[DOCS] Value list exceptions for all rule types (#2562) (#2596)

mergify[bot] · joepeeples · web-flow · commit 19ddcc1fd433 · 2022-10-18T15:36:55.000-04:00
* Update detections-ui-exceptions.asciidoc * Smol edits * Apply suggestions from Janeen's review Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> * Apply suggestions from Marshall's review Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> (cherry picked from commit c85062b) Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc
@@ -21,15 +21,18 @@ with these types:
 After creating value lists, you can use `is in list` and `is not in list`
 operators to define exceptions.
 
-IMPORTANT: Operators `is in list` and `is not in list` are not available for
-threshold and event correlation rules.
-
 TIP: You can also use value lists as the <<indicator-value-lists,indicator match index>> when creating an indicator match rule.
 
 [float]
 [[manage-value-lists]]
 == Create value lists
 
+When creating a value list for a rule exception, be mindful of the list's size and data type. In general, all rule types support value list exceptions, but there are some limitations for especially large lists or certain data types. The following value list types can _only_ be used with custom query, machine learning, and indicator match rule types:
+
+* Keyword or IP address lists with more than 65,536 values
+* IP range lists with more than 200 dash notation values (for example, `127.0.0.1-127.0.0.4` is one value) or more than 65,536 CIDR notation values
+* Text data type lists of any size
+
 To create a value list:
 
 . Prepare a `txt` or `csv` file with all the values you want to use for
@@ -129,8 +132,9 @@ image::images/add-exception-ui.png[]
 +
 [NOTE]
 =======
-*  An exception defined by a value list must use `is in list` or `is not in list` in all conditions.
+* An exception defined by a value list must use `is in list` or `is not in list` in all conditions.
 * Wildcards are not supported in value lists.
+* If a value list can't be used due to <<manage-value-lists,size or data type>>, it'll be unavailable in the *Value* menu.
 =======
     * `matches` | `does not match` — Allows you to use wildcards in *Value*, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected *Field* data type must be {ref}/keyword.html#keyword-field-type[keyword], {ref}/text.html#text-field-type[text], or {ref}/keyword.html#wildcard-field-type[wildcard].
 +
