From bc1e8af2ce1018416ab3396f5b9955c8fe1058d7 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Mon, 19 Feb 2024 00:10:38 -0500 Subject: [PATCH] [8.9] [Redo][8.6-8.13] Highlight that rule exceptions are case-sensitive (backport #4805) (#4829) * [Redo][8.6-8.13] Highlight that rule exceptions are case-sensitive (#4805) (cherry picked from commit 99658d98c36cd5a798eb66bd20ae2ad819468d2f) # Conflicts: # docs/detections/add-exceptions.asciidoc * Fixed conflict * Removed extra content * note formatting --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: nastasha.solomon --- docs/detections/add-exceptions.asciidoc | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 3307f95016..0b8b97f5f6 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
@@ -62,10 +62,12 @@ image::images/rule-exception-tab.png[Detail of rule exceptions tab] . In the *Add rule exception* flyout, name the exception. . Add conditions that define the exception. When the exception's query evaluates to `true`, rules don't generate alerts even when their criteria are met. + -NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. A comment describing this action is also automatically added to the **Add comments** section. +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. ++ +NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the **Add comments** section. .. *Field*: Select a field to identify the event being filtered. -+ ++ [NOTE] ======= A warning displays for fields with conflicts. Using these fields might cause unexpected exceptions behavior. Refer to <> for more information. 
@@ -177,10 +179,15 @@ The *Add Endpoint Exception* flyout opens. image::images/endpoint-add-exp.png[] . If required, modify the conditions. ++ +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. + -NOTE: Refer to <> for more information on when nested conditions are required. -+ -NOTE: Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <>. +[NOTE] +======= + +* Refer to <> for more information on when nested conditions are required. +* Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <>. +======= . You can select any of the following:
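Review bot: In the first hunk (`docs/detections/add-exceptions.asciidoc`, around line 62), the new IMPORTANT admonition tells readers that "some ECS fields have a `.caseless` version" without saying which fields or linking to where that list lives, so a reader still cannot tell whether the field they are about to use has one. Suggest either pointing at the relevant field reference or naming one concrete field as an example. The second sentence is also circular ("any character that's entered as an uppercase or lowercase letter will be treated as such"); something like "values must match the letter case of the event data exactly" says the same thing in fewer words. Finally, because a `.caseless` field matches more events than its case-sensitive counterpart, the admonition should say plainly that switching to it widens the set of alerts the exception suppresses, so the author of the exception can check that the broader match is what they intend.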
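Review bot: In the second hunk (around line 177), the IMPORTANT admonition is a verbatim copy of the text added to the rule-exception section earlier in the same file, which is how the two wordings will drift the next time one of them is edited; consider pulling the sentence into an AsciiDoc attribute or a shared include so both flyouts stay in sync. Merging the two previous NOTE admonitions into a single `[NOTE]` block with a bullet list reads well, but the empty line directly after the opening `=======` delimiter is unnecessary and inconsistent with the `[NOTE]` block in the earlier hunk, which starts its text immediately; drop it so the two blocks are formatted the same way.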