USB device connected
Trigger USB drive connection in DLP policies
Trigger USB drive connection enables management and monitoring of activities related to connecting USB devices to computers within the organization. Through detailed rule configuration, you can control USB device availability and define conditions for their use.
Configuration steps
USB device groups
Device group
Selection of USB device groups to be monitored.
Groups are created based on previously detected USB devices in the system.
Requirements:
Device identification by ID – a unique number assigned by the manufacturer that cannot be changed by the user (unlike the device name, which can be modified during formatting).
Behavior:
If a device is in a blocked group, its connection will be blocked even if the device name has been changed.
For devices not available on the list, it is possible to manually add the device to a group.
Event parameterization
Applies on selected days: Selection of days on which the rule should be active (checkboxes for each day of the week). Option: If the rule should operate all week, select all days.
Applies during selected hours: Definition of the time interval during which the rule should be active. Two modes are available:
24h Corresponds to the “asterisk” behavior – the rule operates around the clock on selected days.
Custom Allows specifying a custom time interval, e.g., 08:00 - 17:00. The possible range is from 00:00 to 23:59.
Additional parameters
NTFS (all partitions)
Checkbox YES/IGNORE/NO, which specifies whether devices with the NTFS file system should be monitored/blocked.
Encryption
A checkbox allowing specification of the USB device encryption status (ENCRYPTED/IGNORE/UNENCRYPTED). The rule allows blocking or allowing devices depending on whether they are encrypted.
Creating a new USB device group – step by step
Practical application
Example: The organization wants to allow only authorized USB devices.
Configuration:
Create a group containing authorized USB devices based on ID.
Block all other devices outside this group.
Activate the rule for all days of the week and in a 24-hour mode.
Effect: Only the defined USB devices will be accepted, and any unauthorized connection will be blocked.
Monitoring USB flash drives
By default the system does not monitor USB flash drive-type devices.
If you want to enable monitoring - even without blocking - you should activate the appropriate policy for all devices, leaving the default settings:
device group - All
no exclusions
full time range
This will cause the system to start recording events related to connecting USB media.
If you are only interested in monitoring without taking blocking actions, in the next step:
deactivate the “Perform these actions” option
in the “Send notification” section enable only event logging
optionally enable user notification
It is advisable to clearly inform the user in the message content that connecting USB devices is being monitored. Building awareness among employees is a good practice.
Summary
Trigger USB drive connection is a key tool in enforcing security policies regarding data media. It enables precise control over USB device availability, minimizing the risk of unauthorized data access within the organization. With flexible configuration options, adapting rules to organizational needs is fast and effective.
Last updated
Was this helpful?