Included note that exceptions do not work with fields appended to the
output, such as ES|QL eval statements
---------
Co-authored-by: florent-leborgne <[email protected]>
solutions/security/detect-and-alert/add-manage-exceptions.md
Lines changed: 10 additions & 7 deletions
@@ -78,6 +78,9 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t
78
78
When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the **Add comments** section.
79
79
::::
80
80
81
+
::::{note}
82
+
When using ES|QL, you can append new fields with commands such as [`EVAL`](https://www.elastic.co/docs/reference/query-languages/esql/commands/eval), but you can't apply exceptions to these appended fields. Exceptions are only applied to the index source fields.
83
+
::::
81
84
82
85
1. **Field**: Select a field to identify the event being filtered.
83
86
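Review bot: The added note says exceptions can't target fields appended with EVAL, but not what the user observes if they try: does the exception editor refuse the field, or does the exception save and simply never match? An exception that saves but never matches leaves an analyst believing a noisy alert is suppressed when it is not, so one sentence on the actual behaviour (or a pointer to the ES|QL rule docs) would make the caveat actionable. Minor: the EVAL link is an absolute elastic.co URL while the other links in this file (`#nested-field-list`, `create-manage-shared-exception-lists.md`) are relative; check the repo's cross-reference convention.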
@@ -125,9 +128,9 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t
125
128
:screenshot:
126
129
:::
127
130
128
-
4. Click **AND** or **OR** to create multiple conditions and define their relationships.
129
-
5. Click **Add nested condition** to create conditions using nested fields. This is only required for [these nested fields](#nested-field-list). For all other fields, nested conditions should not be used.
130
-
6. Choose to add the exception to a rule or a shared exception list.
131
+
5. Click **AND** or **OR** to create multiple conditions and define their relationships.
132
+
6. Click **Add nested condition** to create conditions using nested fields. This is only required for [these nested fields](#nested-field-list). For all other fields, nested conditions should not be used.
133
+
7. Choose to add the exception to a rule or a shared exception list.
131
134
132
135
::::{note}
133
136
If you are creating an exception from the Shared Exception Lists page, you can add the exception to multiple rules.
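Review bot: Steps 4-6 are renumbered to 5-7, but neither this hunk nor the previous one adds a step between 1 and 4 (the only visible addition is the ES|QL note, placed before step 1), so confirm that a new step 4 exists in an unseen part of the file or that steps 2-3 were renumbered there; otherwise the rendered list jumps from 3 to 5. It is also worth checking that this `::::{note}` block, which now sits between steps 7 and 8, is indented so the renderer keeps it inside the list instead of restarting the numbering.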
@@ -138,14 +141,14 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t
138
141
If a shared exception list doesn’t exist, you can [create one](create-manage-shared-exception-lists.md) from the Shared Exception Lists page.
139
142
::::
140
143
141
-
7. (Optional) Enter a comment describing the exception.
142
-
8. (Optional) Enter a future expiration date and time for the exception.
143
-
9. Select one of the following alert actions:
144
+
8. (Optional) Enter a comment describing the exception.
145
+
9. (Optional) Enter a future expiration date and time for the exception.
146
+
10. Select one of the following alert actions:
144
147
145
148
* **Close this alert**: Closes the alert when the exception is added. This option is only available when adding exceptions from the Alerts table.
146
149
* **Close all alerts that match this exception and were generated by this rule**: Closes all alerts that match the exception’s conditions and were generated only by the current rule.
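Review bot: Steps 7-9 become 8-10, consistent with the +1 shift in the previous hunk, but the shift is only correct if a step was inserted earlier in the list, which this diff does not show; if the intent was to fix a pre-existing numbering error, the commit message should say so, since it currently mentions only the ES|QL note. Any other page that refers to these steps by number (for example the alert-action step) will also be stale after this change and should be checked before merging.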