Detecting Exfiltration to an External Device

ObserveIT can detect files copied or downloaded to connected USB devices (including a disk-on-key, other portable USB devices and Thunderbolt connectors).

Some smart phones (primarily Android) and specific SD cards might be recognized; however, they are not fully supported as an exit point.

This feature is supported on Windows and Mac systems.

USB Device Allowed Lists

The detection mechanism enables you to distinguish between:

  • Allowed listed status: Authorized devices, such as corporate devices

  • Unlisted status: Unauthorized devices, such as personal devices

You can create a list of allowed devices to use when setting up alerts and reports.

Use the ObserveIT lists (see Implementing Lists in ObserveIT). Select White listed USB devices from the lists (see and Managing Lists). For more information, see Maintaining a White List in the List page.

Device Identifiers

Device serial number, model name, device ID, vendor name, and label name can be used to identify the devices.

USB Device Features

Using a USB device's status and its identifiers, you can:

  • Set up alerts for files copied or downloaded to USB devices: Set up alerts when files are exfiltrated to allowed listed or unlisted USB devices. See Exfiltrated File - Did What.

  • Set up alerts for USB devices: Set up alerts when any USB device is connected, or specify alerts when allowed listed USB devices or unlisted USB devices are connected. You can also specify an alert trigger by a USB device serial number, model name, vendor name, USB Device ID or label name. See USB Device Available.

  • View the history of USB devices: Monitor connected USB devices. The view includes the USB device status, details, and events. See USB History.

  • Create reports with USB devices details: Include columns for USB Serial Number, Device Model, Device Vendor, Device Label, Device Currently allowed listed. See File Activity Report Configuration.

  • Ignore devices: Ignore a USB device, usually for a specified time period. This option is useful when backing up to a USB device. With this option, ObserveIT does not monitor and list all the backup events.
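
The following is an added illustration, not ObserveIT code or its matching logic: a small Python model of how device status, identifiers and an ignore window can combine when triaging file-copy events. The field names, the rule that every identifier set in a list entry must match (case-insensitively), the alert-on-unlisted policy and the "record" action are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Identifier kinds named on this page; the field names are assumptions.
ID_FIELDS = ("serial", "model", "device_id", "vendor", "label")

@dataclass(frozen=True)
class FileCopy:
    when: datetime
    path: str
    device: dict  # identifiers reported for the target USB device

def matches(entry, device):
    """True when every identifier the entry sets equals the device's value.
    A device that reports no value for a required identifier never matches."""
    keys = [k for k in ID_FIELDS if entry.get(k)]
    return bool(keys) and all(
        str(device.get(k) or "").strip().lower() == entry[k].strip().lower()
        for k in keys)

def status(device, allow_list):
    return "allowed listed" if any(matches(e, device) for e in allow_list) else "unlisted"

def triage(events, allow_list, ignores):
    """ignores holds (entry, start, end) windows, e.g. a scheduled backup.
    Returns (path, status, action) per event."""
    results = []
    for ev in events:
        st = status(ev.device, allow_list)
        ignored = any(matches(e, ev.device) and start <= ev.when < end
                      for e, start, end in ignores)
        action = "ignore" if ignored else "alert" if st == "unlisted" else "record"
        results.append((ev.path, st, action))
    return results

# Constructed sample data (not real devices or ObserveIT output).
CORP = {"serial": "CORP-0001", "vendor": "ExampleVendor"}
ALLOW = [CORP]
IGNORES = [(CORP, datetime(2024, 1, 5, 1, 0), datetime(2024, 1, 5, 3, 0))]
EVENTS = [
    FileCopy(datetime(2024, 1, 5, 2, 0), "backup.tar",
             {"serial": "corp-0001", "vendor": "ExampleVendor", "label": "BACKUP"}),
    FileCopy(datetime(2024, 1, 5, 9, 0), "plan.xlsx",
             {"serial": "CORP-0001", "vendor": "ExampleVendor"}),
    FileCopy(datetime(2024, 1, 5, 9, 5), "customers.csv",
             {"serial": None, "vendor": "ExampleVendor", "model": "Stick 3"}),
]

if __name__ == "__main__":
    for row in triage(EVENTS, ALLOW, IGNORES):
        print(row)
```

The third event shows why a list entry keyed on serial number is stricter than one keyed on vendor alone: a device from the same vendor that reports no serial stays unlisted.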

Viewing Results in the Web Console Diaries

You can view USB device activity from the Summary and Timeline views in the Endpoint Diary and User Diary. USB details (device serial number, model name, vendor name, and label name) and details of the activities performed on the USB device are displayed.