Describe the bug
When a detection which has throttling enabled, is edited with ES Content Management, the value for alert.suppress will be set to 1, instead to true which the jinja2 template sets here.
As a result, the parameter is set in local/savedsearches.conf which locks why further updates that might come through default/savedsearches.conf, using DaC methodology.
Expected behavior
contentctl should follow the "preferences" of whatever the Spunk GUI wants to set.
contentctl Version:
v5.5.9
ES Version:
v7.3.4
Describe the bug
When a detection which has throttling enabled, is edited with ES Content Management, the value for
alert.suppresswill be set to1, instead totruewhich the jinja2 template sets here.As a result, the parameter is set in local/savedsearches.conf which locks why further updates that might come through default/savedsearches.conf, using DaC methodology.
Expected behavior
contentctlshould follow the "preferences" of whatever the Spunk GUI wants to set.contentctl Version:
v5.5.9
ES Version:
v7.3.4