From 8d55a76703e8544d23d68cea65757e10da746a18 Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Thu, 23 Jun 2022 17:03:19 -0500 Subject: [PATCH 1/2] [DOCS] Adds warning about exceptions requiring mappings (#2110) * Move callout about endpoint exceptions to more appropriate section This not was previously at the top-level exceptions section, when it really only applies when adding to the Endpoint rule. * Add note about mappings being required for exceptions Wording is subject to change; just throwing something at the wall for now. * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit aeb69a60c27bdf3da3acc8696d8526ee4b0aaab4) # Conflicts: # docs/detections/detections-ui-exceptions.asciidoc --- .../detections-ui-exceptions.asciidoc | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 1e1161988f..526291ab25 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -15,6 +15,7 @@ processes and network activity to function without producing unnecessary noise. You can add multiple exceptions to one rule. +<<<<<<< HEAD IMPORTANT: When you add an exception to the <> rule, you can select to add the exception to the Endpoint. When selected, the exception is added to 
@@ -22,6 +23,10 @@ both the detection rule *and* the Elastic Endpoint agent on your hosts. In addition to defining exception queries for source event values, rule exceptions can be used with value lists. Value lists are lists of items with +======= +In addition to defining exception queries for source event values, you can use rule +exceptions with value lists. Value lists are lists of items with +>>>>>>> aeb69a6 ([DOCS] Adds warning about exceptions requiring mappings (#2110)) the same {es} {ref}/mapping-types.html[data type]. You can create value lists with these types: @@ -74,6 +79,8 @@ You can add exceptions to a rule via the Rule details page or the Alerts table. When you add an exception, you can also close all alerts that meet the exception's criteria. +IMPORTANT: To ensure an exception is successfully applied, make sure that the fields you've defined for the exception query are correctly and consistently mapped in their respective indices. Refer to {ecs-ref}[ECS] to learn more about supported mappings. + [IMPORTANT] ============== Be careful when adding exceptions to EQL sequence rules. Exceptions are @@ -156,6 +163,16 @@ with Elastic endpoint rule exceptions. To associate rules, when creating or editing a rule select the <> option. +[IMPORTANT] +===== +When you add an exception to the +<> rule, you can select to +add the exception to the endpoint. When selected, the exception is added to +both the detection rule *and* the {elastic-endpoint} agent on your hosts. + +{ref}/binary.html[Binary fields] are not supported in detection rule exceptions. +===== + [IMPORTANT] ============= Exceptions added to the Elastic Endpoint Security rule affect all alerts sent From add0c15d3a45bcc9d633dfa7035d4270267d9b9b Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Thu, 23 Jun 2022 17:48:42 -0500 Subject: [PATCH 2/2] Fix conflicts on 7.11 branch --- docs/detections/detections-ui-exceptions.asciidoc | 10 ---------- 1 file changed, 10 deletions(-) 
diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 526291ab25..92fcd5bb41 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -15,18 +15,8 @@ processes and network activity to function without producing unnecessary noise. You can add multiple exceptions to one rule. -<<<<<<< HEAD -IMPORTANT: When you add an exception to the -<> rule, you can select to -add the exception to the Endpoint. When selected, the exception is added to -both the detection rule *and* the Elastic Endpoint agent on your hosts. - In addition to defining exception queries for source event values, rule exceptions can be used with value lists. Value lists are lists of items with -======= -In addition to defining exception queries for source event values, you can use rule -exceptions with value lists. Value lists are lists of items with ->>>>>>> aeb69a6 ([DOCS] Adds warning about exceptions requiring mappings (#2110)) the same {es} {ref}/mapping-types.html[data type]. You can create value lists with these types:
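Review bot: in PATCH 1/2, hunk `@@ -15,6 +15,7 @@`, the added line `+<<<<<<< HEAD` is an unresolved merge-conflict marker being committed, and the matching `+=======` and `+>>>>>>> aeb69a6 (...)` lines land in the next hunk, so this commit leaves the cherry-pick unresolved and the AsciiDoc source would render the markers and both copies of the value-lists paragraph. Resolve the conflict before committing, or squash PATCH 2/2 into this commit so that no revision of the 7.11 branch carries conflict markers.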
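Review bot: in PATCH 1/2, hunk `@@ -22,6 +23,10 @@`, the two sides of the conflict differ only in phrasing ("rule exceptions can be used with value lists" versus "you can use rule exceptions with value lists"); the cherry-picked side is the active-voice rewording that upstream commit aeb69a6 introduced, so the resolution should state which one the 7.11 branch keeps rather than committing both between the markers.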
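Review bot: in PATCH 1/2, hunk `@@ -74,6 +79,8 @@`, the new `IMPORTANT:` admonition is a single unwrapped line while the surrounding prose in this file wraps at roughly 80 columns; wrap it to match. The content would also be more useful if it named the consequence the sentence only implies: when a field in the exception query is unmapped, or mapped differently across the indices the rule reads, the exception does not apply and the rule keeps generating alerts for those events.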
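Review bot: in PATCH 1/2, hunk `@@ -156,6 +163,16 @@`, the new delimited block uses a five-character `=====` delimiter while the adjacent `[IMPORTANT]` blocks in the same file use `==============` and `=============`; AsciiDoc only requires the opening and closing lines of one block to match, so this renders, but using the file's existing delimiter length avoids confusion in later edits. The sentence `{ref}/binary.html[Binary fields] are not supported in detection rule exceptions.` is a separate restriction from the endpoint-exception note and reads better as its own admonition. Note also that this hunk re-adds the endpoint note while the HEAD copy near the top of the file (the `IMPORTANT: When you add an exception to the ... rule` lines in the first hunk) still exists in this commit and is only removed in PATCH 2/2, so this commit states the note twice.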
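Review bot: in PATCH 2/2, hunk `@@ -15,18 +15,8 @@`, the resolution keeps the HEAD wording (`rule exceptions can be used with value lists`) and drops the cherry-picked wording (`you can use rule exceptions with value lists`) that upstream commit aeb69a6 introduced; if the backport is meant to track upstream, keep the cherry-picked lines instead so that this paragraph does not diverge between branches, and say in the commit message which side was chosen rather than only "Fix conflicts on 7.11 branch".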