
UEBA Configuration: Overview

Document created by RSA Information Design and Development Employee on Oct 14, 2020. Last modified by RSA Information Design and Development Employee on Oct 15, 2020.
Version 2

RSA NetWitness UEBA (User and Entity Behavior Analytics) runs behavioral analytics over data collected from NetWitness logs and network sources. This page lists, per UEBA schema, the supported sources, the NetWitness Platform version in which each source was introduced, and the meta values or event IDs that identify the events UEBA consumes.

Note: Mixed mode is not supported for UEBA in NetWitness Platform. The NetWitness Server and UEBA must be installed and configured on the same NetWitness Platform version.

UEBA Supported Sources by Schema

Authentication Schema

  • Windows Logon and Authentication Activity in Version 11.2 - Supported Event IDs (device.type=winevent_snare|winevent_nic)
    Authentication Models: 4624, 4625, 4769, 4628
  • RSA SecurID Token in Version 11.3.1 - device.type = 'rsaacesrv' ec.activity = 'Logon'
  • RedHat Linux in Version 11.3.1 - device.type = 'rhlinux'
  • Windows Remote Management in Version 11.3.2 - Supported Event IDs: 4624, 4625, 4769, 4648 (device.type=windows)
  • VPN Logs in Version 11.5 - event.type = 'vpn' ec.activity = 'logon'
  • Azure AD Logs in Version 11.5 - device.type = 'microsoft_azure_signin_events'

File Schema

  • Windows File Servers in Version 11.2 - Supported Event IDs (device.type=winevent_snare|winevent_nic)
    File Access Models: 4660, 4663, 4670, 5145
  • device.type=windows in Version 11.3.1

Active Directory Schema

  • Windows Active Directory in Version 11.2 - Supported Event IDs (device.type=winevent_snare|winevent_nic)
    AD Models: 4670, 4717, 4720, 4722, 4723, 4724, 4725, 4726,
    4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734,
    4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743,
    4754, 4755, 4756, 4757, 4758, 4764, 4767, 4794,
    5136, 5376, 5377
  • device.type=windows in Version 11.3.1

Endpoint Process Schema

  • Endpoint Process in Version 11.3 - Category = 'Process Event'

Endpoint Registry Schema

  • Endpoint Registry in Version 11.3 - Category = 'Registry Event'

Packet Schema

  • TLS in Version 11.4 - Service 443 (direction='outbound')

Note: The TLS Packet requires adding the hunting package and enabling the JA3 features as described in Add required features for UEBA Packets Schema.
