Hello Arthur!
I will check this out. A few things to consider:
Firstly, could you inform me of the Wazuh version you are currently using?
Regarding your AR configuration snippet, I see that you have:
<rules_group>31106,31151,31516,31168,31104</rules_group>
I noticed these are rule IDs. For correct implementation, it should be structured as follows:
<active-response>
  <disabled>no</disabled>
  <command>firewalld-drop</command>
  <location>local</location>
  <level>6</level>
  <rules_id>31106,31151,31516,31168,31104</rules_id>
  <timeout>600</timeout>
</active-response>
Could you please try configuring it again with this corrected format?
Does the issue of it appearing as disabled persist after this adjustment? And furthermore, is the Active Response functioning as expected?
Regards!
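
Added example, not part of the original reply and not Wazuh's own tooling: a small check that scans a configuration for `<active-response>` blocks where numeric rule IDs were placed in `<rules_group>` instead of `<rules_id>`, the mix-up described above. The function name `find_misplaced_rule_ids` and the sample configuration are constructed for illustration, and the check assumes the file is otherwise parseable XML.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real deployment. ossec.conf may hold
# several <ossec_config> sections, so it is not a single-root XML document.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>firewalld-drop</command>
    <location>local</location>
    <rules_group>31106,31151,31516,31168,31104</rules_group>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewalld-drop</command>
    <location>local</location>
    <rules_id>31106,31151</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

def find_misplaced_rule_ids(conf_text):
    """Return (block_index, command, numeric_values) for every
    <active-response> block whose <rules_group> holds numeric rule IDs."""
    # Drop any XML declaration, then wrap everything in a synthetic root so
    # multiple <ossec_config> sections parse as one tree.
    body = re.sub(r"<\?xml[^>]*\?>", "", conf_text)
    root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    findings = []
    for index, block in enumerate(root.iter("active-response"), start=1):
        command = (block.findtext("command") or "").strip()
        for group in block.findall("rules_group"):
            values = [v.strip() for v in (group.text or "").split(",") if v.strip()]
            # Group names are words (for example "web"); bare digits are rule IDs.
            numeric = [v for v in values if v.isdigit()]
            if numeric:
                findings.append((index, command, numeric))
    return findings

if __name__ == "__main__":
    for index, command, ids in find_misplaced_rule_ids(SAMPLE_CONF):
        print(f"active-response #{index} ({command}): move {','.join(ids)} "
              "from <rules_group> to <rules_id>")
```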