diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls
index c5be686a7..4ff284ffa 100644
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
@@ -113,7 +113,7 @@ elasticdefendcustom:
 - mode: 600
 {% if ELASTICFLEETMERGED.config.defend_filters.enable_auto_configuration %}
-cronelasticdefendfilters:
+cron-elastic-defend-filters-add:
 cron.present:
 - name: python3 /sbin/so-elastic-defend-manage-filters.py -c /opt/so/conf/elasticsearch/curl.config -d /opt/so/conf/elastic-fleet/defend-exclusions/disabled-filters.yaml -i /nsm/securityonion-resources/event_filters/ -i /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters/ &>> /opt/so/log/elasticfleet/elastic-defend-manage-filters.log
 - identifier: elastic-defend-filters
@@ -123,6 +123,10 @@ cronelasticdefendfilters:
 - daymonth: '*'
 - month: '*'
 - dayweek: '*'
+{% else %}
+cron-elastic-defend-filters-remove:
+ cron.absent:
+ - identifier: elastic-defend-filters
 {% endif %}
 eaintegrationsdir:
diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls
index 8cc79bf57..51d2d1430 100644
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -154,8 +154,8 @@ so-elastic-defend-manage-filters-file-watch:
 cmd.run:
 - name: python3 /sbin/so-elastic-defend-manage-filters.py -c /opt/so/conf/elasticsearch/curl.config -d /opt/so/conf/elastic-fleet/defend-exclusions/disabled-filters.yaml -i /nsm/securityonion-resources/event_filters/ -i /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters/ &>> /opt/so/log/elasticfleet/elastic-defend-manage-filters.log
 - onchanges:
- file: /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters-raw
- file: /opt/so/conf/elastic-fleet/defend-exclusions/disabled-filters.yaml
+ - file: elasticdefendcustom
+ - file: elasticdefenddisabled
 {% endif %}
 {% endif %}
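Review bot: The new `cron-elastic-defend-filters-remove` state passes only `- identifier: elastic-defend-filters`, so `cron.absent` works on the default user's crontab (root). The lines of `cron-elastic-defend-filters-add` between `- identifier` and `- daymonth` fall outside both hunks. If they set `- user:`, the absent state needs the same value, or the job stays installed and keeps pushing Defend event filters after auto-configuration is switched off. A short comment above the `{% else %}` branch would also help, for example `# auto-configuration disabled: remove the scheduled filter sync`.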
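Review bot: The `onchanges` entries now name state IDs (`elasticdefendcustom`, `elasticdefenddisabled`) instead of file paths, and `elasticdefendcustom` appears on this page only as a state in config.sls. A requisite resolves only against states compiled into the same run, so enabled.sls has to include the config SLS (not visible in this hunk), otherwise the `cmd.run` fails on an unresolved requisite instead of firing. `elasticdefenddisabled` is not shown anywhere in this diff, so confirm that the ID exists and belongs to a `file` state. The command string is also a verbatim copy of the cron job's `- name:` in config.sls; defining it once in a Jinja variable would keep the two from drifting apart.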