I am currently onboarding a Logpoint instance on UEBA, and I have completed the entity selection. However, I am seeing a lot of “violated logs” in the UEBA Dashboard. What should I do about this?
Hi Sandesh,
This is something the UEBA onboarding usually helps you to understand better.
But to summarize, all of the logs that are expected to be sent to UEBA should meet the mandatory field constraints, i.e. for a log to be valid to be sent to UEBA, it must have all of the mandatory fields present in the format that is expected. To get more info on this, refer to the Appendix section of the UEBA Manual, which provides the details.
Any log that fails to meet these criteria is a “violated log” and won't be forwarded to UEBA, as it runs the risk of offsetting the model by unknown margins. What is recommended now is to make sure all of your UEBA enrichments are working properly and that you are using the latest normalizers for the sources.
There could be a minor volume of logs that are still invalid, but these can be ignored if it is a very small number of logs. However, if the volume of invalid logs is still high, it's recommended that you contact the UEBA onboarding team through a support ticket.
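The mandatory-field check described in the answer, as an added example that is not part of the original post and not Logpoint's own code. The actual mandatory fields and their expected formats live in the UEBA Manual appendix; the field names, format predicates, key=value line format and sample log lines below are all assumed placeholders constructed for illustration. The useful part for triage is the histogram of violation reasons: "missing" reasons point at enrichment that is not populating a field, while "bad_format" reasons point at a normalizer emitting the field in the wrong shape.

```python
"""Added example (not from the original post or from Logpoint): a small
validator that mimics the "violated log" check described in the answer.

ASSUMPTION: the mandatory field list and formats below are placeholders.
The real ones are defined in the UEBA Manual appendix.
"""
import re
from typing import Callable, Dict, List, Tuple


def _is_epoch_seconds(v: str) -> bool:
    # Assumed format: a 10-digit Unix timestamp in seconds.
    return v.isdigit() and len(v) == 10


def _is_ipv4(v: str) -> bool:
    parts = v.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


# ASSUMED mandatory fields; each value is a predicate that returns True
# when the field is present in the expected format.
MANDATORY_FIELDS: Dict[str, Callable[[str], bool]] = {
    "log_ts": _is_epoch_seconds,
    "user": lambda v: bool(re.fullmatch(r"[^\s@]+", v)),
    "source_address": _is_ipv4,
    "action": lambda v: v in {"login", "logout", "access", "modify"},
}


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse a flat key=value log line (constructed format for this example)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            k, v = token.split("=", 1)
            fields[k] = v
    return fields


def violations(event: Dict[str, str]) -> List[str]:
    """Return the reasons this event would count as a 'violated log' (empty if valid)."""
    reasons = []
    for name, check in MANDATORY_FIELDS.items():
        if name not in event:
            reasons.append(f"missing:{name}")
        elif not check(event[name]):
            reasons.append(f"bad_format:{name}={event[name]!r}")
    return reasons


def triage(lines: List[str]) -> Tuple[List[Dict[str, str]], Dict[str, int]]:
    """Split lines into forwardable events and a histogram of violation classes.

    The histogram key drops the offending value so that all bad timestamps,
    for example, collapse into one 'bad_format:log_ts' bucket.
    """
    forwardable = []
    reason_counts: Dict[str, int] = {}
    for line in lines:
        event = parse_kv_line(line)
        bad = violations(event)
        if not bad:
            forwardable.append(event)
        for reason in bad:
            key = reason.split("=", 1)[0]
            reason_counts[key] = reason_counts.get(key, 0) + 1
    return forwardable, reason_counts


# Constructed sample log lines (not real Logpoint output).
SAMPLE_LINES = [
    "log_ts=1700000000 user=alice source_address=10.0.0.5 action=login",
    "log_ts=1700000001 user=bob source_address=10.0.0.6 action=logout",
    # timestamp in ISO form instead of epoch seconds: a normalizer problem
    "log_ts=2023-11-14T22:13:22 user=carol source_address=10.0.0.7 action=login",
    # user field absent: typically an enrichment that did not resolve
    "log_ts=1700000003 source_address=10.0.0.8 action=access",
    # source_address is not a valid IPv4 address
    "log_ts=1700000004 user=dave source_address=10.0.0.999 action=modify",
]

if __name__ == "__main__":
    ok, reasons = triage(SAMPLE_LINES)
    print(f"forwarded {len(ok)} of {len(SAMPLE_LINES)} lines")
    for reason, n in sorted(reasons.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {reason}")
```

Run against the constructed sample, 2 of 5 lines are forwardable and the histogram shows one event each in `bad_format:log_ts`, `missing:user` and `bad_format:source_address`. On real data, sort that histogram by count before opening a support ticket: a single dominant "missing" bucket is usually one enrichment source to fix, while a dominant "bad_format" bucket points at an outdated normalizer for that log source.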