UEBA: Appendix: NetWitness UEBA Windows Audit Policy

Document created by RSA Information Design and Development Employee on Nov 11, 2020
Version 1

To achieve maximum benefit from RSA NetWitness UEBA, RSA recommends that you implement the Windows audit policies described here.

For a base set of policies to audit, see the "Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Audit Settings Recommendations" section of this article from Microsoft: Audit Policy Recommendations.

The policies under "Stronger Recommendation" are required, as are the following policies, to ensure that all of the required Authentication and Active Directory events are audited:

  • Audit Detailed File Share
  • Audit File Share
  • Audit File System

RSA recommends that you enable auditing for both successes and failures.
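
One way to check these three subcategories on a host, as an added example that is not part of the RSA documentation. It assumes an elevated PowerShell session and English-language auditpol output; the variable names are illustrative.

```powershell
# Added example: verify that the three subcategories listed above audit
# both success and failure on the local host. Run from an elevated session.
# Assumption: English-language Windows, so subcategory names match as written.
$required = 'Detailed File Share', 'File Share', 'File System'

# "auditpol /get /category:* /r" prints the current system audit policy as CSV
# with the columns Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting. Blank lines are dropped before parsing.
$raw = auditpol /get /category:* /r
if ($LASTEXITCODE -ne 0) {
    throw "auditpol failed (exit code $LASTEXITCODE); is the session elevated?"
}
$policy = $raw | Where-Object { $_.Trim() } | ConvertFrom-Csv

# Build one report row per required subcategory.
$report = foreach ($name in $required) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    [pscustomobject]@{
        Subcategory = $name
        Setting     = $setting
        Compliant   = ($setting -eq 'Success and Failure')
    }
}

$report | Format-Table -AutoSize

# Exit non-zero so the check can gate a deployment or compliance job.
$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} subcategory(ies) do not audit both success and failure: {1}" -f $gaps.Count, ($gaps.Subcategory -join ', '))
    exit 1
}
```

Audit File System generates events only for objects that have a SACL configured, so a compliant subcategory setting does not by itself produce 4663 events.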

The following Windows events must be audited:

                  
Authentication Models
4624, 4625, 4769, 4628

AD Models
4670, 4717, 4720, 4722, 4723, 4724, 4725, 4726,
4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734,
4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743,
4754, 4755, 4756, 4757, 4758, 4764, 4767, 4794,
5136, 5376, 5377

File Access Models
4660, 4663, 4670, 5145