From 61096d4ef56d8d4116dd70f4575d501f5484c25f Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 11 Oct 2022 09:06:28 -0400 Subject: [PATCH 1/4] Update detections-ui-exceptions.asciidoc --- docs/detections/detections-ui-exceptions.asciidoc | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index aa2cd6498b..5a33d1e530 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -21,15 +21,18 @@ with these types: After creating value lists, you can use `is in list` and `is not in list` operators to define exceptions. -IMPORTANT: Operators `is in list` and `is not in list` are not available for -threshold and event correlation rules. - TIP: You can also use value lists as the <> when creating an indicator match rule. [float] [[manage-value-lists]] == Create value lists +When creating a value list for a rule exception, be mindful of the list's size and data type. In general, value list exceptions are supported for all rule types, but there are some limitations for extremely large lists or certain data types. The following value list types can _only_ be used with custom query, machine learning, and indicator match rule types: + +* Keyword or IP address lists with more than 65,536 values +* IP range lists with more than 200 dash notation values (for example, `127.0.0.1-127.0.0.4` is one value) +* Text data type lists of any size + To create a value list: . Prepare a `txt` or `csv` file with all the values you want to use for 
@@ -130,8 +133,9 @@ image::images/add-exception-ui.png[] + [NOTE] ======= -* An exception defined by a value list must use `is in list` or `is not in list` in all conditions. +* An exception defined by a value list must use `is in list` or `is not in list` in all conditions. * Wildcards are not supported in value lists. +* If a value list can't be used due to <>, it will appear grayed out in the *Value* menu. ======= * `matches` | `does not match` — Allows you to use wildcards in *Value*, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected *Field* data type must be {ref}/keyword.html#keyword-field-type[keyword], {ref}/text.html#text-field-type[text], or {ref}/keyword.html#wildcard-field-type[wildcard]. + From e524af498028c3b58175a00567a5805218145561 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 11 Oct 2022 09:39:47 -0400 Subject: [PATCH 2/4] Smol edits --- docs/detections/detections-ui-exceptions.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 5a33d1e530..fc95612bf2 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -27,7 +27,7 @@ TIP: You can also use value lists as the <>, it will appear grayed out in the *Value* menu. +* If a value list can't be used due to <>, it will appear unavailable in the *Value* menu. ======= * `matches` | `does not match` — Allows you to use wildcards in *Value*, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected *Field* data type must be {ref}/keyword.html#keyword-field-type[keyword], {ref}/text.html#text-field-type[text], or {ref}/keyword.html#wildcard-field-type[wildcard]. + From 93853254bd4d42dd78de1a926561aeef260f66e6 Mon Sep 17 00:00:00 2001 
From: Joe Peeples Date: Wed, 12 Oct 2022 11:38:53 -0400 Subject: [PATCH 3/4] Apply suggestions from Janeen's review Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> --- docs/detections/detections-ui-exceptions.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index fc95612bf2..5d5a3ff380 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -27,7 +27,7 @@ TIP: You can also use value lists as the <>, it will appear unavailable in the *Value* menu. +* If a value list can't be used due to <>, it'll be unavailable in the *Value* menu. ======= * `matches` | `does not match` — Allows you to use wildcards in *Value*, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected *Field* data type must be {ref}/keyword.html#keyword-field-type[keyword], {ref}/text.html#text-field-type[text], or {ref}/keyword.html#wildcard-field-type[wildcard]. + From 58b43110d7484fcc947df074b653d2c1dcb315ad Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 18 Oct 2022 14:25:56 -0400 Subject: [PATCH 4/4] Apply suggestions from Marshall's review Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> --- docs/detections/detections-ui-exceptions.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 6b74d0703e..56b3a9eb6a 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -30,7 +30,7 @@ TIP: You can also use value lists as the <
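Review bot: The first hunk of PATCH 1/4 (`@@ -21,15 +21,18 @@`) removes the explicit statement that `is in list` and `is not in list` are not available for threshold and event correlation rules, but the replacement paragraph only names the rule types that large or text value lists *can* be used with (custom query, machine learning, indicator match). Someone maintaining a threshold or event correlation rule will no longer find their rule type mentioned anywhere on the page; suggest adding one sentence after the bullet list that states the exclusion directly, for example "These lists can't be used as exception values for any other rule type." The opening sentence also hedges twice ("In general ... but there are some limitations"); "Value list exceptions are supported for all rule types, with the following exceptions:" reads tighter and leads straight into the bullets.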
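Review bot: In the second hunk of PATCH 1/4 (`@@ -130,8 +133,9 @@`) the new NOTE bullet's cross-reference shows here as a bare `<>`; confirm it resolves to the `[[manage-value-lists]]` anchor added in the first hunk, since that section is where the size and data type limits now live, and give the xref explicit link text (for example, "value list limitations") so the rendered link is not just the section title. The first bullet in this hunk changes only trailing whitespace; worth a word in the commit message so reviewers don't hunt for a wording change.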
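Review bot: PATCH 2/4 changes "it will appear grayed out in the *Value* menu" to "it will appear unavailable in the *Value* menu". "Grayed out" told the user exactly what they would see; "unavailable" is vaguer and could be read as the list not being shown at all. If the list is still listed but can't be selected, keep the visual cue, for example "it will be listed but disabled (grayed out) in the *Value* menu"; if it is actually hidden, say "won't appear".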
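Review bot: PATCH 3/4 only changes "it will appear unavailable" to "it'll be unavailable" in the same bullet that PATCH 2/4 already reworded. The contraction matches the register used elsewhere in the file ("Allows you to use"), so no objection to the wording, but two consecutive commits editing one sentence are easier to review and bisect if squashed into a single "Reword value list NOTE" commit before merge.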
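Review bot: PATCH 4/4 does not apply cleanly on top of this series as posted: its pre-image blob is `6b74d0703e`, while PATCH 3/4 leaves the file at `5d5a3ff380`, so at least one other change to `detections-ui-exceptions.asciidoc` landed between them. Please rebase the series (or include the intervening commit) so the four patches apply in order; the hunk body for this patch is also cut off after the `@@ -30,7 +30,7 @@` context line, so its actual wording change cannot be reviewed from this message.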