
UEBA Configuration: Overview

Document created by RSA Information Design and Development Employee on Nov 11, 2020. Last modified by RSA Information Design and Development Employee on Jan 6, 2021.
Version 4

RSA NetWitness UEBA configuration is designed for analysts to perform UEBA analytics on data collected from NetWitness logs and networks.

Note: Mixed mode is not supported for UEBA in NetWitness Platform. The NetWitness server and UEBA must be installed and configured on the same NetWitness Platform version.

UEBA Supported Sources by Schema

Authentication Schema

  • Windows Logon and Authentication Activity in Version 11.2
    Supported Event IDs (device.type=winevent_snare|winevent_nic)
    Authentication Models


  • Windows Remote Management in Version 11.3.2
    Supported Event IDs (device.type=windows)
    Remote Management


  • RSA SecurID Token in Version 11.3.1 - device.type = 'rsaacesrv' ec.activity = 'Logon'
  • RedHat Linux in Version 11.3.1 - device.type = 'rhlinux'
  • VPN Logs in Version 11.5 - event.type = 'vpn' ec.activity = 'logon'
  • Azure AD Logs in Version - device.type = 'azure' or 'azuremonitor' category = 'SignInLogs'

File Schema

  • Windows File Servers in Version 11.2
    Supported Event IDs (device.type=winevent_snare|winevent_nic)
    File Access Models
  • device.type=windows in Version 11.3.1

Active Directory Schema

  • Windows Active Directory in Version 11.2
    Supported Event IDs (device.type=winevent_snare|winevent_nic)

    AD Models

    4754, 4755, 4756, 4757, 4758, 4764, 4767, 4794
  • device.type=windows in Version 11.3.1

Endpoint Process Schema

  • Endpoint Process in Version 11.3 - Category = 'Process Event'

Endpoint Registry Schema

  • Endpoint Registry in Version 11.3 - Category = 'Registry Event'

Packet Schema

  • TLS in Version 11.4 - Service 443 (direction='outbound')

Note: The TLS Packet requires adding the hunting package and enabling the JA3 features as described in Add required features for UEBA Packets Schema.
