diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 3307f95016..0b8b97f5f6 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc @@ -62,10 +62,12 @@ image::images/rule-exception-tab.png[Detail of rule exceptions tab] . In the *Add rule exception* flyout, name the exception. . Add conditions that define the exception. When the exception's query evaluates to `true`, rules don't generate alerts even when their criteria are met. + -NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. A comment describing this action is also automatically added to the **Add comments** section. +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. ++ +NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the **Add comments** section. .. *Field*: Select a field to identify the event being filtered. -+ ++ [NOTE] ======= A warning displays for fields with conflicts. Using these fields might cause unexpected exceptions behavior. Refer to <> for more information. 
@@ -177,10 +179,15 @@ The *Add Endpoint Exception* flyout opens. image::images/endpoint-add-exp.png[] . If required, modify the conditions. ++ +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. + -NOTE: Refer to <> for more information on when nested conditions are required. -+ -NOTE: Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <>. +[NOTE] +======= + +* Refer to <> for more information on when nested conditions are required. +* Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <>. +======= . You can select any of the following:
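Review bot: In the first hunk (@@ -62,10 +62,12 @@), the new IMPORTANT admonition says "some ECS fields have a `.caseless` version" but names no field and links nowhere, so a reader cannot act on it from this step. Add one example field or a cross-reference to where the caseless variants are listed. Also replace "will be treated as such" with a direct statement that the exception value must match the letter case of the event value exactly; the current wording does not say what happens on a mismatch. Separately, the continuation line after "*Field*: Select a field to identify the event being filtered." is removed and re-added as `+` with no visible difference. If that is a whitespace-only change, drop it from the patch.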
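Review bot: In the second hunk (@@ -177,10 +179,15 @@), the IMPORTANT admonition sits under the *Add Endpoint Exception* steps but opens with "Rule exceptions are case-sensitive", copied verbatim from the rule exception procedure. State explicitly that the behavior also applies to endpoint exceptions, or reword the sentence for this context, so readers do not assume it covers only detection rule exceptions. Since the same sentence now appears twice in this file, consider keeping it in one shared place so the two copies cannot drift apart. Minor: the empty line added after the opening `=======` of the new [NOTE] block can be dropped.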