metron-dev mailing list archives

From Laurens Vets <laur...@daemon.be>
Subject Error message when changing riskLevelRules
Date Thu, 28 Sep 2017 16:42:30 GMT
I have the following riskLevelRules:

"riskLevelRules": [
	{
		"name": "Not WORK",
		"comment": "Checks whether the field is_work is true or false.",
		"rule": "is_work == false",
		"score": 20,
		"reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
	},
	{
		"name": "MFA",
		"comment": "Checks whether MFA used or not.",
		"rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
		"score": 20,
		"reason": null
	},
	{
		"name": "MFA2",
		"comment": "Checks whether MFA used or not.",
		"rule": "additionalEventData:MFAUsed == \"No\"",
		"score": 20,
		"reason": null
	}
],

When I try to change the reason in the 2nd and 3rd from null to "No MFA 
used.", I get the error message: "Modified Sensor parser config but 
unable to save enrichment configuration: JSON.parse: unexpected end of 
data at line 1 column 1 of the JSON data" and the reason is reverted 
back to null. Changing other items in the above works fine.

Any idea what might be going on?
