Posted to dev@metron.apache.org by Laurens Vets <la...@daemon.be> on 2017/09/28 16:42:30 UTC

Error message when changing riskLevelRules

I have the following riskLevelRules:

"riskLevelRules": [
	{
		"name": "Not WORK",
		"comment": "Checks whether the field is_work is true or false.",
		"rule": "is_work == false",
		"score": 20,
		"reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
	},
	{
		"name": "MFA",
		"comment": "Checks whether MFA used or not.",
		"rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
		"score": 20,
		"reason": null
	},
	{
		"name": "MFA2",
		"comment": "Checks whether MFA used or not.",
		"rule": "additionalEventData:MFAUsed == \"No\"",
		"score": 20,
		"reason": null
	}
],

When I try to change the reason in the 2nd and 3rd from null to "No MFA 
used.", I get the error message: "Modified Sensor parser config but 
unable to save enrichment configuration: JSON.parse: unexpected end of 
data at line 1 column 1 of the JSON data" and the reason is reverted 
back to null. Changing other items in the above works fine.

Any idea what might be going on?

Re: Error message when changing riskLevelRules

Posted by Nick Allen <ni...@nickallen.org>.
Sure, I understand.  I just did that so others have an example to work with
for future reference.

On Tue, Oct 3, 2017 at 11:49 AM, Laurens Vets <la...@daemon.be> wrote:

Re: Error message when changing riskLevelRules

Posted by Laurens Vets <la...@daemon.be>.
Thanks Nick! I'm still on 0.4.1-release, so I haven't had a chance to 
play with your additional THREAT_TRIAGE_* things.

On 2017-10-03 08:40, Nick Allen wrote:

Re: Error message when changing riskLevelRules

Posted by Nick Allen <ni...@nickallen.org>.
Laurens -

The problem is that we expect a Stellar expression for the "reason" field.
What you are providing is a string that is not a valid Stellar expression.
For it to be a valid expression you need to add another set of quotes to
make it a Stellar string;  " 'No MFA used.' ".

I definitely see how this can be confusing.  Here is a REPL session of me
working through the problem.  I can see that there is clearly a problem
using the REPL.

(1) Create the rule set that you mentioned in your email.

[Stellar]>>> input := SHELL_EDIT(input)
[Stellar]>>> input
[
        {
                "name": "Not WORK",
                "comment": "Checks whether the field is_work is true or false.",
                "rule": "is_work == false",
                "score": 20,
                "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
        },
        {
                "name": "MFA",
                "comment": "Checks whether MFA used or not.",
                "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
                "score": 20,
                "reason": "No MFA used."
        },
        {
                "name": "MFA2",
                "comment": "Checks whether MFA used or not.",
                "rule": "additionalEventData:MFAUsed == \"No\"",
                "score": 20,
                "reason": "No MFA used."
        }
]
[Stellar]>>> rules := TO_JSON_LIST(input)


(2) Initialize the threat triage engine and add the rules.

[Stellar]>>> t := THREAT_TRIAGE_INIT()
[Stellar]>>> THREAT_TRIAGE_ADD(t, rules)
[!] Unable to parse No MFA used.: Unable to parse: No MFA used. due to:
org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable
alternative at input 'NoMFA'

org.apache.metron.stellar.dsl.ParseException: Unable to parse No MFA used.:
Unable to parse: No MFA used. due to:
org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable
alternative at input 'NoMFA'
	at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:240)
	at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:199)
	at org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:63)
	at org.apache.metron.management.ThreatTriageFunctions$AddStellarTransformation.apply(ThreatTriageFunctions.java:346)
	at org.apache.metron.stellar.common.StellarCompiler.lambda$exitTransformationFunc$13(StellarCompiler.java:570)
	at org.apache.metron.stellar.common.StellarCompiler$Expression.apply(StellarCompiler.java:169)
	at org.apache.metron.stellar.common.BaseStellarProcessor.parse(BaseStellarProcessor.java:152)
	at org.apache.metron.stellar.common.shell.StellarExecutor.execute(StellarExecutor.java:292)
	at org.apache.metron.stellar.common.shell.StellarShell.handleStellar(StellarShell.java:277)
	at org.apache.metron.stellar.common.shell.StellarShell.execute(StellarShell.java:509)
	at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.metron.stellar.dsl.ParseException: Unable to parse:
No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax
error @ 1:3 no viable ...


(3) Clearly there is a problem.  I then edited the input to add the quotes
as I suggested.

[Stellar]>>> input := SHELL_EDIT(input)
[Stellar]>>> input
[
        {
                "name": "Not WORK",
                "comment": "Checks whether the field is_work is true or false.",
                "rule": "is_work == false",
                "score": 20,
                "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
        },
        {
                "name": "MFA",
                "comment": "Checks whether MFA used or not.",
                "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
                "score": 20,
                "reason": "'No MFA used.'"
        },
        {
                "name": "MFA2",
                "comment": "Checks whether MFA used or not.",
                "rule": "additionalEventData:MFAUsed == \"No\"",
                "score": 20,
                "reason": "'No MFA used.'"
        }
]
[Stellar]>>> rules := TO_JSON_LIST(input)


(4) Again, initialize the threat triage engine and add the rules.

[Stellar]>>> t := THREAT_TRIAGE_INIT()
[Stellar]>>> THREAT_TRIAGE_ADD(t, rules)
{
  "enrichment" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { }
  },
  "threatIntel" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { },
    "triageConfig" : {
      "riskLevelRules" : [ {
        "name" : "Not WORK",
        "comment" : "Checks whether the field is_work is true or false.",
        "rule" : "is_work == false",
        "score" : 20.0,
        "reason" : "FORMAT('%s is not a WORK network!', sourceIPAddress)"
      }, {
        "name" : "MFA",
        "comment" : "Checks whether MFA used or not.",
        "rule" : "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
        "score" : 20.0,
        "reason" : "'No MFA used.'"
      }, {
        "name" : "MFA2",
        "comment" : "Checks whether MFA used or not.",
        "rule" : "additionalEventData:MFAUsed == \"No\"",
        "score" : 20.0,
        "reason" : "'No MFA used.'"
      } ],
      "aggregator" : "MAX",
      "aggregationConfig" : { }
    }
  },
  "configuration" : { }
}


(5) As you can see the rules are now valid; no more exceptions.  From here
you could score some mock telemetry to validate your rule set further.


Hope this helps.

On Thu, Sep 28, 2017 at 12:42 PM, Laurens Vets <la...@daemon.be> wrote:
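A pre-save check for the mistake discussed in this thread, added here as an example; it is not Metron code and not something either poster wrote. It assumes only what Nick states above (the "reason" field is parsed as a Stellar expression, and a quoted string is a valid one) plus the assumption that Stellar accepts single- or double-quoted string literals; the regexes are text heuristics, not the Stellar grammar, and the sample rule set is the one from the thread with the two bare-text reasons that broke.

```python
"""Lint Metron threat-triage riskLevelRules before saving them (added example,
not Metron code). The "reason" field is parsed as a Stellar expression, so the
bare prose  No MFA used.  fails while the literal  'No MFA used.'  is valid."""
import json
import re

# A value wholly wrapped in matching single or double quotes is a string literal
# (assumption: Stellar accepts both quote styles; this regex is not its grammar).
_STRING_LITERAL = re.compile(r"^\s*(?P<q>['\"]).*(?P=q)\s*$", re.DOTALL)
# A call, comparison/boolean operator or field:path reference suggests a real
# expression. Heuristic only, so findings are advisory.
_EXPRESSION_HINT = re.compile(r"[A-Za-z_]+\(|==|!=|&&|\|\||[<>]|\w:\w")

REQUIRED_KEYS = ("name", "rule", "score")


def classify_reason(reason):
    """Return 'null', 'string-literal', 'expression', 'bare-text' or 'invalid'."""
    if reason is None:
        return "null"
    if not isinstance(reason, str):
        return "invalid"
    if _STRING_LITERAL.match(reason):
        return "string-literal"
    if _EXPRESSION_HINT.search(reason):
        return "expression"
    return "bare-text"


def to_stellar_literal(text):
    """Quote bare text with whichever style it does not contain; refuse both."""
    if "'" not in text:
        return f"'{text}'"
    if '"' not in text:
        return f'"{text}"'
    raise ValueError(f"cannot quote {text!r} unambiguously; fix it by hand")


def lint_rules(rules, fix=False):
    """Return (findings, rule copies); fix=True rewrites bare-text reasons."""
    findings, out = [], []
    for i, rule in enumerate(rules):
        rule = dict(rule)  # never mutate the caller's config in place
        label = rule.get("name", f"rule #{i}")
        for key in REQUIRED_KEYS:
            if key not in rule:
                findings.append(f"{label}: missing required key {key!r}")
        kind = classify_reason(rule.get("reason"))
        if kind == "bare-text":
            literal = to_stellar_literal(rule["reason"])
            findings.append(f"{label}: reason {rule['reason']!r} is not a "
                            f"Stellar expression; use {literal!r}")
            if fix:
                rule["reason"] = literal
        elif kind == "invalid":
            findings.append(f"{label}: reason must be null or an expression string")
        out.append(rule)
    return findings, out

# Constructed sample: the thread's rule set with the two reasons that broke.
SAMPLE_RULES = [
    {"name": "Not WORK", "comment": "Checks whether the field is_work is true or false.",
     "rule": "is_work == false", "score": 20,
     "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"},
    {"name": "MFA", "comment": "Checks whether MFA used or not.",
     "rule": 'userIdentity:sessionContext:attributes:mfaAuthenticated == "False"',
     "score": 20, "reason": "No MFA used."},
    {"name": "MFA2", "comment": "Checks whether MFA used or not.",
     "rule": 'additionalEventData:MFAUsed == "No"', "score": 20, "reason": "No MFA used."},
]

if __name__ == "__main__":
    problems, repaired = lint_rules(SAMPLE_RULES, fix=True)
    print("\n".join(problems))
    print(json.dumps({"riskLevelRules": repaired}, indent=2))
```

Running the lint on a config before pushing it reports the two broken reasons by rule name, which is more useful than the UI's generic JSON.parse message.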