elastic · nastasha-solomon · Sep 11, 2023 · Sep 11, 2023
diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc
@@ -62,7 +62,7 @@ image::images/rule-exception-tab.png[Detail of rule exceptions tab]
 . In the *Add rule exception* flyout, name the exception. 
 . Add conditions that define the exception. When the exception's query evaluates to `true`, rules don't generate alerts even when their criteria are met.
 +
-NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. A comment describing this action is also automatically added to the **Add comments** section.
+NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the **Add comments** section.
 
   .. *Field*: Select a field to identify the event being filtered.
 +  

diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc
@@ -329,6 +329,10 @@ Required when `actions` are used to send notifications.
 
 |version |Integer |The rule's version number. Defaults to `1`.
 
+|investigation_fields |Object a| Specify highlighted fields for personalized alert investigation flows:
+
+* `field_names`: String, required
+
 |==============================================
 
 [[opt-fields-query-eql]]

diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc
@@ -316,6 +316,9 @@ the rule. For example, links to background information.
 .. *False positive examples* (optional): List of common scenarios that may produce
 false-positive alerts.
 .. *MITRE ATT&CK^TM^ threats* (optional): Add relevant https://attack.mitre.org/[MITRE] framework tactics, techniques, and subtechniques.
+.. *Custom highlighted fields* (optional): Specify highlighted fields for personalized alert investigation flows. Fields with values are added to the <<investigation-section,Highlighted fields>> section within the alert details flyout. Fields without values aren't added. After you create the rule, you can find all custom highlighted fields in the About section of the rule details page.
++
+NOTE: There's no limit to the number of custom highlighted fields you can add.  
 .. *Investigation guide* (optional): Information for analysts investigating
 alerts created by the rule. You can also add action buttons to <<invest-guide-run-osquery, run Osquery>> or <<interactive-investigation-guides, launch Timeline investigations>> using alert data.
 .. *Author* (optional): The rule's authors.