How to track files copied to USB drives with DataSecurity Plus

1. Download and install DataSecurity Plus.
2. Open the DataSecurity Plus console.
3. Navigate to the Endpoints tab. Go to Configuration → Sources → Devices.
4. In the Configured Workstation(s) page, select Add Workstation(s) in the top-right corner.

5. Select your Domain.
6. Select the + symbol next to the Select Workstation(s) text box, and add the workstations that you want to audit and secure.
7. Choose Removable Device Auditing.
8. Select Install Agent and Finish.

9. Navigate to Reports. Under Source Based Reports, choose Removable Storage File Activity Report.
10. Use the Period drop-down to select the desired time range over which file activities on removable storage devices such as USBs are to be monitored.
11. The report displays all file activities made on removable storage media.

1. Go to Endpoint → Configuration → Settings → Audit Configuration.
2. Choose Removable Storage from the available audit profiles.
3. Select Edit for the Removable Device Auditing audit profile.
4. The audit profile is predefined with an appropriate Name, Source, and Description.
5. Navigate to the Criteria section, and add these filters under the Include tab:
   • Actions: Files pasted.
   • Users: All.
6. Use the Exclude option to exempt trusted users, groups, or nonessential files from the File copied report.

1. In the DataSecurity Plus console, navigate to the Endpoints tab.
2. Go to Configuration → Settings → Alert Configuration.
3. Choose Removable Storage from the available Alert Profiles.
4. Select the Edit option for the Data Leak Prevention alert profile.
5. The alert profile is predefined with an appropriate Name, Source, Description, and Severity.
6. Navigate to the criteria section, and add these filters under the Include tab:
   • Actions: Files pasted.
   • Users: All.
   • File classification*: Restricted.
   Note: Use other criteria such as File Type, File Size, File Name, and more to selectively monitor critical data being copied.
7. Use the Exclude option to exempt trusted users, groups, or nonessential files from the File copied report.

8. Under the Threshold tab: 
   • Check Enable.
   • Specify the desired threshold value (e.g., configuring "100 events in 1 minute by any source" will raise an alert when 100 or more files are copied/pasted in under a minute.)
   Note: The threshold limit can be customized to your organization's needs.

8. Under the Response tab:
   • Select Email, and check Enable email notification.
     • Specify one or more email addresses you would like to send alerts to.
     • Set the email Priority to High.
   • Add an appropriate Subject and Message for your email.
   • Select Block USB and check Enable Block USB.
9. Click Save.

You have now successfully configured DataSecurity Plus to audit, alert, and respond to sensitive files being copied.