From 9d67ba5cba402d36f96b0a3e901faee77d7a22d8 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 20 Feb 2024 11:51:21 -0500 Subject: [PATCH] [Redo][8.2] Highlight that rule exceptions are case-sensitive (#4839) * Creating backport * Update docs/detections/detections-ui-exceptions.asciidoc --- docs/detections/detections-ui-exceptions.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 72b3b3c7df..8882a399a1 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -123,10 +123,10 @@ the exception prevents the rule from generating alerts when the + [IMPORTANT] ============ +* Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. * You can use nested conditions. However, this is only required for <>. For all other fields, nested conditions should not be used. - * Wildcards are not supported in rule exceptions or value lists. Values must be literal values. ============ + @@ -196,6 +196,8 @@ The *Add Endpoint Exception* flyout opens, from either the rule details page or image::images/endpoint-add-exp.png[] . If required, modify the conditions. + +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. ++ NOTE: See <> for more information on when nested conditions are required. . You can select any of the following: