Clearing Alerts Only

[DrOnionMaster]

In the beginning I believe I took the wrong approach by enabling all the playbook alerts available. The thought was that I could tune as they came in, but now I've run into the problem of alert fatigue. I have millions of alerts, and literally cannot acknowledge them fast enough. I've turned off some of the extremely noisy ones and have it under control now. But the problem I am looking for a solution for is: now that I've acknowledged millions of these alerts, I want them deleted permanently. However, I don't want the associated logs to be deleted, as many of them are part of active investigations. I'm aware of commands like: so-elastic-clear and sudo so-sensor-clean but as far as I know these will clear out all the logs that I need to keep.

Is there a way to delete the "Alerts" instead of just acknowledging them? But also not delete all the data/logs?

[cm-ops]

When you say delete "alerts" but not all data/logs, do you mean remove the alerts from the Suricata index and keep the metadata in Zeek (or Suricata if you are using it as metadata)?

When you acknowledge an alert it will have the event.acknowledged field set to true. If you want to remove those from the Suricata index you could use delete by query API https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-delete-by-query.html. If not please expand on what you want to keep versus delete.

[DrOnionMaster]

I am talking about the alerts populated within the "Alerts" tab of the SOC. All of them are coming from the playbook plays I implemented. Is that that same as the Suricata Index? This is my first run with security onion, so I am still getting familiar with the tools.

[cm-ops]

Look for your playbook indices then .ds-logs-playbook.alerts-so-2024.04.02-000001 (as an example) and delete them if you want the playbook data removed. If you only want acknowledged data removed, then use the delete by query API.