To get the maximum benefit from RSA NetWitness UEBA, RSA recommends that you implement the Windows audit policies described here.
For a base set of policies to audit, refer to the "Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Audit Settings Recommendations" section of this article from Microsoft: Audit Policy Recommendations.
Both the policies under "Stronger Recommendation" and the following policies are required to ensure that all of the required Authentication and Active Directory events are audited:
- Audit Detailed File Share
- Audit File Share
- Audit File System
RSA recommends that you enable auditing for both success and failure.
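The following check is an added example, not part of the RSA documentation: it reads the three file-auditing subcategories listed above with `auditpol` and reports whether each is set to success and failure, optionally correcting it. The function names `Get-AuditSetting` and `Test-UebaFileAuditing` are hypothetical, and the subcategory names assume an English-language Windows installation.

```powershell
# Added example (not RSA's code): run in an elevated PowerShell session on the
# audited Windows host. Subcategory names are the English auditpol names
# (assumption: localized systems use translated names).
$Required = @('Detailed File Share', 'File Share', 'File System')
$Wanted   = 'Success and Failure'

function Get-AuditSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $csv = auditpol.exe /get /subcategory:"$Subcategory" /r 2>$null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed for '$Subcategory' (session not elevated?)"
    }
    # Drop blank lines before parsing, then take the single data row
    $row = $csv | Where-Object { $_ } | ConvertFrom-Csv | Select-Object -First 1
    return $row.'Inclusion Setting'
}

function Test-UebaFileAuditing {
    param([switch]$Fix)   # -Fix enables success and failure where missing
    foreach ($name in $Required) {
        $current = Get-AuditSetting -Subcategory $name
        if ($current -ne $Wanted -and $Fix) {
            auditpol.exe /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
            $current = Get-AuditSetting -Subcategory $name   # re-read to confirm
        }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $current
            Compliant   = ($current -eq $Wanted)
        }
    }
}

# Report only; use Test-UebaFileAuditing -Fix to change the local policy
Test-UebaFileAuditing | Format-Table -AutoSize
```

Settings applied locally with `auditpol /set` are overwritten when a domain Group Policy object configures the same subcategories, so on domain-joined hosts make the change in the GPO and use this script only to verify the result. Audit File System events are generated only for objects that also carry an auditing entry (SACL).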
The following Windows events must be audited:
For the Authentication models:
For the AD models:
For the File Access models: