Introduction

NetWitness® UEBA applies user and entity behavior analytics to the log and network data that the NetWitness Platform already collects. This guide covers its configuration and lists the data sources each analytic schema accepts.

Note: Mixed mode is not supported for UEBA in NetWitness Platform. The NetWitness Server and UEBA must be installed and configured on the same NetWitness Platform version.

UEBA Supported Sources by Schema

Note: Deploy the latest parsers from NetWitness Live so that every model and VPN device listed below is supported; older parsers may not populate the metadata the schemas depend on.

Authentication Schema 

  • Windows Logon and Authentication Activity - Supported Event IDs: 4624, 4625, 4769, 4648 (device.type=winevent_snare|winevent_nic)
  • RSA SecurID Token - device.type = 'rsaacesrv' && ec.activity = 'Logon'
  • RedHat Linux - device.type = 'rhlinux'
  • Windows Remote Management - Supported Event IDs: 4624, 4625, 4769, 4648 (device.type=windows)
  • VPN Logs - event.type = 'vpn' && ec.activity = 'logon'

Note: NetWitness has tested and verified the functionality of Juniper, Citrix NetScaler, Palo Alto Networks, Cisco Adaptive Security Appliance (ASA) and Fortinet VPNs under the Authentication schema of UEBA. For any VPN to be considered by the Authentication module, the respective VPN vendor's parsed logs must carry all of the following metadata; a VPN logon event that lacks any one of them (for example, no country.src because the source address was not geolocated) is not consumed by UEBA:
(event.type = 'vpn' && country.src exists && user.dst exists && ec.activity = 'logon')

  • Azure AD Logs - device.type = 'microsoft_azure_signin_events'

Note: Make sure you have configured the Azure Monitor plugin in your deployment. The plugin delivers Azure AD sign-in events in the format that the UEBA query expects. For more information on how to configure the Azure Monitor plugin, see the Azure Monitor Event Source Configuration Guide.

File Schema

  • Windows File Servers - Supported Event IDs: 4663, 4660, 4670, 5145 (device.type=winevent_snare|winevent_nic)
  • Windows Remote Management - the same Event IDs (device.type=windows)

Active Directory Schema 

  • Windows Active Directory - Supported Event IDs: 4741, 4742, 4733, 4734, 4740, 4794, 5376, 5377, 5136, 4764, 4743, 4739, 4727, 4728, 4754, 4756, 4757, 4758, 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4767, 4717, 4729, 4730, 4731, 4732 (device.type=winevent_snare|winevent_nic)
  • Windows Remote Management - the same Event IDs (device.type=windows)

Endpoint Process Schema 

  • Endpoint Process - Category = 'Process Event'

Endpoint Registry Schema

  • Endpoint Registry - Category = 'Registry Event'

Packet Schema 

  • TLS - service = 443 (direction = 'outbound')

Note: The TLS Packet requires adding the hunting package and enabling the JA3 features as described in Add required features for UEBA Packets Schema.
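Before pointing UEBA at a data source it is worth checking, offline, which schema a sample of your parsed meta actually qualifies for, and in particular whether your VPN logons carry the four required meta keys from the Authentication note above. The script below is an added example written for this page, not NetWitness product code: it encodes the schema rules listed above as data, classifies constructed meta records, and reports VPN logons that UEBA would ignore. It assumes each record is a dict keyed by NetWitness meta key name; the key names 'reference.id' (Windows Event ID) and 'category' (endpoint event category) are assumptions, as are the sample records themselves.

```python
# Added example (not NetWitness product code): classify NetWitness meta records
# into the UEBA schemas listed on this page, and report VPN logon records that
# lack the meta the Authentication module requires.
#
# Assumptions not stated on the page: each record is a dict keyed by NetWitness
# meta key; the Windows Event ID is carried in 'reference.id' and the endpoint
# event category in 'category'. All sample records below are constructed.

WINEVENT_TYPES = {"winevent_snare", "winevent_nic", "windows"}

AUTH_WIN_IDS = {"4624", "4625", "4769", "4648"}
FILE_WIN_IDS = {"4663", "4660", "4670", "5145"}
AD_WIN_IDS = {
    "4741", "4742", "4733", "4734", "4740", "4794", "5376", "5377", "5136",
    "4764", "4743", "4739", "4727", "4728", "4754", "4756", "4757", "4758",
    "4720", "4722", "4723", "4724", "4725", "4726", "4738", "4767", "4717",
    "4729", "4730", "4731", "4732",
}


def is_logon(rec):
    # The page lists both 'Logon' (RSA SecurID) and 'logon' (VPN); compare case-insensitively.
    return str(rec.get("ec.activity", "")).lower() == "logon"


def missing_vpn_meta(rec):
    """For a VPN logon record, return the required meta keys it lacks.

    Returns an empty list if the record is complete, or if it is not a VPN logon at all
    (a VPN logoff, for instance, is simply out of scope rather than misconfigured).
    """
    if rec.get("event.type") != "vpn" or not is_logon(rec):
        return []
    return [k for k in ("country.src", "user.dst") if not rec.get(k)]


def schemas_for(rec):
    """Return the set of UEBA schemas a single meta record qualifies for."""
    out = set()
    dtype = rec.get("device.type")
    event_id = str(rec.get("reference.id", ""))

    # Windows event-based schemas: the same Event IDs apply whether the log arrived via
    # Snare/NIC collection or via Windows Remote Management (device.type=windows).
    if dtype in WINEVENT_TYPES:
        if event_id in AUTH_WIN_IDS:
            out.add("Authentication")
        if event_id in FILE_WIN_IDS:
            out.add("File")
        if event_id in AD_WIN_IDS:
            out.add("Active Directory")

    if dtype == "rsaacesrv" and is_logon(rec):
        out.add("Authentication")
    if dtype in ("rhlinux", "microsoft_azure_signin_events"):
        out.add("Authentication")
    # VPN: event.type, ec.activity, country.src and user.dst must all be present.
    if rec.get("event.type") == "vpn" and is_logon(rec) and not missing_vpn_meta(rec):
        out.add("Authentication")

    category = rec.get("category")
    if category == "Process Event":
        out.add("Endpoint Process")
    elif category == "Registry Event":
        out.add("Endpoint Registry")

    if rec.get("service") == 443 and rec.get("direction") == "outbound":
        out.add("Packet")
    return out


def audit(records):
    """Count records per schema and collect VPN logons that UEBA would silently drop."""
    counts = {}
    dropped_vpn = []
    for rec in records:
        for schema in schemas_for(rec):
            counts[schema] = counts.get(schema, 0) + 1
        gap = missing_vpn_meta(rec)
        if gap:
            dropped_vpn.append((rec.get("device.type"), gap))
    return counts, dropped_vpn


# Constructed sample meta records (not captured from a real deployment).
SAMPLE_RECORDS = [
    {"device.type": "winevent_nic", "reference.id": "4624", "user.dst": "alice"},
    {"device.type": "windows", "reference.id": "5145", "user.dst": "alice"},
    {"device.type": "winevent_snare", "reference.id": "4720", "user.dst": "svc-admin"},
    {"device.type": "rsaacesrv", "ec.activity": "Logon", "user.dst": "bob"},
    {"device.type": "ciscoasa", "event.type": "vpn", "ec.activity": "logon",
     "country.src": "US", "user.dst": "carol"},
    # VPN logon parsed without a source country: the Authentication module ignores it.
    {"device.type": "fortinet", "event.type": "vpn", "ec.activity": "logon", "user.dst": "dave"},
    {"category": "Process Event", "filename": "powershell.exe"},
    {"service": 443, "direction": "outbound"},
]

if __name__ == "__main__":
    counts, dropped = audit(SAMPLE_RECORDS)
    print("records per schema:", counts)
    print("VPN logons missing required meta:", dropped)
```

Run it against an export of real meta (for example, a few hundred sessions pulled from a Concentrator for each device.type you intend to feed UEBA) rather than the constructed records; an empty dropped list for your VPN device type is the confirmation you want before enabling the Authentication schema, and a zero count for a schema you expected to see means the parser is not populating the meta the schema keys on.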