I have the following riskLevelRules:
"riskLevelRules": [
{
"name": "Not WORK",
"comment": "Checks whether the field is_work is true or false.",
"rule": "is_work == false",
"score": 20,
"reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
},
{
"name": "MFA",
"comment": "Checks whether MFA used or not.",
"rule": "userIdentity:sessionContext:attributes:mfaAuthenticated ==
\"False\"",
"score": 20,
"reason": null
},
{
"name": "MFA2",
"comment": "Checks whether MFA used or not.",
"rule": "additionalEventData:MFAUsed == \"No\"",
"score": 20,
"reason": null
}
],
When I try to change the reason in the 2nd and 3rd from null to "No MFA
used.", I get the error message: "Modified Sensor parser config but
unable to save enrichment configuration: JSON.parse: unexpected end of
data at line 1 column 1 of the JSON data" and the reason is reverted
back to null. Changing other items in the above works fine.
Any idea what might be going on?