We are currently using CSA 5.2 and I'm trying to figure out a way to log whenever a user attempts to use removable media on the network. Specifically, USB flash drives. I know there is already a data theft prevention module that protects sensitive data and applications, but I'm trying to log any and all access, even if they just plug the drive in and do nothing with it. Is this even possible? If not, is it possible with newer versions?
I'm pretty sure I tried something similar before, but I tried it exactly as you've shown here and I still get nothing. I tried plugging a USB drive into a PC while logged in as a regular user and CSA still didn't pick anything up. I've attached a screenshot of the rule as I created it. What I was unsure of was what I should set the enforcement action as and what to set the Application Class as:
In this case I've set the Application Class as "All Applications" and "Applications on Removable Media". In both cases, I couldn't get CSA to detect anything for USB drives.