From 069b562baf4d2d7f54e0bab17097c076328d29f3 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 6 Feb 2024 17:54:02 -0500 Subject: [PATCH 1/2] [BUG][7.17-8.5]Fix note that describes how exceptions work with EQL rules (#4759) (cherry picked from commit 7d74705fbdb306f552fb1cdcd275ca65f9df44d2) # Conflicts: # docs/detections/detections-ui-exceptions.asciidoc --- docs/detections/detections-ui-exceptions.asciidoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index bd7e858f35..83a87f1d41 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -83,6 +83,11 @@ IMPORTANT: To ensure an exception is successfully applied, make sure that the f ============== Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated. +<<<<<<< HEAD +======= +* Be careful when adding exceptions to <> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. ++ +>>>>>>> 7d74705 ([BUG][7.17-8.5]Fix note that describes how exceptions work with EQL rules (#4759)) To exclude values from a specific event in the sequence, update the rule's EQL statement. For example: From bf59c1e72d0d8f2659c9845b6ed31d90f3c5f726 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 6 Feb 2024 23:36:15 -0500 Subject: [PATCH 2/2] Fixed! --- docs/detections/detections-ui-exceptions.asciidoc | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) 
diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 83a87f1d41..f9b4ca104b 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -81,15 +81,9 @@ IMPORTANT: To ensure an exception is successfully applied, make sure that the f [IMPORTANT] ============== -Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated. +Be careful when adding exceptions to <> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. -<<<<<<< HEAD -======= -* Be careful when adding exceptions to <> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. -+ ->>>>>>> 7d74705 ([BUG][7.17-8.5]Fix note that describes how exceptions work with EQL rules (#4759)) -To exclude values from a -specific event in the sequence, update the rule's EQL statement. For example: +To exclude values from a specific event in the sequence, update the rule's EQL statement. For example: [source,eql] ----
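Review bot: The added lines in the first patch's hunk (`@@ -83,6 +83,11 @@`) are unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 7d74705 (...)`), committed into detections-ui-exceptions.asciidoc along with the `# Conflicts:` trailer in the commit message. At that commit the page carries both the old paragraph (alerts _are_ generated when the exception matches only _some_ events) and the new bullet stating the opposite, so a build from 1/2 gives contradictory guidance on when an exception suppresses a sequence alert. Resolve the conflict inside the cherry-pick, or squash 2/2 into it, so that no commit in the backport contains the markers.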
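Review bot: In the second patch's hunk (`@@ -81,15 +81,9 @@`), the replacement line reads `Be careful when adding exceptions to <> rules`, and as shown the cross-reference has no target id or link text. Confirm that the anchor used in the original commit exists on this backport branch, or fall back to the plain wording "event correlation rules" from the removed line. The new sentence also reverses the documented behavior for partial matches while dropping the emphasis the old text had on _all_, _some_ and _are not_; keeping emphasis on _any_ would help readers notice that an exception matching a single required event now suppresses the alert for the whole sequence. The subject "Fixed!" does not say what was resolved; a subject that names the conflict resolution would be easier to find later.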