Introduction

NetWitness® UEBA configuration is designed for analysts to perform analytics for leveraged data collected from netwitness logs and networks to perform UEBA analytics.

Note: Mixed mode is not supported for UEBA in NetWitness Platform. The NetWitness server, and UEBA must all be installed and configured on the same NetWitness Platform version.

UEBA Supported Sources by Schema

Authentication Schema 

  • Windows Logon and Authentication Activity in Version 11.2 - Supported Event IDs: 4624, 4625, 4769, 4648 (device.type=winevent_snare|winevent_nic)
  • RSASecurID Token in Version 11.3.1 - device.type = 'rsaacesrv' ec.activity = 'Logon'
  • RedHat Linux in Version 11.3.1- device.type = 'rhlinux'
  • Windows Remote Management in Version 11.3.2 - Supported Event IDs: 4624,4625,4769,4648 (device.type=windows)
  • VPN Logs and in Version 11.5 - event.type = 'vpn' ec.activity = 'logon'

Note: NetWitness has tested and verified the functionality of Juniper VPN under the Authentication schema of UEBA. For any VPN to be considered under the Authentication module, the following metadata must be present in the respective VPN vendor’s logs:
(event.type = 'vpn' && country.src exists && user.src exists && ec.activity = 'logon')

  • Azure AD Logs in Version 11.5 - device.type = 'microsoft_azure_signin_events'

Note: Make sure you have configured the Azure Monitor plugin in your deployment. This enables UEBA to run a query for Azure AD log events for monitoring purposes in the correct format. For more information on how to configure the Azure Monitor plugin, see the Azure Monitor Event Source Configuration Guide.

File Schema

  • Windows File Servers in Version 11.2 - Supported Event IDs: 4663,4660,4670,5145 (device.type=winevent_snare|winevent_nic)
  • device.type=windows in Version 11.3.1

Active Directory Schema 

  • Windows Active Directory in Version 11.2 - Supported Event IDs: 4741,4742,4733,4734,4740,4794,5376,5377,5136,4764,4743,4739,4727,4728,4754,4756,4757,4758,4720,4722,4723,4724,4725,4726,4738,4767,4717,4729,4730,4731,4732 (device.type=winevent_snare|winevent_nic)
  • device.type=windows in Version 11.3.1

Endpoint Process Schema 

  • Endpoint Process in Version 11.3 - Category = 'Process Event'

Endpoint Registry Schema

  • Endpoint Registry in Version 11.3 - Category = 'Registry Event'

Packet Schema 

  • TLS in Version 11.4 - Service 443 (direction='outbound')

Note: The TLS Packet requires adding the hunting package and enabling the JA3 features as described in Add required features for UEBA Packets Schema.