First draft

Author: nastasha-solomon

serverless/serverless-changelog.asciidoc

@@ -9,6 +9,67 @@ For serverless changes in Cloud Console, refer to https://www.elastic.co/guide/e
 [[serverless-changelog-12032024]]
 == December 3, 2024
 
+[discrete]
+[[known-issues-12032024]]
+=== Known issues
+
+// tag::known-issue[201820]
+[discrete]
+.The **Exceptions** tab won't properly load if exceptions contain comments with the newline character (`\n`)  
+[%collapsible]
+====
+*Details* +
+On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. 
+
+*Workaround* + 
+
+For custom rules:
+
+. From the {security-app}, <<import-export-rules-ui,export>> the rule or rules with the affected exception lists. 
+. Modify the `.ndjson` file so `comments` no longer contain newline characters.
+. Return to the {security-app} and <<import-export-rules-ui,re-import>> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option.
+
+For prebuilt rules: 
+
+. Fetch the affected exception list ID or IDs that are associated with the rule. 
+.. Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a rule `id`.
+.. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID:
++
+[source,console]
+----
+curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme
+----
++
+.. The JSON response will contain the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You will need these values to retrieve the exception list using the Exception list API. 
++
+[source,console]
+----
+{
+  "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e",
+  "exceptions_list": [
+    {
+      "id": "490525a2-eb66-4320-95b5-88bdd1302dc4",
+      "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d",
+      "namespace_type": "single"
+    }
+  ]
+}
+----
++
+. Retrieve the affected exception list using the export exceptions API. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call:
++
+[source,console]
+----
+curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson
+----
++
+. Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`).
+. From the {security-app}, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]).
++
+The import will initially fail because the exception list already exists. After the failure, an option to overwrite the existing list appears. Select the option, then resubmit the request to import the updated exception list.
+====
+// end::known-issue[201820]
+
 [discrete]
 [[features-enhancements-12032024]]
 === Features and enhancements