From 235ece81b444a84e04981e6499e7de36924c8207 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 6 Feb 2024 17:54:02 -0500 Subject: [PATCH 1/2] [BUG][7.17-8.5]Fix note that describes how exceptions work with EQL rules (#4759) (cherry picked from commit 7d74705fbdb306f552fb1cdcd275ca65f9df44d2) # Conflicts: # docs/detections/detections-ui-exceptions.asciidoc --- docs/detections/detections-ui-exceptions.asciidoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 4ea3a23ed4..b7f62c2c5d 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -83,6 +83,11 @@ IMPORTANT: To ensure an exception is successfully applied, make sure that the f ============== Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated. +<<<<<<< HEAD +======= +* Be careful when adding exceptions to <> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. ++ +>>>>>>> 7d74705 ([BUG][7.17-8.5]Fix note that describes how exceptions work with EQL rules (#4759)) To exclude values from a specific event in the sequence, update the rule's EQL statement. For example: From 1d1b1ec1f2ede81901869daf1541946da9562d46 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 6 Feb 2024 23:35:44 -0500 Subject: [PATCH 2/2] Fixed! --- docs/detections/detections-ui-exceptions.asciidoc | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) 
diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index b7f62c2c5d..a4c0095c13 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -81,15 +81,9 @@ IMPORTANT: To ensure an exception is successfully applied, make sure that the f [IMPORTANT] ============== -Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated. +Be careful when adding exceptions to <> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. -<<<<<<< HEAD -======= -* Be careful when adding exceptions to <> rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. -+ ->>>>>>> 7d74705 ([BUG][7.17-8.5]Fix note that describes how exceptions work with EQL rules (#4759)) -To exclude values from a -specific event in the sequence, update the rule's EQL statement. For example: +To exclude values from a specific event in the sequence, update the rule's EQL statement. For example: [source,eql] ----
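Review bot: In [PATCH 1/2], the lines added by the `@@ -83,6 +83,11 @@` hunk include unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 7d74705 ...`) committed into detections-ui-exceptions.asciidoc. The rendered page would show the marker text and two contradictory statements inside the same IMPORTANT block. The unchanged paragraph says alerts are generated when the exception matches only some of the events in the sequence, while the added bullet says alerts are not created when it matches any event needed to complete the sequence. Resolve the conflict listed under "# Conflicts:" before committing the cherry-pick, keep only the corrected wording, and squash the follow-up commit into this one so that no revision on the branch carries the markers.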
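Review bot: In [PATCH 2/2], the replacement line `+Be careful when adding exceptions to <> rules.` shows an empty cross-reference as it appears here, whereas the line it replaces named the rule type in plain text ("event correlation rules"). Check that the `<<...>>` target and its link text are intact in the committed file and that the anchor resolves on the branches this backport targets. Otherwise the sentence no longer says which rules the warning applies to. The subject line "Fixed!" also gives no hint of what changed; a subject that names the conflict resolution in the exceptions note would keep the history searchable.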