I need a solution
I need to set up a rule, or response, so that if a user is copying over a large amount of data to a USB we can flag that user. For example, we have a rule that tags drawings. If the end user moves a couple of drawings, it may or may not be a big deal. However, if that same user is copying over gigs of data in drawings, we would want to know that was happening.
I know that I can view the correlations in the incidents, but I would like to automate the process, so we can be alerted that it is happening instead of discovering it later.
Any ideas?