From d02df0fa5b665cbb1ca10c521a3c02a979494d60 Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Thu, 23 Jun 2022 17:03:19 -0500 Subject: [PATCH 1/2] [DOCS] Adds warning about exceptions requiring mappings (#2110) * Move callout about endpoint exceptions to more appropriate section This not was previously at the top-level exceptions section, when it really only applies when adding to the Endpoint rule. * Add note about mappings being required for exceptions Wording is subject to change; just throwing something at the wall for now. * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit aeb69a60c27bdf3da3acc8696d8526ee4b0aaab4) # Conflicts: # docs/detections/detections-ui-exceptions.asciidoc --- docs/detections/detections-ui-exceptions.asciidoc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index a3b04eb152..21ad65f482 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -8,11 +8,14 @@ processes and network activity to function without producing unnecessary noise. You can add multiple exceptions to one rule. +<<<<<<< HEAD IMPORTANT: When you add an exception to the <> rule, you can select to add the exception to the Endpoint. When selected, the exception is added to both the detection rule *and* the Elastic Endpoint agent on your hosts. +======= +>>>>>>> aeb69a6 ([DOCS] Adds warning about exceptions requiring mappings (#2110)) In addition to defining exception queries for source event values, you can use rule exceptions with value lists. Value lists are lists of items with the same {es} {ref}/mapping-types.html[data type]. You can create value lists 
@@ -82,6 +85,8 @@ You can add exceptions to a rule via the rule details page or the Alerts table. When you add an exception, you can also close all alerts that meet the exception's criteria. +IMPORTANT: To ensure an exception is successfully applied, make sure that the fields you've defined for the exception query are correctly and consistently mapped in their respective indices. Refer to {ecs-ref}[ECS] to learn more about supported mappings. + [IMPORTANT] ============== Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated. @@ -161,6 +166,16 @@ Like detection rule exceptions, you can add Endpoint agent exceptions either by You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules, when creating or editing a rule, select the <> option. +[IMPORTANT] +===== +When you add an exception to the +<> rule, you can select to +add the exception to the endpoint. When selected, the exception is added to +both the detection rule *and* the {elastic-endpoint} agent on your hosts. + +{ref}/binary.html[Binary fields] are not supported in detection rule exceptions. +===== + [IMPORTANT] ============= Exceptions added to the Elastic {endpoint-sec} rule affect all alerts sent From eed6a5e564738b7a7b6dbc7549fc0416a46656ac Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Thu, 23 Jun 2022 17:29:05 -0500 Subject: [PATCH 2/2] Resolve merge conflicts with 7.16 branch. --- docs/detections/detections-ui-exceptions.asciidoc | 8 -------- 1 file changed, 8 deletions(-) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 21ad65f482..b08b76c9d9 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc 
+++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -8,14 +8,6 @@ processes and network activity to function without producing unnecessary noise. You can add multiple exceptions to one rule. -<<<<<<< HEAD -IMPORTANT: When you add an exception to the -<> rule, you can select to -add the exception to the Endpoint. When selected, the exception is added to -both the detection rule *and* the Elastic Endpoint agent on your hosts. - -======= ->>>>>>> aeb69a6 ([DOCS] Adds warning about exceptions requiring mappings (#2110)) In addition to defining exception queries for source event values, you can use rule exceptions with value lists. Value lists are lists of items with the same {es} {ref}/mapping-types.html[data type]. You can create value lists
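Review bot: In the first patch's hunk at `@@ -8,11 +8,14 @@`, the three added lines are unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> aeb69a6 (...)`) committed straight into `detections-ui-exceptions.asciidoc`; they would render as literal text in the published docs, and the commit message's own `# Conflicts:` trailer shows the cherry-pick was known to be unresolved. Resolve the conflict before committing rather than in a follow-up, so no commit on the branch leaves the source in this state.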
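Review bot: The new callout in the hunk at `@@ -82,6 +85,8 @@` tells the reader to keep exception fields "correctly and consistently mapped" but never states the consequence of getting it wrong, which is the whole reason for the warning per the subject line "exceptions requiring mappings". Suggest one extra clause, e.g. "...mapped in their respective indices; otherwise the exception is not applied and alerts are still generated", so the reader understands it is a silent failure rather than an error. The `{ecs-ref}[ECS]` link is also the only reference given; since the surrounding text already points at `{ref}/mapping-types.html[data type]` for value lists, linking the same mapping-types page here would keep the two notes consistent.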
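Review bot: In the hunk at `@@ -161,6 +166,16 @@`, the relocated `[IMPORTANT]` block is delimited with `=====` while the adjacent block in the same file uses `=============` and the earlier one uses `==============`; AsciiDoc accepts any run of four or more, but mixed lengths in one file make the delimiters easy to mismatch on later edits, so pick one length and use it throughout. Separately, the added line "{ref}/binary.html[Binary fields] are not supported in detection rule exceptions." is a statement about detection rule exceptions in general, yet it sits inside the callout that the first bullet of the commit message says "really only applies when adding to the Endpoint rule"; move that sentence up to the general exceptions section (next to the new mapping note in the `@@ -82` hunk) so it is not read as Endpoint-specific.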
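Review bot: The second patch's hunk at `@@ -8,14 +8,6 @@` only undoes the damage the first patch introduced (removing the `<<<<<<< HEAD` / `=======` / `>>>>>>> aeb69a6` markers and the duplicated callout), so it should be squashed into PATCH 1/2 before merge; as a separate commit it leaves a broken intermediate state in history. If it is kept separate, the commit message "Resolve merge conflicts with 7.16 branch." should also say that the `IMPORTANT:` paragraph deleted here is intentional because the same text was moved into the new `[IMPORTANT]` block near `@@ -161` in the first patch, otherwise the deletion reads as dropping documentation.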