From 564d614b230f245ffeb1b9d518663bdf5804678e Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 18:37:34 -0500 Subject: [PATCH] [8.10] [BUG][8.6-8.12]Fix note that describes how exceptions work with EQL rules (backport #4758) (#4762) (cherry picked from commit b5bd460226678253a623b246f4bc0eec4ad23f6c) Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/detections/add-exceptions.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 832558947e..6981ecb51b 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc @@ -12,7 +12,7 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t ============== * To ensure an exception is successfully applied, ensure that the fields you've defined for its query are correctly and consistently mapped in their respective indices. Refer to {ecs-ref}[ECS] to learn more about supported mappings. -* Be careful when adding exceptions to <> rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated. +* Be careful when adding exceptions to <> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. + To exclude values from a specific event in the sequence, update the rule's EQL statement. For example:
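Review bot: the replacement wording "if an exception matches any events that are necessary to complete the sequence" is ambiguous, since in an EQL sequence every event is necessary to complete it; the sentence can be read as implying that only some events count. Suggest stating the behaviour directly, e.g. "if an exception matches any event in the sequence, no alert is created", so the point of the fix (that a single matching event suppresses the whole sequence alert, not only a match on all events as the old note claimed) is unmistakable. The preceding sentence already says exceptions are evaluated against every event in the sequence, so the two sentences would then read consistently, and the retained continuation line ("To exclude values from a specific event in the sequence, update the rule's EQL statement") follows naturally as the narrower alternative.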