Sounds like you are using strictly device control functionality with DLPe. To monitor files being transferred you will need to use a removable storage protection rule (as opposed to a removable storage device rule) and set the classification to [is any data (all)] if you wish to capture all files being transferred (if you want an actual copy of the file then you will need to configure evidence storage and an evidence share as well).
If you are unsure how to configure it you can use the built-in rule set examples as a reference point ([Sample Monitor US PII content]).
Hi Hhoang, you were absolutely spot on. I was only using the device control functionality. I have since followed your instructions and created a removable storage protection rule. On my test device I can see Removable Storage Protection events but found that the name of the copied file is not included in the log. Is there a way that this can be recorded? I am aware that I can specify a share where file copies can be stored, but at this moment in time we do not want to implement this.
Above is a screenshot of the threat event in question.
Any help would be appreciated!
You need to go to the DLP Incident Manager to see DLP details.