diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index aa2cd6498b..e6765e97d8 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -6,7 +6,7 @@ To prevent the creation of unwanted alerts, you can add exceptions to any rule. alerts are not generated. They provide a convenient way of allowing trusted processes and network activity to function without producing unnecessary noise. -You can add multiple exceptions to one rule. +You can add multiple exceptions to a single rule. An exception can also apply to multiple rules. In addition to defining exception queries for source event values, you can use rule exceptions with value lists. Value lists are lists of items with @@ -102,11 +102,10 @@ specific event in the sequence, update the rule's EQL statement. For example: * To add an exception from the rule details page: .. Go to the rule details page of the rule to which you want to add an exception (*Manage* -> *Rules* -> *__*). -.. Scroll down below the rule details and select the *Exceptions* tab. +.. Scroll down the rule details page, select the *Rule exceptions* tab, then click *Add rule exception*. + [role="screenshot"] -image::images/exception-histogram.png[Detail of Exceptions tab, 75%] -.. Click *Add new exception* -> *Add rule exception*. +image::images/rule-exception-tab.png[Detail of rule exceptions tab] * To add an exception from the Alerts table: .. Go to *Alerts*. 
@@ -166,16 +165,9 @@ Like detection rule exceptions, you can add Endpoint agent exceptions either by You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules, when creating or editing a rule, select the <> option. -[IMPORTANT] -===== -When you add an exception to the -<> rule, you can select to -add the exception to the endpoint. When selected, the exception is added to +Endpoint exceptions are added to both the detection rule *and* the {elastic-endpoint} agent on your hosts. -{ref}/binary.html[Binary fields] are not supported in detection rule exceptions. -===== - [IMPORTANT] ============= Exceptions added to the Elastic Endpoint Security rule affect all alerts sent @@ -185,13 +177,17 @@ alerts. Additionally, to add an Endpoint exception to the Elastic Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. ============= +[IMPORTANT] +===== +{ref}/binary.html[Binary fields] are not supported in detection rule exceptions. +===== + . Do one of the following: + -- * To add an Endpoint exception from the rule details page: .. Go to the rule details page (*Manage* -> *Rules*), and then search for and select the Elastic *Endpoint Security* rule. -.. Scroll down to the *Trend* histogram and select the *Exceptions* tab. -.. Click *Add new exception* -> *Add Endpoint exception*. +.. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*. * To add an Endpoint exception from the Alerts table: .. Go to *Alerts*. .. Scroll down to the Alerts table, and from an {elastic-endpoint} 
@@ -278,6 +274,14 @@ Creates an exception that excludes all LFC-signed trusted processes: [role="screenshot"] image::images/nested-exp.png[] +[float] +[[rules-using-same-exception]] +=== Find rules using the same exception +To find out if an exception is used by other rules, select the *Rule exceptions* or *Endpoint exceptions* tab, navigate to an exception list item, then click *Affects _X_ rules*. + +[role="screenshot"] +image::images/exception-affects-multiple-rules.png[] + [float] [[manage-exceptions]] === View and manage exception lists diff --git a/docs/detections/images/exception-affects-multiple-rules.png b/docs/detections/images/exception-affects-multiple-rules.png new file mode 100644 index 0000000000..24ecb0a965 Binary files /dev/null and b/docs/detections/images/exception-affects-multiple-rules.png differ diff --git a/docs/detections/images/rule-exception-tab.png b/docs/detections/images/rule-exception-tab.png new file mode 100644 index 0000000000..55d6444404 Binary files /dev/null and b/docs/detections/images/rule-exception-tab.png differ
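Review bot: In the @@ -6,7 hunk the new sentence `An exception can also apply to multiple rules.` introduces shared exceptions without pointing to where the page explains them; since this same patch adds a `[[rules-using-same-exception]]` anchor further down, cross-reference it here, e.g. `An exception can also apply to multiple rules (see <<rules-using-same-exception>>).`, so the anchor is actually linked from somewhere and readers know where to look.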
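Review bot: The @@ -102,11 hunk removes the only visible reference to `images/exception-histogram.png` but the patch does not delete that file, so it is left orphaned unless another page still uses it; either add the deletion to this change or confirm the file is referenced elsewhere. Collapsing the old two steps (`Scroll down ... select the *Exceptions* tab` and `Click *Add new exception* -> *Add rule exception*`) into one step is fine, but note the replacement screenshot drops the `75%` width attribute the old one had; if that width was intentional, carry it over to `image::images/rule-exception-tab.png[...]`.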
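Review bot: In the @@ -166,16 hunk the removed admonition said you `can select to add the exception to the endpoint`, i.e. it was a choice, whereas the replacement line `Endpoint exceptions are added to both the detection rule *and* the {elastic-endpoint} agent on your hosts.` states it as unconditional; please confirm the UI no longer offers that choice for the Endpoint Security rule before merging, because this is the one behavioral difference between a rule exception and an Endpoint exception that a reader must not miss, and for that reason it arguably belongs in an admonition rather than in plain body text.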
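Review bot: The new `[IMPORTANT]` block in the @@ -185,13 hunk says `Binary fields are not supported in detection rule exceptions`, a limitation phrased for rule exceptions in general, yet it sits only under the Endpoint exceptions procedure, so readers following the rule exceptions procedure earlier on the page never see it; move it to the rule exceptions section or state it in both places. Minor style point in the same hunk: the new block is delimited with five `=` characters while the adjacent `[IMPORTANT]` block uses thirteen; AsciiDoc only requires each block's opening and closing delimiters to match, but a consistent delimiter length within the file is easier to maintain.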
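Review bot: In the @@ -278,6 hunk the new screenshot `image::images/exception-affects-multiple-rules.png[]` has empty alt text, unlike the other screenshot added in this patch (`image::images/rule-exception-tab.png[Detail of rule exceptions tab]`); add a description for accessibility. The step `navigate to an exception list item, then click *Affects _X_ rules*` also does not say where on the item that link appears, and does not say whether the link is shown at all when only one rule uses the exception; a short clarification of both would make the new section self-sufficient.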