Greetings Daniel:

If an existing alert has a level lower than the value, it will not be a part of active response.

Personally, I don't like the active-response level approach as who knows if it will block a false positive, or something that should be further investigated. That stated, we use the sid approach where I list out the rules for which blocks should apply. If you do need to change levels, place the rules in /var/ossec/rules/local_rules.xml and use the overwrite="yes" flag (on the same line as the <rule>

Thank you.
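The two approaches described in the reply above, as an added configuration example that is not part of the original message. The `firewall-drop` command, the 600-second timeout, the level values and rule IDs 5712 and 5720 are assumptions chosen for illustration; the body of an overwritten rule should be copied from the rule file shipped with your OSSEC version.

```xml
<!-- ossec.conf: level-based active response.
     Any alert at or above the threshold triggers the block, including
     rules nobody has reviewed for false positives. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>            <!-- assumed threshold -->
  <timeout>600</timeout>      <!-- assumed: unblock after 10 minutes -->
</active-response>

<!-- ossec.conf: sid-based active response.
     Only the listed rule IDs can trigger a block, so each one can be
     vetted before it is allowed to act. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5712,5720</rules_id>   <!-- assumed IDs (sshd rules) -->
  <timeout>600</timeout>
</active-response>

<!-- /var/ossec/rules/local_rules.xml: changing the level of an existing
     rule. overwrite="yes" goes on the same line as the rule id; the rest
     of the definition is repeated from the stock rule. The body below is
     an assumed copy of rule 5712, with the level changed to 12. -->
<group name="local,syslog,">
  <rule id="5712" level="12" frequency="6" timeframe="120" ignore="60" overwrite="yes">
    <if_matched_sid>5710</if_matched_sid>
    <description>SSHD brute force trying to get access to the system.</description>
    <same_source_ip />
    <group>authentication_failures,</group>
  </rule>
</group>
```

Keeping the change in local_rules.xml rather than editing the stock rule file means it is not lost when the shipped rules are replaced on upgrade.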
