diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 7e1ebde02a..f43a53ca72 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -9,11 +9,6 @@ processes and network activity to function without producing unnecessary noise. You can add multiple exceptions to one rule. -IMPORTANT: When you add an exception to the -<> rule, you can select to -add the exception to the Endpoint. When selected, the exception is added to -both the detection rule *and* the Elastic Endpoint agent on your hosts. - In addition to defining exception queries for source event values, rule exceptions can be used with value lists. Value lists are lists of items with the same {es} {ref}/mapping-types.html[data type]. You can create value lists @@ -71,6 +66,11 @@ IMPORTANT: When you select to close all alerts that meet the exception's criteria, all matching alerts are closed, *including* alerts generated by other rules. +IMPORTANT: To ensure an exception is successfully applied, make sure that the +fields you've defined for the exception query are correctly and consistently +mapped in their respective indices. Refer to {ecs-ref}[ECS] to learn more about +supported mappings. + . To add an exception via the Rule details page: .. Go to the Rule details page of the rule to which you want to add the exception (*Security* -> *Detections* -> *Manage detection rules* -> 
@@ -134,6 +134,16 @@ with Elastic endpoint rule exceptions. To associate rules, when creating or editing a rule select the <> option. +[IMPORTANT] +===== +When you add an exception to the +<> rule, you can select to +add the exception to the endpoint. When selected, the exception is added to +both the detection rule *and* the {elastic-endpoint} agent on your hosts. + +{ref}/binary.html[Binary fields] are not supported in detection rule exceptions. +===== + [IMPORTANT] ============= Exceptions added to the Elastic Endpoint Security rule affect all alerts sent @@ -234,4 +244,4 @@ correctly: Creates an exception that excludes all LFC-signed trusted processes: [role="screenshot"] -image::images/nested-exp.png[] \ No newline at end of file +image::images/nested-exp.png[]
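Review bot: In the hunk at `@@ -71,6 +66,11 @@`, the new IMPORTANT admonition tells the reader to make sure fields are "correctly and consistently mapped" but does not say what goes wrong otherwise; stating the failure mode would make the note actionable. Suggest something like "If a field in the exception query is mapped differently across the indices the rule queries (for example as `keyword` in one and `text` in another), the exception may not match and the alert is still generated." The `{ecs-ref}[ECS]` link is a reasonable pointer, but the sentence should make clear that ECS is the recommended mapping, not the only supported one, since the page elsewhere describes exceptions on arbitrary source event values.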
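Review bot: In the hunk at `@@ -134,6 +134,16 @@`, the sentence "`{ref}/binary.html[Binary fields] are not supported in detection rule exceptions.`" is placed inside an IMPORTANT block whose first paragraph is specifically about adding an exception to the endpoint, so a reader will take the binary-field restriction as endpoint-only, while its wording says it applies to detection rule exceptions in general. Suggest splitting it into its own admonition (or moving it next to the field-mapping IMPORTANT added earlier in this patch, where general field constraints now live). Also, the new block uses a five-character `=====` delimiter while the existing block directly below uses `=============`; both are valid AsciiDoc, but matching the surrounding delimiter length keeps the file consistent.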