Hi all,

a while back we had one staff member download and copy to USB 100s of files that were in our company sharepoint on the weekend before he left. In this instance it was pretty obvious it was malicious as it was outside of work hours, the weekend before he left and a bulk download.

However I know some people will also go to a sync'd sharepoint in explorer and 'make it available offline' in case they are onsite somewhere and have to work on documents when tehy don't have a fast or reliable internet connection.

Just wondering, what are some strategies or things to look for in purview (or any 365 apps) that can help spot if someone is trying to steal company data on the laptop to either copy to a USB or upload to their own google drive / personal onedrive?

for context, most of the staff laptops are enrolled in intune and have basic conditional access policies.