Open for Voting

USB Monitoring - Validation of File writes to USB media

I like the LEM and it has been used to identify and troubleshoot a number of issues.

USB logging, though, has created a major issue and unfortunately generates what I would call false positives. The LEM itself is capturing the logs accurately, but unfortunately Windows itself isn't telling the truth.

Normal use of plugging a USB device in, copying files and pulling the USB out again is all recorded very accurately.

However, if you leave an attached USB disk in for several hours, Windows or Antivirus would appear to randomly change a file attribute on all files on any attached USB media. This action is recorded as a "FileWrite".

From a SOC perspective it gave the impression that 22,000 new files were copied to a USB mass storage device and it was treated as a major security incident. Unfortunately this random process has undermined Senior Management's trust in the interpretation of the logs that were generated, and it created huge embarrassment for all those involved after the incident management process discovered it was a false positive.

Please could some intelligence be put onto the agent that can verify that a file was copied to USB before reporting the event. This would benefit all customers as it would reduce white logging noise, improve performance of the WAN and the LEM, and would create a truly reliable Data Loss Prevention and Audit tool.

Thanks

Charles Hindmarsh
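The two checks the post asks for, as an added example that is not part of the original post and not SolarWinds LEM or agent code: an agent-side check that compares a file's size and content hash against a baseline taken when the device was attached, so that an attribute-only change is not reported as data landing on the media, and a SOC-side burst detector that flags a volume when an implausibly large number of distinct files receive FileWrite events inside a short window, the pattern a scheduled attribute sweep produces rather than a person copying files. The event tuple layout, the 60-second window, the 1,000-file threshold and the temp-directory "USB volume" are all constructed assumptions for the demonstration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta


def content_fingerprint(path):
    """Size plus SHA-256 of the file body; attribute or timestamp changes leave this unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def snapshot_volume(root):
    """Baseline fingerprints for every file under root, taken when the device is attached."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            snap[path] = content_fingerprint(path)
    return snap


def classify_filewrite(path, snap):
    """Decide whether a FileWrite notification reflects real data written to the media.

    Returns 'new_file', 'content_write' or 'attribute_only' and refreshes the baseline
    so the next notification for the same path is judged against the latest content.
    """
    current = content_fingerprint(path)
    previous = snap.get(path)
    snap[path] = current
    if previous is None:
        return "new_file"
    return "content_write" if current != previous else "attribute_only"


def find_sweeps(events, window=timedelta(seconds=60), min_files=1000):
    """events: iterable of (datetime, volume, path) tuples (assumed layout of parsed FileWrite records).

    Flags each volume on which at least min_files distinct paths are written inside one
    window; returns {volume: distinct_files_seen_when_threshold_was_hit}.
    """
    by_volume = defaultdict(list)
    for ts, volume, path in events:
        by_volume[volume].append((ts, path))
    flagged = {}
    for volume, recs in by_volume.items():
        recs.sort()
        in_window = defaultdict(int)  # path -> occurrences currently inside the sliding window
        start = 0
        for ts, path in recs:
            in_window[path] += 1
            while ts - recs[start][0] > window:   # drop records that fell out of the window
                old_path = recs[start][1]
                in_window[old_path] -= 1
                if in_window[old_path] == 0:
                    del in_window[old_path]
                start += 1
            if len(in_window) >= min_files:
                flagged[volume] = len(in_window)
                break
    return flagged


def demo():
    """Constructed scenario: a tiny 'USB volume' in a temp dir plus synthetic log events."""
    root = tempfile.mkdtemp()
    paths = [os.path.join(root, f"doc{i}.txt") for i in range(3)]
    for p in paths:
        with open(p, "w") as f:
            f.write("original contents\n")
    baseline = snapshot_volume(root)

    os.chmod(paths[0], 0o644)                  # attribute-only change, like the sweep the post describes
    with open(paths[1], "a") as f:             # genuine data appended to an existing file
        f.write("appended by user\n")
    new_path = os.path.join(root, "copied.txt")
    with open(new_path, "w") as f:             # a file copied onto the device
        f.write("payload\n")

    verdicts = {
        "chmod": classify_filewrite(paths[0], baseline),
        "append": classify_filewrite(paths[1], baseline),
        "copy": classify_filewrite(new_path, baseline),
    }

    # Constructed log events: 1,500 files touched within 1.5 s on E: (attribute sweep)
    # versus three spreadsheets saved minutes apart on F: (human activity).
    t0 = datetime(2014, 1, 1, 9, 0, 0)
    sweep = [(t0 + timedelta(milliseconds=i), "E:", f"E:\\archive\\f{i}.dat") for i in range(1500)]
    manual = [(t0 + timedelta(minutes=i), "F:", f"F:\\report{i}.xlsx") for i in range(3)]
    return verdicts, find_sweeps(sweep + manual)


if __name__ == "__main__":
    print(demo())
```

Only the `content_write` and `new_file` verdicts would be forwarded as FileWrite events under this scheme; `attribute_only` can be dropped at the agent or downgraded to a low-severity count. The burst detector is a second, independent line of defence for the case where the agent cannot hash (removable media pulled before the check runs, or very large files): a single volume hitting the threshold in one window is a strong hint that an automated process, not a user, produced the events, and the alert should say so rather than reporting thousands of copies.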