elastic · nastasha-solomon · Dec 6, 2024 · Dec 6, 2024 · Dec 6, 2024 · Dec 6, 2024
@@ -9,6 +9,67 @@ For serverless changes in Cloud Console, refer to https://www.elastic.co/guide/e
 [[serverless-changelog-12032024]]
 == December 3, 2024
 
+[discrete]
+[[known-issues-12032024]]
+=== Known issues
+
+// tag::known-issue[201820]
+[discrete]
+.In {sec-serverless}, the **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`)  
+[%collapsible]
+====
+*Details* +
+On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. 
+
+*Workaround* + 
+
+For custom rules:
+
+. From your {sec-serverless} project, <<import-export-rules-ui,export>> the rule or rules with the affected exception lists. 
+. Modify the `.ndjson` file so `comments` no longer contain newline characters.
+. Return to your project and <<import-export-rules-ui,re-import>> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option.
+
+For prebuilt rules: 
+
+. Fetch the affected exception list ID or IDs that are associated with the rule. 
+.. Find the affected rule's ID (`id`). From your {sec-serverless} project, open the rule's details page, go to the page URL, and copy the string at the end. For example, the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e contains the `id` `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end.
+.. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID:
++
+[source,console]
+----
+curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme
+----
++
+.. The JSON response will contain the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You will need these values to retrieve the exception list using the Exception list API. 
++
+[source,console]
+----
+{
+  "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e",
+  "exceptions_list": [
+    {
+      "id": "490525a2-eb66-4320-95b5-88bdd1302dc4",
+      "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d",
+      "namespace_type": "single"
+    }
+  ]
+}
+----
++
+. Retrieve the affected exception list using the export exceptions API. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call:
++
+[source,console]
+----
+curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson
+----
++
+. Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`).
+. From your {sec-serverless} project, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]).
++
+The import will initially fail because the exception list already exists. After the failure, an option to overwrite the existing list appears. Select the option, then resubmit the request to import the updated exception list.
+====
+// end::known-issue[201820]
+
 [discrete]
 [[features-enhancements-12032024]]
 === Features and enhancements