit files that are transferred to removal media. I've read articles that suggest this capability exists but can't seem to find anywhere to configure the DLP logging policy. Currently the DLP events record that a device was plugged into the device and the subsequent action that was taken.

       

      How do we go about logging the filenames that are transferred to removable media?

       

      Thanks in advance.

        • 1. Re: DLP auditing
          hhoang

          Sounds like you are using strictly device control functionality with DLPe.  To monitor files being transferred you will need to use a removable storage protection rule (as opposed to a removable storage device rule) and set the classification to [is any data (all)] if you wish to capture all files being transferred (if you want an actual copy of the file then you will need to configure evidence storage and an evidence share as well). 

           

          If you are unsure how to configure it you can use the built-in rule set examples as a reference point ([Sample Monitor US PII content]).

          • 2. Re: DLP auditing
            jlph

            Hi Hhoang, you were absolutely spot on. I was only using the device control functionality. I have since followed your instructions and created a removal storage protection rule. On my test device I can see Removable Storage Protection events but found that the name of the copied file is not included in the log. Is there a way that this can be recorded? I am aware that I can specify a share where file copies can be stored but at this moment in time we do not want to implement this.

             

            threatEvent.png

             

            Above is a screenshot of the threat event in question.

             

            Any help would be appreciated!

            • 3. Re: DLP auditing
              taziegma

              You need to go to the DLP Incident Manager to see DLP details.