From f73c4fe36e81c677cced347a6047c1e99cf4bf75 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 15 Feb 2024 20:55:10 -0500 Subject: [PATCH 1/2] [Redo][8.6-8.13] Highlight that rule exceptions are case-sensitive (#4805) (cherry picked from commit 4d78e7736f9d2faf333e5601613d9603628391df) # Conflicts: # docs/detections/add-exceptions.asciidoc --- docs/detections/add-exceptions.asciidoc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 1f417daaf1..e61c13c78c 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
@@ -57,14 +57,22 @@ image::images/rule-exception-tab.png[Detail of rule exceptions tab] + In the example below, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`. + +<<<<<<< HEAD [role="screenshot"] image::images/add-exception-ui.png[] + Add conditions that define when the exception prevents alerts: +======= +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. ++ +NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the **Add comments** section. +>>>>>>> 4d78e773 ([Redo][8.6-8.13] Highlight that rule exceptions are case-sensitive (#4805)) .. *Field*: Select a field to identify the event being filtered. + +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. ++ [NOTE] ======= Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields and might cause unexpected exceptions behavior. For more information, refer to <>. From 4f525caafd9ab1de6f52d4d9c58b084791089cdf Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sun, 18 Feb 2024 23:32:19 -0500 Subject: [PATCH 2/2] Fixed conflict --- docs/detections/add-exceptions.asciidoc | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) 
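Review bot: the `@@ -57,14 +57,22 @@` hunk of PATCH 1/2 commits unresolved merge conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 4d78e773 (...)`) into add-exceptions.asciidoc, and the stray `=======` line is not inert in AsciiDoc: the same file uses `=======` as the delimiter of its `[NOTE]` admonition block (visible at the end of this hunk), so the marker would be parsed as an unbalanced block delimiter and break rendering from that point on. Even with the markers stripped, the resulting text carries the `IMPORTANT: Rule exceptions are case-sensitive...` admonition twice (once inside the conflict region, once after `.. *Field*:`). PATCH 2/2 repairs both, but this intermediate state should not survive in history; squash-merge the PR so the backport branch never has a commit with a broken docs build. While in this file, the trailing context `Using these fields and might cause unexpected exceptions behavior.` has a stray "and" (the Endpoint-section copy of the same sentence in the `-177` hunk of PATCH 2/2 reads "might cause"); drop it here too.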
diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index e61c13c78c..f4e0510bc0 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc @@ -57,21 +57,15 @@ image::images/rule-exception-tab.png[Detail of rule exceptions tab] + In the example below, the exception was created from the Rules page and prevents the rule from generating alerts when the `svchost.exe` process runs on hostname `siem-kibana`. + -<<<<<<< HEAD [role="screenshot"] image::images/add-exception-ui.png[] + Add conditions that define when the exception prevents alerts: -======= -IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. + -NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the **Add comments** section. ->>>>>>> 4d78e773 ([Redo][8.6-8.13] Highlight that rule exceptions are case-sensitive (#4805)) +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. .. *Field*: Select a field to identify the event being filtered. -+ -IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. + [NOTE] ======= 
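Review bot: the `@@ -57,21 +57,15 @@` hunk silently drops the `NOTE: When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data...` admonition that came in on the cherry-picked 4d78e773 side, and the commit message ("Fixed conflict") does not say why. If that behavior is not present in 8.6-8.13 and the omission is deliberate for the backport, state that in the commit message; otherwise the NOTE should be kept alongside the IMPORTANT. The placement itself is fine: the admonition now hangs off the `Add conditions that define when the exception prevents alerts:` continuation ahead of the `.. *Field*:` sub-list, the duplicate copy after `*Field*` is removed, and the `+`/`[NOTE]`/`=======` continuation that follows stays balanced. Two wording suggestions for the admonition text, since this hunk is where it is introduced: "which means that any character that's entered as an uppercase or lowercase letter will be treated as such" only restates "case-sensitive"; a concrete example drawn from the surrounding context is clearer, e.g. "Exception values are matched case-sensitively: an exception for `svchost.exe` does not match `SVCHOST.EXE`." And "some ECS fields have a `.caseless` version" leaves the reader guessing which ones; tell them how to check (for example, whether a `<field>.caseless` entry appears in the field picker for their index) rather than only that such fields exist.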
@@ -177,9 +171,14 @@ image::images/endpoint-add-exp.png[] . If required, modify the conditions. + -NOTE: Refer to <> for more information on when nested conditions are required. +IMPORTANT: Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. + -NOTE: Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <>. +[NOTE] +======= + +* Refer to <> for more information on when nested conditions are required. +* Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <>. +======= . You can select any of the following:
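Review bot: the `@@ -177,9 +171,14 @@` hunk inserts the case-sensitivity IMPORTANT admonition verbatim for a second time in the same file (the first copy is in the `-57` hunk). Two word-for-word copies will drift the next time the wording or the `.caseless` guidance changes; define the text once (an AsciiDoc attribute or a small shared include) and reference it from both locations, or at minimum cross-link the Endpoint section to the first occurrence. Folding the two former NOTEs into one `[NOTE]` block with `* Refer to ...` and `* Fields with conflicts are marked ...` bullets is a good cleanup; while rewriting that second bullet, "unexpected exceptions behavior" should read "unexpected exception behavior".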