Monitoring sensitive files moved to USB

jpcapone 1,616 Reputation points
2024-11-14T21:34:36.8033333+00:00

Is there a way to use DLP policies to monitor when sensitive labeled files are moved to a USB drive on a users laptop or PC? Is this capability available using DLP policies and Activity explorer? Would we have to onboard the devices to DLP endpoint for this to happen or can it be done without it?

Azure Information Protection
Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
551 questions
Microsoft Purview
Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
1,300 questions
0 comments No comments
{count} votes

Accepted answer
  1. Smaran Thoomu 18,710 Reputation points Microsoft Vendor
    2024-11-15T12:35:43.0766667+00:00

    Hi @jpcapone

    Welcome to Microsoft Q&A platform and thanks for posting your query here.

    Yes, you can use Data Loss Prevention (DLP) policies to monitor when sensitive files are moved to a USB drive on a user's laptop or PC.

    Here’s what you need to do:

    1. Set Up DLP on Devices: You need to set up DLP on the devices (laptops and PCs) you want to monitor. This will give you the ability to see and control what happens to sensitive files on those devices.
    2. Create DLP Rules: Make rules in the DLP settings that will watch for and possibly block sensitive files from being moved to a USB drive. These rules can alert you or stop the action if someone tries to do this.
    3. Label Sensitive Files: Make sure your sensitive files are marked with special labels that identify them as important. This helps the DLP rules know which files to watch.
    4. Use Activity Explorer: Use the Activity Explorer tool to see what users are doing with sensitive files. This tool will show you if someone tries to move a labeled file to a USB drive.

    Without onboarding devices, DLP policies will not be able to monitor or enforce restrictions for file movements on endpoints, including USB drives.

    The policies can still work for files stored or moved within cloud services, SharePoint, OneDrive, and Exchange activities, but USB monitoring requires Endpoint DLP.

    For reference: https://learn.microsoft.com/en-us/purview/dlp-policy-reference

    I hope this helps. Please let me know if you have any questions.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.