Question

Lots of violated fields in UEBA Dashboard

  • 4 May 2021
  • 1 reply
  • 40 views


I am currently onboarding a logpoint instance on UEBA, and I have completed the entity selection. However, I am seeing a lot of “violated logs” in the UEBA Dashboard. What should I do about this?


1 reply


Hi Sandesh,

This is something the UEBA onboarding usually could help you to understand better. 

But to summarize, all of the logs that are expected to be sent to UEBA should meet the mandatory field constraints, i.e. for a log to be valid to be sent to UEBA, it must have all of the mandatory fields present in the format that is expected. To get more info on this, refer to the Appendix section of the UEBA Manual, which provides you info on this.

Any log that fails to meet these criteria is a “violated log” and won't be forwarded to UEBA, as it runs the risk of offsetting the model by unknown margins. What is recommended now is to make sure all of your UEBA enrichments are working properly and you are using the latest normalizers for the sources.

There could be a minor volume of logs that are still invalid, but these can be ignored if it's a very small number of logs. However, if the volume of invalid logs is still high, it's recommended that you contact the UEBA onboarding team through a support ticket.

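To see which mandatory-field constraint is actually failing before raising a ticket, a small triage script over a sample of normalized events helps. This is an added example, not code from the post or from LogPoint; the field names and value formats in MANDATORY_FIELDS are placeholders (the real list is in the UEBA Manual appendix), and the events are constructed.

```python
import re
from collections import Counter

# Hypothetical mandatory-field constraints: field name -> regex the value must match.
# Placeholders for the example; take the real fields and formats from the UEBA Manual.
MANDATORY_FIELDS = {
    "user": re.compile(r"^[A-Za-z0-9._-]+$"),
    "source_address": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
    "log_ts": re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$"),
    "action": re.compile(r"^(login|logout|access)$"),
}


def violations(event):
    """Return the reasons an event fails the constraints (empty list if valid)."""
    reasons = []
    for field, pattern in MANDATORY_FIELDS.items():
        value = event.get(field)
        if value is None or value == "":
            reasons.append(f"missing:{field}")          # field absent or empty after normalization
        elif not pattern.fullmatch(str(value)):
            reasons.append(f"format:{field}")           # present, but not in the expected format
    return reasons


def triage(events):
    """Count valid vs. violated events and rank the constraints that fail most often."""
    valid = violated = 0
    reason_counts = Counter()
    for ev in events:
        reasons = violations(ev)
        if reasons:
            violated += 1
            reason_counts.update(reasons)
        else:
            valid += 1
    return {"valid": valid, "violated": violated,
            "violation_rate": violated / len(events) if events else 0.0,
            "top_reasons": reason_counts.most_common()}


# Constructed sample of normalized events (not real LogPoint data).
SAMPLE_EVENTS = [
    {"user": "alice", "source_address": "10.0.0.5", "log_ts": "2021-05-04T08:00:00Z", "action": "login"},
    {"user": "bob", "source_address": "10.0.0.6", "log_ts": "2021-05-04T08:01:00Z"},                   # no action
    {"user": "", "source_address": "10.0.0.7", "log_ts": "2021-05-04T08:02:00Z", "action": "login"},   # empty user
    {"user": "carol", "source_address": "10.0.0.8", "log_ts": "04/05/2021 08:03", "action": "logout"},  # wrong timestamp format
    {"source_address": "10.0.0.9", "log_ts": "2021-05-04T08:04:00Z", "action": "access"},              # no user
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A high share of `missing:<field>` for one field points at an enrichment or normalizer gap for that source, while `format:<field>` points at a normalizer emitting the value in an unexpected format.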