From 3f805937c820f8f0500656543edb8b41db0c8220 Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Thu, 23 Jun 2022 17:03:19 -0500 Subject: [PATCH 1/2] [DOCS] Adds warning about exceptions requiring mappings (#2110) * Move callout about endpoint exceptions to more appropriate section This note was previously at the top-level exceptions section, when it really only applies when adding to the Endpoint rule. * Add note about mappings being required for exceptions Wording is subject to change; just throwing something at the wall for now. * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit aeb69a60c27bdf3da3acc8696d8526ee4b0aaab4) # Conflicts: # docs/detections/detections-ui-exceptions.asciidoc --- .../detections-ui-exceptions.asciidoc | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 6a8421bbd0..b210b4efe6 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -8,6 +8,7 @@ processes and network activity to function without producing unnecessary noise. You can add multiple exceptions to one rule. +<<<<<<< HEAD IMPORTANT: When you add an exception to the <> rule, you can select to add the exception to the Endpoint. When selected, the exception is added to 
@@ -15,6 +16,10 @@ both the detection rule *and* the Elastic Endpoint agent on your hosts. In addition to defining exception queries for source event values, rule exceptions can be used with value lists. Value lists are lists of items with +======= +In addition to defining exception queries for source event values, you can use rule +exceptions with value lists. Value lists are lists of items with +>>>>>>> aeb69a6 ([DOCS] Adds warning about exceptions requiring mappings (#2110)) the same {es} {ref}/mapping-types.html[data type]. You can create value lists with these types: @@ -70,6 +75,8 @@ You can add exceptions to a rule via the Rule details page or the Alerts table. When you add an exception, you can also close all alerts that meet the exception's criteria. +IMPORTANT: To ensure an exception is successfully applied, make sure that the fields you've defined for the exception query are correctly and consistently mapped in their respective indices. Refer to {ecs-ref}[ECS] to learn more about supported mappings. + [IMPORTANT] ============== Be careful when adding exceptions to event correlation rules. Exceptions are @@ -152,6 +159,16 @@ with Elastic endpoint rule exceptions. To associate rules, when creating or editing a rule select the <> option. +[IMPORTANT] +===== +When you add an exception to the +<> rule, you can select to +add the exception to the endpoint. When selected, the exception is added to +both the detection rule *and* the {elastic-endpoint} agent on your hosts. + +{ref}/binary.html[Binary fields] are not supported in detection rule exceptions. +===== + [IMPORTANT] ============= Exceptions added to the Elastic Endpoint Security rule affect all alerts sent From de644af60fe6b42c93cdbc6d3166f3b1a21df610 Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Thu, 23 Jun 2022 17:50:07 -0500 Subject: [PATCH 2/2] Fix conflicts with 7.12 branch --- docs/detections/detections-ui-exceptions.asciidoc | 10 ---------- 1 file changed, 10 deletions(-) 
diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index b210b4efe6..22d071478f 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -8,18 +8,8 @@ processes and network activity to function without producing unnecessary noise. You can add multiple exceptions to one rule. -<<<<<<< HEAD -IMPORTANT: When you add an exception to the -<> rule, you can select to -add the exception to the Endpoint. When selected, the exception is added to -both the detection rule *and* the Elastic Endpoint agent on your hosts. - In addition to defining exception queries for source event values, rule exceptions can be used with value lists. Value lists are lists of items with -======= -In addition to defining exception queries for source event values, you can use rule -exceptions with value lists. Value lists are lists of items with ->>>>>>> aeb69a6 ([DOCS] Adds warning about exceptions requiring mappings (#2110)) the same {es} {ref}/mapping-types.html[data type]. You can create value lists with these types:
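Review bot: The first two hunks of PATCH 1/2 commit unresolved merge-conflict markers into the AsciiDoc source (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> aeb69a6 (...)`), and the `# Conflicts:` cherry-pick comment survives in the commit message, so commit 3f80593 on its own leaves `detections-ui-exceptions.asciidoc` unbuildable. PATCH 2/2 only exists to remove those markers again. Squash the two patches into one commit before merging so that no commit on the 7.12 branch contains conflict markers, and drop the two `# Conflicts:` lines from the message while doing so.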
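Review bot: The new mapping note in the third hunk of PATCH 1/2 (`+IMPORTANT: To ensure an exception is successfully applied, make sure that the fields you've defined ...`) says what to check but not what goes wrong when the check fails, which is the point a "warning about exceptions requiring mappings" should make; add one clause stating the failure mode the reader is being warned about. The commit message itself describes this wording as "subject to change", so it should be settled before it is backported. Two smaller points on the same hunk: the note is inserted immediately before the existing `[IMPORTANT]` block about event correlation rules, giving two stacked admonitions, and the link goes to `{ecs-ref}[ECS]` although the mapping concept the file already uses is `{ref}/mapping-types.html`; linking both, or the mapping-types page first, would be more helpful.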
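Review bot: In the last hunk of PATCH 1/2, the sentence `+{ref}/binary.html[Binary fields] are not supported in detection rule exceptions.` sits inside the `[IMPORTANT]` block that is specifically about adding an exception to the endpoint, but the statement applies to all detection rule exceptions and belongs with the mapping requirement added earlier in the same patch; move it next to that note, or out of the endpoint block into its own sentence. Also, the moved block uses `=====` as its delimiter while the neighbouring admonitions in this file use `==============` and `=============`; any matching run of four or more is valid AsciiDoc, but keep the file's convention. Finally, the new block directly precedes an existing `[IMPORTANT]` block that also concerns exceptions added to the Elastic Endpoint Security rule, so merging the two avoids consecutive admonitions on the same subject.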
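Review bot: The conflict resolution in PATCH 2/2 keeps the HEAD wording (`rule exceptions can be used with value lists`) and discards the wording from the cherry-picked commit aeb69a6 (`you can use rule exceptions with value lists`), so this backport no longer matches the upstream text for that paragraph; if the active-voice wording was an intended part of #2110, carry it over here as well, otherwise note in the commit message that the 7.12 wording was kept deliberately. The removal count is consistent: the ten deleted lines are the `<<<<<<< HEAD` marker, the four-line top-level `IMPORTANT:` callout, its trailing blank line, `=======`, the two upstream wording lines and the `>>>>>>>` marker, matching `@@ -8,18 +8,8 @@` and `10 deletions(-)`, and dropping the old top-level callout completes the move that the first patch started.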