Playbook rules still generating alerts after set to inactive or disabled #1951

0nnyx · 2020-11-17T11:59:45Z

0nnyx
Nov 17, 2020

After initially activating critical & high playbook rules, I wanted to filter some generating false positives like Renamed Powershell & Highly Relevant Renamed Binary.
Setting these 2 rules to inactive for a day, then to disabled the next day, I was still getting alerts for both. Also tried a reboot without success.
What Is the proper method to disable playbook rules ?

Answered by defensivedepth

Nov 17, 2020

We recently fixed a bug that was causing inactive Plays to continue to alert - that fix will be available in our next release.

For now, you can delete the yaml files in /opt/so/rules/elastalert/playbook/ and then run sudo so-playbook-sync - this will manually turn off the alerting for Plays that are currently inactive.

View full answer

defensivedepth · 2020-11-17T14:30:54Z

defensivedepth
Nov 17, 2020
Maintainer

We recently fixed a bug that was causing inactive Plays to continue to alert - that fix will be available in our next release.

For now, you can delete the yaml files in /opt/so/rules/elastalert/playbook/ and then run sudo so-playbook-sync - this will manually turn off the alerting for Plays that are currently inactive.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Playbook rules still generating alerts after set to inactive or disabled #1951

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Playbook rules still generating alerts after set to inactive or disabled #1951

Uh oh!

0nnyx Nov 17, 2020

Replies: 1 comment

Uh oh!

defensivedepth Nov 17, 2020 Maintainer

0nnyx
Nov 17, 2020

defensivedepth
Nov 17, 2020
Maintainer