[Redo][8.6-8.13] Highlight that rule exceptions are case-sensitive (#4805)

(cherry picked from commit 4d78e77)
nastasha-solomon authored and mergify[bot] committed Feb 16, 2024
1 parent f510b38 commit fe05820
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions docs/detections/add-exceptions.asciidoc
Expand Up @@ -62,10 +62,14 @@ image::images/rule-exception-tab.png[Detail of rule exceptions tab]
. In the *Add rule exception* flyout, name the exception.
. Add conditions that define the exception. When the exception's query evaluates to `true`, rules don't generate alerts even when their criteria are met.
+
IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use.
+
NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the **Add comments** section.

.. *Field*: Select a field to identify the event being filtered.
+
IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use.
+
[NOTE]
=======
A warning displays for fields with conflicts. Using these fields might cause unexpected exceptions behavior. Refer to <<rule-exceptions-field-conflicts,Troubleshooting type conflicts and unmapped fields>> for more information.
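Review bot: The same IMPORTANT admonition is added twice in this hunk, word for word: once under the "Add conditions that define the exception" step and again under the *Field* substep a few lines later. Readers will see the identical callout twice in one short procedure, so keep a single copy, preferably at the step level where it covers both field and value entry. The wording "will be treated as such" also leaves unclear what is compared; consider saying directly that the exception value must match the case of the value in the event, otherwise the exception does not apply and the rule still generates the alert. Finally, "some ECS fields have a `.caseless` version" gives the reader no way to find out which fields; a cross-reference or one example field name would make the note actionable.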