We woud like to be able to monitor for changes to the sudoers file on Jamf Pro devices, via Jamf Protect.

We tried creating a new custom analytic, but it does not seem to work during our testing - no events are logged in the Alerts tab. Anyone know if there is an issue with our setup? 

It wont let me add a screenshot, so here is the 'predicate' in the Summary tab for the analytic:

( $event.isModified == 1 AND
$event.path ==[cd] "/private/etc/sudoers" )

The 'Event Type' is 'File System Event'