Appendix: NetWitness UEBA Windows Audit Policy
To achieve maximum benefit from NetWitness UEBA, NetWitness recommends that you implement the Windows audit policies described here.
For a base set of policies to audit, see the "Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Audit Settings Recommendations" section of the Microsoft article Audit Policy Recommendations.
The policies listed under "Stronger Recommendation" in that article are required. In addition, enable the following Object Access policies, so that all of the required Authentication, Active Directory, and File Access events listed below are audited:
- Audit Detailed File Share
- Audit File Share
- Audit File System
NetWitness recommends that you enable auditing for both successes and failures.
The following Windows events must be audited:
- For the Authentication models: 4624, 4625, 4769, 4628
- For the AD models: 4670, 4717, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4767, 4794, 5136, 5376, 5377
- For the File Access models: 4660, 4663, 4670, 5145
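The following PowerShell is an added example and is not part of the NetWitness documentation. It enables the three Object Access subcategories named above for success and failure, reads back the effective policy with `auditpol /get /r`, and then checks the Security log for the event IDs listed in this appendix so you can see which ones are actually arriving before pointing the collector at the host. It assumes an elevated session on an English-language Windows host (the subcategory names are the ones `auditpol` expects there) and that the Security log already covers the period being checked; the grouping of IDs per model is taken from the lists above.

```powershell
# Added example (not NetWitness code): enable the appendix's three Object Access
# subcategories, verify the effective audit policy, and confirm the required
# event IDs are being logged. Run in an elevated PowerShell session.

$subcategories = @('Detailed File Share', 'File Share', 'File System')

foreach ($sc in $subcategories) {
    # auditpol is the per-subcategory interface; the legacy category-level
    # settings in secpol.msc are too coarse for these recommendations.
    auditpol /set /subcategory:"$sc" /success:enable /failure:enable | Out-Null
}

# Read back what is actually in effect. /r emits CSV; on a domain member a GPO
# (Advanced Audit Policy Configuration) can override the local settings above.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv
$notBoth = $effective | Where-Object {
    $subcategories -contains $_.Subcategory -and $_.'Inclusion Setting' -ne 'Success and Failure'
}
if ($notBoth) {
    Write-Warning 'Subcategories not auditing Success and Failure (check for an overriding GPO):'
    $notBoth | Format-Table Subcategory, 'Inclusion Setting' -AutoSize
}

# Event IDs this appendix requires, grouped per UEBA model (from the lists above).
$required = [ordered]@{
    Authentication  = 4624, 4625, 4769, 4628
    ActiveDirectory = 4670, 4717, 4720, 4722, 4723, 4724, 4725, 4726,
                      4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734,
                      4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743,
                      4754, 4755, 4756, 4757, 4758, 4764, 4767, 4794,
                      5136, 5376, 5377
    FileAccess      = 4660, 4663, 4670, 5145
}

function Get-SeenEventIds {
    param([int[]]$Ids, [datetime]$StartTime)
    # Get-WinEvent turns the hashtable into an XPath query, and very long Id
    # lists make that query invalid, so query in batches of 20.
    $seen = @()
    for ($i = 0; $i -lt $Ids.Count; $i += 20) {
        $batch = $Ids[$i..([Math]::Min($i + 19, $Ids.Count - 1))]
        $seen += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $batch; StartTime = $StartTime } `
                     -ErrorAction SilentlyContinue |   # no matches is not an error here
                 Select-Object -ExpandProperty Id -Unique
    }
    $seen | Sort-Object -Unique
}

# Report which required IDs have been seen in the last 24 hours. An ID that never
# appears is not necessarily a policy problem: 4660/4663/4670 are only generated
# for objects that carry a SACL, and AD IDs only appear on domain controllers.
$since = (Get-Date).AddHours(-24)
foreach ($model in $required.Keys) {
    $ids     = [int[]]$required[$model]
    $seen    = Get-SeenEventIds -Ids $ids -StartTime $since
    $missing = $ids | Where-Object { $seen -notcontains $_ }
    '{0}: {1} of {2} required IDs seen since {3}; not seen: {4}' -f $model,
        ($ids.Count - @($missing).Count), $ids.Count, $since, ($missing -join ', ')
}
```

For a domain-wide rollout, put the same subcategories into a GPO under Advanced Audit Policy Configuration and enable "Audit: Force audit policy subcategory settings to override audit policy category settings"; otherwise the local `auditpol` changes above can be silently replaced at the next policy refresh, which is exactly what the `auditpol /get /r` check is there to catch.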