[DE][Exceptions] Allow duplicate case sensitive values for match_any (#…

…4023) Co-authored-by: natasha-moore-elastic <[email protected]> (cherry picked from commit c2f5854)
elastic · Oct 25, 2023 · de92361 · de92361
1 parent a930bae
commit de92361
Showing 1 changed file with 10 additions and 7 deletions.
diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc
@@ -89,13 +89,13 @@ NOTE: Some characters must be escaped with a backslash, such as `\\` for a liter
 +
 IMPORTANT: Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.
 
-  .. *Value*: Enter the value associated with the *Field*. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**.
-
-+
+.. *Value*: Enter the value associated with the *Field*. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. 
 +
-In the example below, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`.
+NOTE: The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. 
 +
+In the following example, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`.
 +
+
 [role="screenshot"]
 image::images/add-exception-ui.png[]
 
@@ -178,10 +178,13 @@ image::images/endpoint-add-exp.png[]
 
 . If required, modify the conditions.
 +
-NOTE: Refer to <<ex-nested-conditions>> for more information on when nested conditions are required.
-+
-NOTE: Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <<rule-exceptions-field-conflicts, Troubleshooting type conflicts and unmapped fields>>.
+[NOTE] 
+======
+* Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <<rule-exceptions-field-conflicts, Troubleshooting type conflicts and unmapped fields>>.
+* The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. 
+======
 
+. (Optional) Add a comment to the exception.
 . You can select any of the following:
 
 * *Close this alert*: Closes the alert when the exception is added. This option