UEBA Install: NetWitness UEBA Standalone Installation Windows Audit Policy

Document created by RSA Information Design and Development Employee on Apr 11, 2019. Last modified by RSA Information Design and Development Employee on Dec 20, 2019.
Version 5

In order to achieve the maximum benefit from RSA NetWitness UEBA, RSA recommends that you implement the Windows audit policies described here.

For a base set of policies to audit, refer to the "Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Audit Settings Recommendations" section of this article from Microsoft: Audit Policy Recommendations.

The policies under "Stronger Recommendation" are required, as well as the following policies, to ensure that all of the required Authentication and Active Directory events are audited:

  • Audit Detailed File Share
  • Audit File Share
  • Audit File System

RSA recommends that you enable auditing for both successes and failures.
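One way to check and enable the three additional subcategories for success and failure on a single server, as an added example that is not part of the RSA documentation. It assumes an elevated PowerShell session and English-language `auditpol` output (subcategory names and setting strings are localized).

```powershell
# Added example: verify and enable the three subcategories listed above.
# Assumption: English subcategory names and "Inclusion Setting" values.
$required = 'Detailed File Share', 'File Share', 'File System'
$wanted   = 'Success and Failure'

function Get-AuditSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # /r makes auditpol emit CSV; drop blank lines before parsing.
    $csv = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_.Trim() }
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /get failed for '$Subcategory' (is the session elevated?)"
    }
    ($csv | ConvertFrom-Csv).'Inclusion Setting'
}

$report = foreach ($name in $required) {
    $before = Get-AuditSetting -Subcategory $name
    if ($before -ne $wanted) {
        # Enable both success and failure auditing for this subcategory.
        auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$name'" }
    }
    # Re-read the effective setting so the report shows what is actually applied.
    $after = Get-AuditSetting -Subcategory $name
    [pscustomobject]@{
        Subcategory = $name
        Before      = $before
        After       = $after
        Compliant   = ($after -eq $wanted)
    }
}

$report | Format-Table -AutoSize

# Fail loudly if any subcategory is still not audited for success and failure.
if ($report.Compliant -contains $false) {
    throw 'One or more subcategories are not set to Success and Failure.'
}
```

On domain-joined servers, a Group Policy that defines these subcategories overrides settings made locally with `auditpol`, so make the change in the GPO as well. Audit File System only generates events for files and folders that carry an auditing entry (SACL).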

The following Windows events must be audited:

For the Authentication models:


For the AD models:

4754, 4755, 4756, 4757, 4758, 4764, 4767, 4794

For File Access Models:

