Hello,

In the Data Control Event Viewer in SEC, there is a column for the size of the file so the data is in the database along with the other values you can see, i.e. the known user, file type, computer, rule, time, filename, path and destination type.

It would therefore be feasible (with the data control events you require to monitor reported to SEC) to write a script (simple VBS or PowerShell, whatever you're most familiar with) that queries the 'core' Sophos database, say every 5 minutes, and emails one or more addresses if a new item was found matching the criteria required. This would provide almost real-time alerts of new copies you're interested in by size.



The values you need, including "Filesize" are exposed by the Sophos Reporting Interface (SRI) - https://www.sophos.com/en-us/medialibrary/PDFs/documentation/sec_52_sriugeng.pdf so it shouldn't change under you.



select * from [Sophos Reporting Interface].VEventsDataControlData

Will give you a starter as to what is available in your database and you can see filesize.



It would also be possible, and to some degree easier (the previous method would need to persist in some way the alerts already alerted to), to email a daily report of all files larger than x size moved to a removable storage device, by which user, on which device, for which rule etc. The script could just run as a scheduled task, and as the query would just be all events in the last 24 hours, for example, you wouldn't need to worry about keeping track of those alerted to.



I would probably use CDO to send an email with a generated HTML file (table of required data) attached as a report.

Hope it helps.



Regards,

Jak
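
The polling approach described in the post above, as an added PowerShell example that is not part of the original post and not Sophos code: it keeps a timestamp high-water mark so events already mailed are not repeated, and scheduled once a day it doubles as the daily report. The connection string, the `EventTime` column name, the byte unit of `Filesize`, the state-file path and the mail settings are assumptions or placeholders, and it uses `Send-MailMessage` with an HTML body rather than CDO with an attachment.

```powershell
# Added example, not Sophos code. Values marked ASSUMED or placeholder must be adapted.
$ErrorActionPreference = 'Stop'
$ConnStr   = 'Server=<sql-instance>;Database=<core-db-name>;Integrated Security=SSPI'  # placeholders
$View      = '[Sophos Reporting Interface].VEventsDataControlData'   # from the post
$SizeCol   = 'Filesize'     # named in the post; unit ASSUMED to be bytes
$TimeCol   = 'EventTime'    # ASSUMED column name; confirm with the select * query
$MinSize   = 50MB           # constructed threshold
$StateFile = 'C:\ProgramData\DcAlert\last-seen.txt'                   # hypothetical path
$Mail      = @{ SmtpServer = 'smtp.example.invalid'                   # placeholders
                From = 'sec-alerts@example.invalid'; To = 'soc@example.invalid' }

# High-water mark: time of the newest event already mailed. First run looks
# back 24 hours (use ToUniversalTime() if the database stores UTC).
$since = (Get-Date).AddHours(-24)
if (Test-Path $StateFile) {
    $since = [datetime]::Parse((Get-Content $StateFile -Raw).Trim(),
        [cultureinfo]::InvariantCulture, [Globalization.DateTimeStyles]::RoundtripKind)
}

# Column names cannot be bound as parameters, so they come only from the
# constants above; the threshold and timestamp are bound values.
$conn = New-Object System.Data.SqlClient.SqlConnection $ConnStr
$cmd  = $conn.CreateCommand()
$cmd.CommandText = "SELECT * FROM $View WHERE [$SizeCol] >= @minSize " +
                   "AND [$TimeCol] > @since ORDER BY [$TimeCol]"
[void]$cmd.Parameters.AddWithValue('@minSize', [long]$MinSize)
[void]$cmd.Parameters.AddWithValue('@since', $since)
$table = New-Object System.Data.DataTable
try {
    $conn.Open()
    $table.Load($cmd.ExecuteReader())
} finally {
    $conn.Dispose()
}

if ($table.Rows.Count -gt 0) {
    $cols = $table.Columns | ForEach-Object { $_.ColumnName }
    $html = $table.Rows | Select-Object $cols |
        ConvertTo-Html -Title 'Large data control events' | Out-String
    Send-MailMessage @Mail -BodyAsHtml -Body $html `
        -Subject "$($table.Rows.Count) data control event(s) at or above $MinSize bytes"
    # Advance the mark only after the mail went out, so a failed send is retried.
    $newest = [datetime]$table.Rows[$table.Rows.Count - 1][$TimeCol]
    New-Item -ItemType Directory -Force (Split-Path $StateFile) | Out-Null
    Set-Content -Path $StateFile -Value $newest.ToString('o')
}
```

Run it from a scheduled task under an account that has read access to the reporting views; that account should not need any other rights on the database.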