From 0cfe0db987cf69f2005b62d432ebe147681c20b3 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Sun, 18 Feb 2024 23:49:54 -0500 Subject: [PATCH] [8.13] [Redo][8.6-8.13] Highlight that rule exceptions are case-sensitive (backport #4805) (#4825) * [Redo][8.6-8.13] Highlight that rule exceptions are case-sensitive (#4805) (cherry picked from commit 4d78e7736f9d2faf333e5601613d9603628391df) * Fixed ordering --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: nastasha.solomon --- docs/detections/add-exceptions.asciidoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 296ce34aaa..5536474939 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
@@ -62,10 +62,12 @@ image::images/rule-exception-tab.png[Detail of rule exceptions tab] . In the *Add rule exception* flyout, name the exception. . Add conditions that define the exception. When the exception's query evaluates to `true`, rules don't generate alerts even when their criteria are met. + +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. ++ NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the **Add comments** section. .. *Field*: Select a field to identify the event being filtered. -+ ++ [NOTE] ======= A warning displays for fields with conflicts. Using these fields might cause unexpected exceptions behavior. Refer to <> for more information. @@ -178,6 +180,8 @@ image::images/endpoint-add-exp.png[] . If required, modify the conditions. + +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. ++ [NOTE] ====== * Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <>.
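Review bot: In the first hunk (@@ -62,10 +62,12 @@), the added IMPORTANT line says "some ECS fields have a `.caseless` version" but names no field and links to no reference, so a reader writing an exception cannot tell which fields qualify. Add a cross-reference or one example field next to that sentence. In the same hunk, the `-+` / `++` pair just before `[NOTE]` shows no visible difference, which suggests a whitespace-only change to the list continuation line. Confirm it is intended, or drop it from the backport so the diff carries only the new admonition.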
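Review bot: The IMPORTANT line added in the second hunk (@@ -178,6 +180,8 @@) is a verbatim copy of the one added in the first hunk, so the two copies can drift apart when only one is edited later. Consider defining the sentence once (for example as an AsciiDoc attribute or a shared include) and referencing it in both places. The wording "will be treated as such" is also vague for a warning that affects whether alerts are suppressed. Stating that the exception value must match the case of the event data exactly would make the consequence clearer.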