[8.7] [BUG][8.6-8.12]Fix note that describes how exceptions work with EQL rules (backport #4758) (#4765)

(cherry picked from commit b5bd460)

Co-authored-by: Nastasha Solomon <[email protected]>
mergify[bot] and nastasha-solomon authored Feb 6, 2024
1 parent f91d7e3 commit 9ec644e
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/detections/add-exceptions.asciidoc
Expand Up @@ -6,7 +6,7 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t
==============
* To ensure an exception is successfully applied, ensure that the fields you've defined for its query are correctly and consistently mapped in their respective indices. Refer to {ecs-ref}[ECS] to learn more about supported mappings.
* Be careful when adding exceptions to <<create-eql-rule,event correlation>> rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated.
* Be careful when adding exceptions to <<create-eql-rule,event correlation>> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created.
+
To exclude values from a
specific event in the sequence, update the rule's EQL statement. For example:
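Review bot: the qualifier "any events that are necessary to complete the sequence" in the added line is redundant and leaves the key question open, namely whether a single matching event is enough to suppress the alert; every event a sequence rule matches is by definition necessary to complete the sequence, so the sentence should say it plainly, e.g. "if an exception matches any single event in the sequence, no alert is generated for that sequence, even when the other events in the sequence are not covered by the exception." Because the removed line told readers the opposite (that alerts are still generated when the exception matches only some of the events), stating the suppression rule that explicitly, before the "update the rule's EQL statement" workaround that follows, avoids readers of the older note carrying the wrong model forward.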

0 comments on commit 9ec644e