[BUG][8.6-8.12] Fix note that describes how exceptions work with EQL rules (#4758)

(cherry picked from commit b5bd460)
nastasha-solomon authored and mergify[bot] committed Feb 6, 2024
1 parent 9a5b20e commit 21e8200
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/detections/add-exceptions.asciidoc
@@ -12,7 +12,7 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t
==============
* To ensure an exception is successfully applied, ensure that the fields you've defined for its query are correctly and consistently mapped in their respective indices. Refer to {ecs-ref}[ECS] to learn more about supported mappings.
* Be careful when adding exceptions to <<create-eql-rule,event correlation>> rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated.
* Be careful when adding exceptions to <<create-eql-rule,event correlation>> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created.
+
To exclude values from a
specific event in the sequence, update the rule's EQL statement. For example:
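Review bot: In the replacement line, "any events that are necessary to complete the sequence" is ambiguous: it is unclear whether this means any event in the sequence (every event in an EQL sequence is needed to complete it) or only some subset, and the removed line's explicit statement of the complementary case (what happens when the exception matches only some of the events) is dropped rather than corrected, so a reader can no longer tell whether a partial match still produces an alert. Suggest stating both cases plainly, for example "if an exception matches any event in the sequence, no alert is generated; an alert is generated only when no event in the sequence matches the exception", if that is the intended behaviour, and keeping "generated" rather than switching to "created" so the wording matches the surrounding text. The commit title scopes this fix to 8.6-8.12, but the hunk adds no version qualifier to the note; if the behaviour differs outside that range, the note should say so.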

0 comments on commit 21e8200