Advanced UEBA Troubleshooting

If a large number of users have low UCI scores and the cause appears to be upstream, such as a DLP policy that is raising a large number of violations, the solution is to tune the upstream policy.

If the cause does not appear to be upstream but lies in the UEBA policy itself (for example, an ML-based unusual user agent detection that is raising a large number of alerts), there are two possible courses of action.

  • If the volume is acceptable but the impact on the UCI is large, the recommended next step is to tune the score and severity down to a range that does not result in a large number of users with low UCI scores.

  • If the volume and UCI impact are both unacceptable, the remaining solution is to disable the policy and file a support ticket. This should be a rare course of action, because the policies have been pre-tuned so that an average organization does not see a lot of alerts.
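The decision path above can be run over an alert export to see which policy is responsible before changing anything. The following is an added example, not product code: the record layout, the policy names, the assumption that UCI starts at 1000 and each alert deducts its score, and all thresholds are hypothetical and should be set per organization.

```python
from collections import defaultdict

# Assumptions (not from the page): UCI starts at 1000 and each alert deducts
# its score; the thresholds below are placeholders to set per organization.
UCI_START, LOW_UCI = 1000, 700
MAX_ALERTS, MAX_LOW_USERS = 50, 2

# Constructed sample export: (user, policy, policy type, score deducted)
ALERTS = (
    [(f"user{i}", "dlp-pci-upload", "upstream", 350) for i in range(4)]
    + [(f"user{i}", "ml-unusual-user-agent", "ueba", 400) for i in range(4, 8)]
    + [(f"user{i % 3}", "ml-rare-app-login", "ueba", 120) for i in range(60)]
    + [("user9", "bulk-delete", "ueba", 100)]
)

def triage(alerts, max_alerts=MAX_ALERTS, max_low_users=MAX_LOW_USERS):
    """Map each policy to the course of action the section describes."""
    volume = defaultdict(int)
    kind = {}
    deducted = defaultdict(lambda: defaultdict(int))  # policy -> user -> total
    for user, policy, ptype, score in alerts:
        volume[policy] += 1
        kind[policy] = ptype
        deducted[policy][user] += score
    actions = {}
    for policy, per_user in deducted.items():
        # Users this policy alone pushes under the low-UCI line.
        low_users = sum(1 for d in per_user.values() if UCI_START - d < LOW_UCI)
        if low_users <= max_low_users:
            actions[policy] = "no action"
        elif kind[policy] == "upstream":
            actions[policy] = "tune upstream policy"
        elif volume[policy] <= max_alerts:
            actions[policy] = "tune score and severity down"
        else:
            actions[policy] = "disable policy and file support ticket"
    return actions

if __name__ == "__main__":
    for policy, action in triage(ALERTS).items():
        print(f"{policy}: {action}")
```

Attributing low-UCI users to each policy separately keeps a single noisy policy from hiding behind the overall count.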

