From 09f000b52c83a2d3a17d6286d7eb4dc2b8f7c45b Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 15 Feb 2024 09:20:03 -0500 Subject: [PATCH] First draft --- docs/detections/detections-ui-exceptions.asciidoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 33285c7af6..0f2caa3240 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -121,6 +121,8 @@ The *Add Rule Exception* flyout opens (the example below was opened from the Ale image::images/add-exception-ui.png[] . Use the following settings to add conditions that define when the exception prevents alerts. In the example above, the exception prevents the rule from generating alerts when the `svchost.exe` process runs on agent hostname `siem-kibana`. ++ +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. .. *Field*: Select a field to identify the event being filtered. @@ -204,6 +206,8 @@ The *Add Endpoint Exception* flyout opens, from either the rule details page or image::images/endpoint-add-exp.png[] . If required, modify the conditions. + +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. ++ NOTE: Refer to <> for more information on when nested conditions are required. . You can select any of the following:
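Review bot: In the first hunk (the *Add Rule Exception* step), the added IMPORTANT line's wording "will be treated as such" does not tell the reader what happens when the case differs. Suggest stating the consequence directly and tying it to the example already in this step, for instance that the value entered must match the case of the value in the event (`svchost.exe`, `siem-kibana`) or the exception will not apply. The sentence "some ECS fields have a `.caseless` version" also leaves the reader without a way to find out which fields those are. A cross-reference or one example field would make it actionable.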
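Review bot: In the second hunk, the added IMPORTANT line says "Rule exceptions are case-sensitive", but it sits under the *Add Endpoint Exception* flyout step, so the subject should be endpoint exceptions (or just "Exceptions") to avoid implying the note is about a different exception type. The paragraph is also a verbatim copy of the one added in the first hunk. Consider defining it once and reusing it in both places so the two copies cannot drift apart. The same wording points apply here: "will be treated as such" is vague, and the `.caseless` sentence does not say where to find the fields that have such a version.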