diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 296ce34aaa..105934b2d2 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc @@ -62,10 +62,12 @@ image::images/rule-exception-tab.png[Detail of rule exceptions tab] . In the *Add rule exception* flyout, name the exception. . Add conditions that define the exception. When the exception's query evaluates to `true`, rules don't generate alerts even when their criteria are met. + +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. ++ NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the **Add comments** section. .. *Field*: Select a field to identify the event being filtered. -+ ++ [NOTE] ======= A warning displays for fields with conflicts. Using these fields might cause unexpected exceptions behavior. Refer to <> for more information. @@ -178,6 +180,8 @@ image::images/endpoint-add-exp.png[] . If required, modify the conditions. + +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. ++ [NOTE] ====== * Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <>.
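Review bot: In the first hunk (@@ -62,10 +62,12 @@), the new IMPORTANT admonition says "some ECS fields have a `.caseless` version" but neither names one nor links to where readers can find them, so someone writing an exception cannot tell whether the field they need has one. Suggest adding a concrete example field or a cross-reference to the ECS field reference. The phrase "will be treated as such" is also vague; consider stating directly that the exception only matches when the value's letter case is identical to the event's. Separately, the `-+` / `++` pair just before `[NOTE]` looks like a whitespace-only change to the list continuation line. If it adds trailing whitespace, please drop it from the patch, since it is unrelated to the change and the continuation marker should stay a bare `+`.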
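Review bot: In the second hunk (@@ -178,6 +180,8 @@), the IMPORTANT text is a verbatim copy of the sentence added in the first hunk, so the two will drift the next time one is edited. Suggest moving it to a shared include or attribute and referencing it from both steps. The hunk header context (`image::images/endpoint-add-exp.png[]`) also indicates this step belongs to the endpoint exception procedure, while the admonition opens with "Rule exceptions are case-sensitive". Please confirm the statement applies to endpoint exceptions as well, and adjust the wording here if so.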