The Data Loss Defender (DLD) feature of the Windows System Monitor Agent independently monitors and logs the connection and disconnection of external data devices to the host computer where the Agent is running. It also monitors and logs the transmission of files to an external storage device. You can configure DLD to protect against external data device connections by ejecting specified devices upon detection. External USB drive storage devices include Flash/RAM drives and CD/DVD drives.
You must configure Data Loss Defender from both of these locations:
- The Data Loss Defender Policy Manager
- System Monitor Agent DLD Properties
A LogRhythm DLD log message source type is automatically created for each agent on its first connection to the Mediator. The Log Message Source Name is WinDataDefender. It is associated with the LogRhythm Default policy, which contains all available MPE rules. For information on accessing and modifying the log source type, see Modify a Single Log Source.
A LogRhythm Default policy exists for Data Loss Defender in the Knowledge Base file. To access the Log Processing Policy and its associated MPE Rules, see Modify Log Processing Policies.
MPE Rules exist for DLD in the MPE Rule Builder. Specific settings can be viewed and modified from within the DLD Log Processing Policy.
DLD logs can be queried using Investigator, monitored in Personal Dashboard and Tail, and restored using LogRhythm’s Archive Restoration tool SecondLook.