From 6079f609812acdb69a31546a70511d959af7d66b Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 20 Feb 2024 11:27:47 -0500 Subject: [PATCH] Creating backport --- docs/detections/detections-ui-exceptions.asciidoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index f9b4ca104b..3aa91de51e 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -123,10 +123,11 @@ the exception prevents the rule from generating alerts when the + [IMPORTANT] ============ + +* Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. * You can use nested conditions. However, this is only required for <>. For all other fields, nested conditions should not be used. - * Wildcards are not supported in rule exceptions or value lists. Values must be literal values. ============ + @@ -196,6 +197,8 @@ The *Add Endpoint Exception* flyout opens, from either the rule details page or image::images/endpoint-add-exp.png[] . If required, modify the conditions. + +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. ++ NOTE: See <> for more information on when nested conditions are required. . You can select any of the following: