What is the step to create a policy to block the usb from DLP and how it can generate the incidents?
I believe you can use SEP for this, not DLP
How to block USB Devices, Excluding the Mouse and Keyboard, in the SEP Manager
You want to block USB Storage Devices using an Application policy
"Fine words! I wonder where you stole 'em." - Johnathan Swift
Yes i have already blocked with SEPM but i have heard from one of my engineer that we can able to create a policy which can block the usb and when anyone can tried to connect the usb, it's create the incident report.
for incident to be created the policy needs to be violated and DLP will monitor the content.
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Configuring the Endpoint Prevent: Block action
The Endpoint Prevent: Block response rule action blocks the movement of confidential data on the endpoint computer and optionally displays an on-screen notification to the endpoint user.
This response rule action is specific to Endpoint Prevent incidents. This response rule is not applicable to two-tiered detection methods requiring a Data Profile.
If you combine multiple endpoint response rules in a single policy, make sure that you understand the order of precedence for such rules.
The block action is not triggered for a copy of sensitive data to a local drive.
To configure the Endpoint Prevent: Block response rule action
1] Configure a response rule at the Configure Response Rule screen.
You configure response rules at the Manage > Policies > Response Rules > Configure Response Rule screen.
2] Add the Endpoint Prevent: Block action type from the Actions list.
You must configure at least one action for the response rule to be valid. You can configure multiple response rule actions. Each action is evaluated independently.
To define a response rule action
Configure a response rule at the Configure Response Rule screen.
Choose an action type from the Actions list and click Add Action.
For example, add the All: Add Note action to the response rule. This action lets the remediator annotate the incident.
Configure the action type by specifying the expected parameters for the chosen action type.
Repeat these steps for each action you want to add.