22 changes: 16 additions & 6 deletions docs/detections/detections-ui-exceptions.asciidoc
Expand Up @@ -9,11 +9,6 @@ processes and network activity to function without producing unnecessary noise.

You can add multiple exceptions to one rule.

IMPORTANT: When you add an exception to the
<<endpoint-rule-exceptions, Elastic Endpoint Security>> rule, you can select to
add the exception to the Endpoint. When selected, the exception is added to
both the detection rule *and* the Elastic Endpoint agent on your hosts.

In addition to defining exception queries for source event values, rule
exceptions can be used with value lists. Value lists are lists of items with
the same {es} {ref}/mapping-types.html[data type]. You can create value lists
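Review bot: the Endpoint admonition removed from the introduction here ("IMPORTANT: When you add an exception to the ... Elastic Endpoint agent on your hosts.") is not dropped but reappears further down the file in the endpoint-exceptions section, which is the better home for it; keep the removal and the re-add in the same commit so that no intermediate revision of the page loses the warning that the exception is pushed to the agent as well as to the rule. The surviving intro paragraph ("In addition to defining exception queries ... value lists") reads fine without it.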
Expand Down Expand Up @@ -71,6 +66,11 @@ IMPORTANT: When you select to close all alerts that meet the exception's
criteria, all matching alerts are closed, *including* alerts generated by other
rules.

IMPORTANT: To ensure an exception is successfully applied, make sure that the
fields you've defined for the exception query are correctly and consistently
mapped in their respective indices. Refer to {ecs-ref}[ECS] to learn more about
supported mappings.

. To add an exception via the Rule details page:
.. Go to the Rule details page of the rule to which you want to add the
exception (*Security* -> *Detections* -> *Manage detection rules* ->
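Review bot: the new mapping admonition ("make sure that the fields you've defined for the exception query are correctly and consistently mapped in their respective indices") tells the reader what to check but not what goes wrong otherwise, so a reader cannot tell whether a badly mapped field makes the exception fail to suppress alerts, error out, or match more than intended; add one sentence naming the observable effect. Also spell out that "consistently" means the same data type across every index the rule's index pattern covers, if that is what is meant, since the {ecs-ref} link alone does not say so. Minor: this is now the second IMPORTANT in a row before the numbered steps; a single admonition listing both caveats would read more smoothly.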
Expand Down Expand Up @@ -134,6 +134,16 @@ with Elastic endpoint rule exceptions. To associate rules, when creating or
editing a rule select the
<<rule-ui-advanced-params, _Elastic endpoint exceptions_>> option.

[IMPORTANT]
=====
When you add an exception to the
<<endpoint-rule-exceptions, Elastic Endpoint Security>> rule, you can select to
add the exception to the endpoint. When selected, the exception is added to
both the detection rule *and* the {elastic-endpoint} agent on your hosts.

{ref}/binary.html[Binary fields] are not supported in detection rule exceptions.
=====

[IMPORTANT]
=============
Exceptions added to the Elastic Endpoint Security rule affect all alerts sent
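Review bot: the binary-field restriction ("{ref}/binary.html[Binary fields] are not supported in detection rule exceptions.") is stated as a limitation of all detection rule exceptions, yet it sits inside the [IMPORTANT] block that otherwise only describes exceptions to the Elastic Endpoint Security rule, so readers who never use that rule will miss it; move it to the general exceptions section (next to the field-mapping note added earlier in this change) or give it its own admonition. Also, this new block uses a `=====` delimiter while the adjacent [IMPORTANT] block directly below uses `=============`; both are valid AsciiDoc, but matching them keeps the file consistent. Replacing "Elastic Endpoint agent" with "{elastic-endpoint} agent" is fine provided the {elastic-endpoint} attribute is defined for this book.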
Expand Down Expand Up @@ -234,4 +244,4 @@ correctly:
Creates an exception that excludes all LFC-signed trusted processes:

[role="screenshot"]
image::images/nested-exp.png[]
image::images/nested-exp.png[]
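Review bot: the only change in this hunk is the trailing newline after `image::images/nested-exp.png[]`, which is fine to fix, but while touching the line consider giving the screenshot alt text (for example `image::images/nested-exp.png[Nested exception excluding LFC-signed trusted processes]`), since the empty `[]` leaves the image unreadable for screen readers and the sentence above it already describes exactly what the screenshot shows.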