Hi Abumo,
I wouldn't consider it a best practice to enable and configure every violation type that ASM can perform for every application. Ideally, the policy should be tuned to the application. For example, if the application performs proper session enforcement, there isn't a need to track that every request a client makes has gone through a successful authentication attempt. I would speak with the person that built the policy and possibly the people that built or administer the application to get a better understanding of what the application's security requirements are and why the policy was set up as it was.
Aaron