Understand Sources Supported by Schema in UEBA Cloud

This topic lists the event sources supported by each schema in UEBA Cloud, together with the metadata conditions (device.type, event.type, ec.activity, Category, Event IDs) that identify each source.

Authentication Schema

  • Windows Logon and Authentication Activity - Supported Event IDs: 4624, 4625, 4769, 4648 (device.type=winevent_snare|winevent_nic)

  • RSA SecurID Token - device.type = 'rsaacesrv' && ec.activity = 'Logon'

  • RedHat Linux - device.type = 'rhlinux'

  • Windows Remote Management - Supported Event IDs: 4624, 4625, 4769, 4648 (device.type=windows)

  • VPN Logs - event.type = 'vpn' && ec.activity = 'logon'

Note

  • Deploy the latest parsers from NetWitness Live to enable support for all VPN devices.
  • To support all VPN devices, ensure that the NetWitness Platform and Cloud Link Sensor versions are 12.4 or later.
  • NetWitness has tested and verified the functionality of Juniper, Citrix NetScaler, Palo Alto Networks, Cisco Adaptive Security Appliance (ASA) and Fortinet VPNs under the Authentication schema of UEBA. For any VPN to be considered under the Authentication module, the following metadata must be present in the respective VPN vendor's logs: (event.type = 'vpn' && country.src exists && user.dst exists && ec.activity = 'logon')

  • Azure AD Logs - device.type = 'microsoft_azure_signin_events'

Note

Make sure the Azure Monitor plugin is configured in your deployment. It allows UEBA to query Azure AD sign-in events in the format the Authentication schema expects. For details on configuring the plugin, see the Azure Monitor Event Source Configuration Guide.

File Schema

  • Windows File Servers - Supported Event IDs: 4663,4660,4670,5145 (device.type=winevent_snare|winevent_nic)

  • Windows File Servers with the same supported Event IDs (device.type=windows)

Active Directory Schema

  • Windows Active Directory - Supported Event IDs: 4670, 4741, 4742, 4733, 4734, 4740, 4794, 5376, 5377, 5136, 4764, 4743, 4739, 4727, 4728, 4754, 4756, 4757, 4758, 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4767, 4717, 4729, 4730, 4731, 4732 (device.type=winevent_snare|winevent_nic)

  • Windows Active Directory with the same supported Event IDs (device.type=windows)

Endpoint Process Schema

  • Endpoint Process - Category='Process Event'

Endpoint Registry Schema

  • Endpoint Registry - Category='Registry Event'
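The conditions above can be turned into a quick pre-ingestion check: given parsed meta for an event, which UEBA schemas would pick it up, and, for a VPN source that is not showing up, which of the required meta keys is absent. The following is an added example for this page, not NetWitness code. It models a meta record as a plain dict of meta key to value and assumes the Windows Event ID is carried in a key named reference.id (an assumption, not stated on this page); the sample records are constructed.

```python
"""Classify parsed meta records against the UEBA Cloud schema conditions listed
on this page.  Added illustration, not NetWitness code.  A meta record is a
plain dict; the Windows Event ID is assumed to live under reference.id."""

# Supported Event IDs per schema, as listed on this page
AUTH_WINDOWS_IDS = {"4624", "4625", "4769", "4648"}
FILE_WINDOWS_IDS = {"4663", "4660", "4670", "5145"}
AD_WINDOWS_IDS = {
    "4670", "4741", "4742", "4733", "4734", "4740", "4794", "5376", "5377",
    "5136", "4764", "4743", "4739", "4727", "4728", "4754", "4756", "4757",
    "4758", "4720", "4722", "4723", "4724", "4725", "4726", "4738", "4767",
    "4717", "4729", "4730", "4731", "4732",
}
# Windows event collection paths named on the page
WINDOWS_DEVICE_TYPES = {"winevent_snare", "winevent_nic", "windows"}


def missing_vpn_meta(meta: dict) -> list:
    """Return the parts of the VPN Authentication-module condition a record fails:
    (event.type = 'vpn' && country.src exists && user.dst exists && ec.activity = 'logon').
    An empty list means the record qualifies."""
    problems = []
    if meta.get("event.type") != "vpn":
        problems.append("event.type != 'vpn'")
    if not meta.get("country.src"):
        problems.append("country.src missing")
    if not meta.get("user.dst"):
        problems.append("user.dst missing")
    if meta.get("ec.activity") != "logon":
        problems.append("ec.activity != 'logon'")
    return problems


def matching_schemas(meta: dict) -> list:
    """Return the UEBA schemas a single meta record qualifies for."""
    schemas = []
    dev = meta.get("device.type")
    event_id = str(meta.get("reference.id", ""))  # assumed key for the Event ID

    # Authentication schema: Windows logon IDs, RSA SecurID, RedHat Linux,
    # Azure AD sign-in events, or a VPN record with the full required meta
    if dev in WINDOWS_DEVICE_TYPES and event_id in AUTH_WINDOWS_IDS:
        schemas.append("Authentication")
    elif dev == "rsaacesrv" and meta.get("ec.activity") == "Logon":
        schemas.append("Authentication")
    elif dev == "rhlinux":
        schemas.append("Authentication")
    elif dev == "microsoft_azure_signin_events":
        schemas.append("Authentication")
    elif not missing_vpn_meta(meta):
        schemas.append("Authentication")

    # File and Active Directory schemas share the Windows device types;
    # 4670 is listed under both, so one record can land in both schemas
    if dev in WINDOWS_DEVICE_TYPES:
        if event_id in FILE_WINDOWS_IDS:
            schemas.append("File")
        if event_id in AD_WINDOWS_IDS:
            schemas.append("Active Directory")

    # Endpoint schemas key off the Category meta
    category = meta.get("Category")
    if category == "Process Event":
        schemas.append("Endpoint Process")
    elif category == "Registry Event":
        schemas.append("Endpoint Registry")
    return schemas


# Constructed sample meta records (not real log data)
SAMPLE_RECORDS = [
    {"device.type": "winevent_nic", "reference.id": "4624", "user.dst": "alice"},
    {"device.type": "winevent_snare", "reference.id": "4670"},
    {"device.type": "rsaacesrv", "ec.activity": "Logon"},
    {"event.type": "vpn", "device.type": "example_vpn_parser",  # placeholder device.type
     "country.src": "US", "user.dst": "bob", "ec.activity": "logon"},
    {"event.type": "vpn", "device.type": "example_vpn_parser",  # no country.src
     "user.dst": "bob", "ec.activity": "logon"},
    {"Category": "Registry Event"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec, "->", matching_schemas(rec) or "no schema",
              "; VPN gaps:", missing_vpn_meta(rec))
```

Running the block shows the fifth record, a VPN logon with no country.src, matching no schema, and missing_vpn_meta names the absent key; that is the check to run when a VPN vendor's logs are parsed but never appear under the Authentication module.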

See also

Identify Top Risky Users