diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 4539c7e222..62633f98f7 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc @@ -53,15 +53,10 @@ image::images/rule-exception-tab.png[Detail of rule exceptions tab] .. Click *Create shared exception list* -> *Create exception item*. -- -. In the *Add rule exception* flyout, name the exception and add conditions that define the exception. When the exception's query conditions are met (the query evaluates to `true`), rules do not generate alerts even when other rule criteria are met. -+ -In the example below, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`. +. In the *Add rule exception* flyout, name the exception. +. Add conditions that define the exception. When the exception's query evaluates to `true`, rules don't generate alerts even when their criteria are met. + -[role="screenshot"] -image::images/add-exception-ui.png[] - -+ -Add conditions that define when the exception prevents alerts: +NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. A comment describing this action is also automatically added to the **Add comments** section. .. *Field*: Select a field to identify the event being filtered. + 
@@ -90,6 +85,14 @@ IMPORTANT: Using wildcards can impact performance. To create a more efficient ex .. *Value*: Enter the value associated with the *Field*. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. ++ ++ +In the example below, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`. ++ ++ +[role="screenshot"] +image::images/add-exception-ui.png[] + . Click *AND* or *OR* to create multiple conditions and define their relationships. . Click *Add nested condition* to create conditions using nested fields. This is only required for
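Review bot: In the first hunk (`@@ -53,15 +53,10 @@`), removing the line `Add conditions that define when the exception prevents alerts:` leaves the `.. *Field*` sub-list immediately after the new `NOTE:` admonition, so the sub-steps now read as a continuation of the note rather than of the "Add conditions that define the exception" step; keep a short lead sentence ending in a colon (or move the `NOTE:` to after the sub-list) so the `..` items attach to the step they belong to. Since the note says conditions are auto-populated from the alert's data, it would also help readers to say they should review those pre-filled values before saving, so the exception covers only the intended event.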
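Review bot: In the second hunk (`@@ -90,6 +85,14 @@`), the added list continuations are doubled (`+` on two consecutive lines before `In the example below...` and again before `[role="screenshot"]`); a single `+` continuation is enough, and the extra one can render as a stray `+` or an empty paragraph inside the list item. Also note that placing the example paragraph and screenshot under the `.. *Value*` sub-step attaches them to that sub-item rather than to the parent condition step; if the intent is to illustrate the completed condition, consider anchoring them after the sub-list ends, just before `. Click *AND* or *OR* ...`.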