USB Write monitoring issue
I have a policy to monitor USB Write attempts but Allow Read access.
This one policy has just one Rule using Protocol - (Protocol or Endpoint Monitoring) and the following Condition:
Detect when users move data on the endpoint to these places: Removable Storage
Although it is picking up all files moving to removable storage, my issue occurs with those cases where someone is reading data from a USB device. My console is filling up with temp file writes that seem application-generated, and numerous ~ files. It also seems that someone using 'portable apps' running from a USB stick triggers multiple incidents. I would like to (actually need to) filter out all these 'non-user-initiated' writes from producing incidents so that I can actually determine if someone attempted a write or not.
Now I know a write attempt is still occurring, so it is working correctly... But is there a way, or an additional setting, that I can utilize to determine if the user generated the write or the system, or generally just obtain more detail on the incident?
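As an added example (not from the original post, and not a setting of the DLP product), the triage below shows one way to separate the application-generated noise the post describes (temp and ~ files, portable apps writing their own state) from writes that merit analyst review. It assumes exported incidents carry a destination file path, the writing process path, and the removable volume's root; the record layout and sample incidents are constructed.

```python
import re
from dataclasses import dataclass


# Assumed incident layout for this example; real exports will differ.
@dataclass
class Incident:
    file_path: str       # destination path on the removable volume
    process: str         # full path of the process that performed the write
    removable_root: str  # mount point of the removable device, e.g. "E:\\"


# File names typical of application housekeeping rather than a user copy:
# Office lock/owner files (~$...), autosave temps (~WRL....tmp), .tmp/.temp,
# editor backups ending in ~, and LibreOffice .~lock. files.
APP_NOISE_NAME = re.compile(r"(^~|\.tmp$|\.temp$|~$|^\.~lock\.)", re.IGNORECASE)


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def is_app_generated(inc: Incident) -> bool:
    """Heuristic: True when the write looks like application noise."""
    name = _norm(inc.file_path).rsplit("/", 1)[-1]
    if APP_NOISE_NAME.search(name):
        return True
    # A process executing from the USB volume and writing back to that same
    # volume is usually a portable app maintaining its own state.
    return _norm(inc.process).startswith(_norm(inc.removable_root))


def triage(incidents):
    """Split incidents into (likely user-initiated, likely application noise)."""
    user, noise = [], []
    for inc in incidents:
        (noise if is_app_generated(inc) else user).append(inc)
    return user, noise


# Constructed sample incidents mirroring the cases in the post.
SAMPLE = [
    Incident(r"E:\Q3 report.docx", r"C:\Windows\explorer.exe", "E:\\"),
    Incident(r"E:\~$Q3 report.docx", r"C:\Program Files\Microsoft Office\WINWORD.EXE", "E:\\"),
    Incident(r"E:\~WRL0001.tmp", r"C:\Program Files\Microsoft Office\WINWORD.EXE", "E:\\"),
    Incident(r"E:\PortableApps\FirefoxPortable\Data\profile\places.sqlite",
             r"E:\PortableApps\FirefoxPortable\FirefoxPortable.exe", "E:\\"),
    Incident(r"E:\customers.xlsx", r"C:\Windows\explorer.exe", "E:\\"),
]

if __name__ == "__main__":
    user, noise = triage(SAMPLE)
    for inc in user:
        print("REVIEW  ", inc.file_path, "<-", inc.process)
    for inc in noise:
        print("suppress", inc.file_path, "<-", inc.process)
```

The suppressed incidents are still recorded; this only changes which ones the analyst looks at first, and the name patterns should be tuned to the applications actually seen in the console.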