Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

CSA 5.2: Logging removable media

We are currently using CSA 5.2 and I'm trying to figure out a way to log whenever a user attempts to use removable media on the network. Specifically, USB flash drives. I know there is already a data theft prevention module that protects sensitive data and applications, but I'm trying to log any and all access, even if they just plug the drive in and do nothing with it. Is this even possible? If not, is it possible with newer versions?

Thank you,



Re: CSA 5.2: Logging removable media

Create a file set called USB







Create a File Access Control rule and set it to monitor this file set and you should see all USB drives plugged in to your hosts.


Community Member

Re: CSA 5.2: Logging removable media

Thanks Tom,

I'm pretty sure I tried something similar before, but I tried it exactly as you've shown here and I still get nothing. I tried plugging a usb drive into a pc while logged in as a regular user and CSA still didn't pick anything up. I've attached a screenshot of the rule as I created it. What I was unsure of was what I should set the enforcement action as and what to set the Application Class as:

In this case I've set the Application Class as "All Applications" and "Applications on Removable Media" . In both cases, I couldn't get CSA to detect anything for USB drives.

Thanks again,



Re: CSA 5.2: Logging removable media

It would need to be and the fileset would need to be as I described it.

It is working for me on 5.2.262.

Here are screenshots of my rule and fileset.

Community Member

Re: CSA 5.2: Logging removable media

I set mine up exactly as your screenshots show. Still nothing. I'm using 5.2.203. I think it may be that I need to update our version.


Re: CSA 5.2: Logging removable media

Well, I can't explain it.

You can check the release notes to see if something like that was fixed in later versions.

You may also have something else stepping on it.

CreatePlease to create content