[BUG][7.17-8.5]Fix note that describes how exceptions work with EQL rules (backport #4759) (#4769)

* [BUG][7.17-8.5]Fix note that describes how exceptions work with EQL rules (#4759)

(cherry picked from commit eb08ead)

# Conflicts:
#	docs/detections/detections-ui-exceptions.asciidoc

* Fixed!

---------

Co-authored-by: Nastasha Solomon <[email protected]>
Co-authored-by: nastasha.solomon <[email protected]>
3 people authored Feb 7, 2024
1 parent c8fb8d7 commit 05d1981
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions docs/detections/detections-ui-exceptions.asciidoc
@@ -81,10 +81,9 @@ IMPORTANT: To ensure an exception is successfully applied, make sure that the f

[IMPORTANT]
==============
Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated.
Be careful when adding exceptions to <<create-eql-rule,event correlation>> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created.
To exclude values from a
specific event in the sequence, update the rule's EQL statement. For example:
To exclude values from a specific event in the sequence, update the rule's EQL statement. For example:
[source,eql]
----
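Review bot: the new sentence "if an exception matches any events that are necessary to complete the sequence, alerts are not created" fixes the inverted all/some statement it replaces, but "necessary to complete the sequence" can be read as implying that only some events in a sequence are required; since every event in an EQL sequence is required for it to complete, consider the plainer wording "if an exception matches any event in the sequence, the sequence cannot complete and no alert is created." The hunk header shows the surrounding IMPORTANT note ("To ensure an exception is successfully applied, make sure that the f..."), which should be re-read for consistency with the new behaviour description, and the "For example:" lead-in now directly precedes the [source,eql] block, so the example should show the exclusion written into the sequence's event filter rather than as an exception.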
