UEBA: Appendix: NetWitness UEBA Windows Audit Policy

Document created by RSA Information Design and Development on Sep 11, 2018
Version 1

To get the maximum benefit from RSA NetWitness UEBA, RSA recommends that you implement the Windows audit policies described here.

For a base set of policies to audit, refer to the "Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Audit Settings Recommendations" section of this article from Microsoft: Audit Policy Recommendations.

The policies under "Stronger Recommendation" are required, as well as the following policies, to ensure that all of the required Authentication and Active Directory events are audited:

  • Audit Detailed File Share
  • Audit File Share
  • Audit File System

RSA recommends that you enable auditing for both success and failure.
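To confirm that the three subcategories listed above are in effect on a host, the following added example (not part of the RSA document) parses the CSV report produced by `auditpol /get /category:* /r` and lists any of them not set to Success and Failure. The sample report, host name and GUID placeholders are constructed, and the subcategory names assume an English-language Windows installation.

```python
import csv
import io

# The three subcategories this page names; RSA recommends success and failure.
REQUIRED = ("Detailed File Share", "File Share", "File System")
WANTED = "Success and Failure"

# Constructed sample of `auditpol /get /category:* /r` output (host name and
# GUID placeholders are made up; real reports carry the subcategory GUIDs).
SAMPLE_REPORT = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting

FS01,System,Logon,{GUID-PLACEHOLDER},Success and Failure,
FS01,System,File System,{GUID-PLACEHOLDER},Success and Failure,
FS01,System,File Share,{GUID-PLACEHOLDER},Success,
"""


def audit_gaps(report_csv):
    """Map each required subcategory that is not fully audited to its setting."""
    seen = {}
    for row in csv.DictReader(io.StringIO(report_csv.strip())):
        name = (row.get("Subcategory") or "").strip()
        if name:
            seen[name] = (row.get("Inclusion Setting") or "").strip()
    return {name: seen.get(name, "not in report")
            for name in REQUIRED
            if seen.get(name) != WANTED}


def remediation_commands(gaps):
    """Build the local auditpol command for each gap (domain GPO may override)."""
    return ['auditpol /set /subcategory:"%s" /success:enable /failure:enable' % name
            for name in gaps]


if __name__ == "__main__":
    gaps = audit_gaps(SAMPLE_REPORT)
    for name, setting in gaps.items():
        print("%-20s %s" % (name, setting))
    for cmd in remediation_commands(gaps):
        print(cmd)
```

A subcategory reported as "not in report" usually means the export was filtered or truncated, so re-run the export before treating it as disabled.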

The following Windows events must be audited:

For the Authentication models:

           
4624  4625  4769

For the AD models:

                                                             
4670  4717  4720  4722  4723  4724  4725  4726
4727  4728  4729  4730  4731  4732  4733  4734
4735  4737  4738  4739  4740  4741  4742  4743
4754  4755  4756  4757  4758  4764  4767  4794
5136  5376  5377

For File Access Models:

             
4660  4663  4670  5145