diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 4ea3a23ed4..b7f62c2c5d 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -83,6 +83,11 @@ IMPORTANT: To ensure an exception is successfully applied, make sure that the f ============== Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated. +<<<<<<< HEAD +======= +* Be careful when adding exceptions to <> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. ++ +>>>>>>> 7d74705 ([BUG][7.17-8.5]Fix note that describes how exceptions work with EQL rules (#4759)) To exclude values from a specific event in the sequence, update the rule's EQL statement. For example: