Forum Discussion
lfk73, Brass Contributor
Jul 23, 2024
Catch all rule
Can anyone suggest a rule that would basically capture and alert for any file copied to removable media?
We have people approved to use external storage, but I want to get a log of anything copied to removable media, not just a specific file.
1 Reply
- Ahmed_Masoud97, Steel Contributor
- You can enable auditing to see such activities.
  - Open the Local Group Policy Editor on your computer: press Win + R, type gpedit.msc, and press Enter.
  - Go to Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Object Access, and enable auditing for removable storage:
    - Double-click Audit Removable Storage.
    - Check both Success and Failure to track successful and failed access attempts.
    - Click Apply and OK.
  - Open File Explorer, right-click on the drive or folder you want to audit, and select Properties.
    - Go to the Security tab and click Advanced.
    - Go to the Auditing tab and click Add.
    - Select a principal (e.g., Everyone), choose Full Control in the permissions, and specify the auditing conditions, usually Everyone too.
  - View the logs:
    - Open the Event Viewer.
    - Navigate to Windows Logs -> Security.
    - Look for events with the ID 4663, which indicate file access attempts.
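
A scripted counterpart to the steps in the reply above, as an added example that is not part of the thread: it enables the Removable Storage audit subcategory with `auditpol` and exports the event ID 4663 records that carry write access. The 24-hour window, the CSV file name and the English category name "Removable Storage" are assumptions.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Enable the "Removable Storage" audit subcategory (the setting from the GPO step).
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable

# Assumption: only the last 24 hours are of interest.
$since = (Get-Date).AddHours(-24)

# Access-mask bits for file objects: 0x2 = WriteData/AddFile, 0x4 = AppendData.
$writeBits = 0x2 -bor 0x4

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = $since
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Event 4663 is also logged for ordinary file-system auditing; keep only
    # records from the Removable Storage task category (English display name).
    if ($e.TaskDisplayName -ne 'Removable Storage') { continue }

    # Turn the EventData name/value pairs into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # AccessMask is logged as a hex string such as 0x2; skip read-only access.
    $mask = [Convert]::ToInt64($data['AccessMask'], 16)
    if (($mask -band $writeBits) -eq 0) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process = $data['ProcessName']
        File    = $data['ObjectName']
        Access  = $data['AccessMask']
    }
}

# One row per write to a removable device: who, when, which process, which file.
$report | Sort-Object Time | Export-Csv -Path .\removable-writes.csv -NoTypeInformation
```

Each row records a write to an object on the removable device; the event does not name the source file the data was copied from.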