Appendix: NetWitness UEBA Windows Audit Policy

To achieve maximum benefit from RSA NetWitness UEBA, RSA recommends that you implement the Windows audit policies described here.

For a base set of policies to audit, see the "Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Audit Settings Recommendations" section of this article from Microsoft: Audit Policy Recommendations.

The policies under "Stronger Recommendation" are required, and the following policies, to ensure that all of the required Authentication and Active Directory events are audited:

  • Audit Detailed File Share
  • Audit File Share
  • Audit File System

RSA recommends that you enable auditing for both success and failures.

The following Windows events must be audited:

For the Authentication models:

4624 4625 4769

4628

For the AD models:

4670 4717 4720 4722 4723 4724 4725 4726
4727 4728 4729 4730 4731 4732 4733 4734
4735 4737 4738 4739 4740 4741 4742 4743
4754 4755 4756 4757 4758 4764 4767 4794
5136 5376 5377

For File Access Models:

4660 4663 4670 5145