From de9236122096bb6da956c1d5036f7f693333e832 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 25 Oct 2023 16:44:33 -0400 Subject: [PATCH] [DE][Exceptions] Allow duplicate case sensitive values for match_any (#4023) Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> (cherry picked from commit c2f58546479d420eab3d974a023edefa532f36d4) --- docs/detections/add-exceptions.asciidoc | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 832558947e..25b1d0b39f 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
@@ -89,13 +89,13 @@ NOTE: Some characters must be escaped with a backslash, such as `\\` for a liter + IMPORTANT: Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching. - .. *Value*: Enter the value associated with the *Field*. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. - -+ +.. *Value*: Enter the value associated with the *Field*. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. + -In the example below, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`. +NOTE: The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. + +In the following example, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`. + + [role="screenshot"] image::images/add-exception-ui.png[] 
@@ -178,10 +178,13 @@ image::images/endpoint-add-exp.png[] . If required, modify the conditions. + -NOTE: Refer to <> for more information on when nested conditions are required. -+ -NOTE: Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <>. +[NOTE] +====== +* Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <>. +* The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. +====== +. (Optional) Add a comment to the exception. . You can select any of the following: * *Close this alert*: Closes the alert when the exception is added. This option
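Review bot: In the first hunk (`docs/detections/add-exceptions.asciidoc`, around line 89), the new NOTE's phrasing "support identical, case-sensitive values" is ambiguous: a reader can take it to mean the operators accept duplicate values, when the example that follows shows the opposite point, that `Windows` and `windows` are treated as two distinct values because matching is case-sensitive. Suggest leading with the behaviour and then the consequence, for example "Values for the `is one of` and `is not one of` operators are case-sensitive, so `Windows` and `windows` are treated as different values. To match both, add both to the **Value** field." Also note that the same sentence is now duplicated verbatim in the second hunk; if the asciidoc build supports it, a single shared attribute or include would keep the two copies from drifting apart.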
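Review bot: In the second hunk (around line 178), the existing `NOTE: Refer to <> for more information on when nested conditions are required.` is removed, but the replacement `[NOTE]` block only carries the field-conflict warning and the new case-sensitivity note, so the cross-reference to the nested-conditions guidance is lost from this step. Unless that removal is intentional (the commit message only mentions the case-sensitive values change), suggest keeping it as a third bullet in the new block, for example `* Refer to <> for more information on when nested conditions are required.`, so the step still points readers to when nesting is needed.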