From a230cce90f13675f5962920e19bf994ad2071dd7 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Wed, 7 Feb 2024 11:45:12 -0500 Subject: [PATCH] [BUG][7.17-8.5]Fix note that describes how exceptions work with EQL rules (backport #4759) (#4771) * [BUG][7.17-8.5]Fix note that describes how exceptions work with EQL rules (#4759) (cherry picked from commit 7d74705fbdb306f552fb1cdcd275ca65f9df44d2) # Conflicts: # docs/detections/detections-ui-exceptions.asciidoc * Fixed! --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: nastasha.solomon --- docs/detections/detections-ui-exceptions.asciidoc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 4ea3a23ed4..a4c0095c13 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -81,10 +81,9 @@ IMPORTANT: To ensure an exception is successfully applied, make sure that the f [IMPORTANT] ============== -Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated. +Be careful when adding exceptions to <> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. -To exclude values from a -specific event in the sequence, update the rule's EQL statement. For example: +To exclude values from a specific event in the sequence, update the rule's EQL statement. For example: [source,eql] ----