Detecting Copy to USB

This use case detects any copy activity to USB.

Set up the Exploration to detect Copy to USB activity.

  1. Open a new Exploration. From the Proofpoint Information and Cloud Security Platform, select the Analytics app.

  2. From the left side-menu, select Activity > Explorations. Click the New Exploration button.

  3. Your new exploration opens and you see the source node with the default region, time and source. By default, a new Exploration shows all events captured for the past 24 hours, without any filtering applied.

  4. Hover over this first filter and click the pencil button to edit the filter.

    A pane on the right opens.

  5. In the Filter by > Time area, in Over the last, select 7d. All the data from the past 7 days is displayed. Click Done.

  6. Now, explore Copy to USB activity. Click + (the add filter button) to add a new filter. A pane opens on the right.

  7. Select Primary Category > Copy to USB.

    Type Primary Category in Search Fields to locate this field.

    If Copy to USB is not available, then no copies to USB have been captured yet by the Proofpoint ITM Agent in your environment. Wait for more data to be collected by the Agent or generate some events on your own.

  8. Take a look at the activities. In the Activity Summary pane, click Edit Columns.

  9. Scroll to Devices > USB Product Name. Click Done.

    Activity Summary now shows all users who copied files to USB devices next to the names of these devices. This is a quick way to identify whether a user uses an unapproved USB device.

  10. Click the Tree tab in the Activity Summary pane. You can now expand each username individually to easily view all devices for each user.

  11. Click a device for a user. Activity view now shows only USB copies for this specific user and device.
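
The per-user, per-device grouping from steps 9 to 11 can also be reproduced offline to check device names against an approved list. The following is an added example, not part of the Proofpoint documentation; the CSV column names, the sample rows and the allowlist are constructed assumptions, not the platform's export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column names are assumptions for this example,
# not the platform's export schema.
SAMPLE_EXPORT = """\
user,usb_product_name,file_name
alice,Kingston DataTraveler 3.0,q3-forecast.xlsx
alice,Kingston DataTraveler 3.0,roadmap.pptx
bob,SanDisk Ultra,customer-list.csv
bob,Corp Encrypted Drive,notes.txt
carol,Corp Encrypted Drive,minutes.docx
bob,sandisk ultra ,payroll.csv
"""

# Hypothetical allowlist of approved USB product names.
APPROVED_DEVICES = {"Corp Encrypted Drive"}


def normalize(name):
    """Case-fold and collapse whitespace so spelling variants of a name match."""
    return " ".join(name.split()).casefold()


def build_tree(csv_text):
    """Return {user: {device: [files]}}, mirroring the Tree tab grouping."""
    tree = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text)):
        device = normalize(row["usb_product_name"])
        tree[row["user"].strip()][device].append(row["file_name"].strip())
    return tree


def unapproved_copies(tree, approved):
    """Return sorted (user, device, file_count) for devices not on the allowlist."""
    allowed = {normalize(d) for d in approved}
    return sorted(
        (user, device, len(files))
        for user, devices in tree.items()
        for device, files in devices.items()
        if device not in allowed
    )


if __name__ == "__main__":
    hits = unapproved_copies(build_tree(SAMPLE_EXPORT), APPROVED_DEVICES)
    for user, device, count in hits:
        print(f"{user}: {count} file(s) copied to unapproved device '{device}'")
```

Normalizing the product name before comparison keeps the same device from appearing as two entries when its name differs only in case or spacing.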

