Devices investigation provides advanced tool to search, analyze, and obtain the device usage insights based on the correlation of users and endpoints.​

This view gives a holistic view for user’s activities based on device usage, IOBs, and Enterprise DLP incidents.

Thereby, gaining visibility on file transferred metadata for the files that were copied from and to the removable storage devices, without any performance impact to the endpoint.

Use the Devices tab on the Investigation view for a selected time frame (24 hours, 7 days, and 30 days) to view details on specific devices like the associated permissions, custom rules applied, unique users who connected using the device, unique endpoints the device was connected to, volume of read or write that happened to the device along with device identifiers like the serial number, vendor ID (VID), and product ID (PID).

Filtering capability allows for filtering based on each column in the Devices tab.

Device friendly name: Displays the device friendly name.
Access permission: Displays the associated device access permissions, can be Allow, Block, or Read only as per applied custom rule set permissions.
Custom rules: Displays the applied custom rule for the listed removable device. Click each rule to view details under the Policy view.
Unique users: Lists the unique users who connected the removable device to transfer data.
Unique endpoints: Lists the unique endpoints where the removable device was connected to transfer data.
Total read: Specifies the volume of data read from the specified removable device.
Total write: Specifies the volume of data written to from the specified removable device.
Serial number: Device serial number.
VID: Vendor ID of the device.
PID: Product ID of the device
Last activity: The last read or write activity done on the device.

For users logged in as analyst, the Unique endpoints field will be anonymized.

Export Devices details as a CSV report using the icon. For more details refer the section Export data from Forcepoint Neo portal.