[BUG][7.17-8.5]Fix note that describes how exceptions work with EQL rules (backport #4759) (#4767)

(cherry picked from commit eb08ead)

Co-authored-by: Nastasha Solomon <[email protected]>
mergify[bot] and nastasha-solomon authored Feb 6, 2024
1 parent 14f36cb commit 2e36906
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/detections/detections-ui-exceptions.asciidoc
Expand Up @@ -81,7 +81,7 @@ exception's criteria.
==============
* To ensure an exception is successfully applied, make sure that the fields you've defined for the exception query are correctly and consistently mapped in their respective indices. Refer to {ecs-ref}[ECS] to learn more about supported mappings.
* Be careful when adding exceptions to <<create-eql-rule,event correlation>> rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated.
* Be careful when adding exceptions to <<create-eql-rule,event correlation>> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created.
+
To exclude values from a
specific event in the sequence, update the rule's EQL statement. For example:
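Review bot: the replacement bullet drops the explicit converse case that the old wording stated (alerts still fire when the exception matches none of the sequence's events), and the new phrase "any events that are necessary to complete the sequence" is redundant, since every event in an EQL sequence is necessary to complete it; consider "Exceptions are evaluated against every event in the sequence, and if an exception matches any event in the sequence, no alert is created" so readers see that a single matching event suppresses the whole sequence alert. The trailing "+" line is the AsciiDoc list continuation that keeps "To exclude values from a specific event in the sequence, update the rule's EQL statement. For example:" attached to this bullet; that is correct, but since the bullet now says the only way to scope an exclusion to one event is the EQL statement itself, it would help to make that link explicit in the sentence, e.g. "Exceptions cannot be scoped to a single event in the sequence; to exclude values from a specific event, update the rule's EQL statement."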
