diff --git a/solutions/security/detect-and-alert/add-manage-exceptions.md b/solutions/security/detect-and-alert/add-manage-exceptions.md index 745ffb8502..f57d3a0d16 100644 --- a/solutions/security/detect-and-alert/add-manage-exceptions.md +++ b/solutions/security/detect-and-alert/add-manage-exceptions.md @@ -78,6 +78,9 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the **Add comments** section. :::: + ::::{note} + When using ES|QL, you can append new fields with commands such as [`EVAL`](https://www.elastic.co/docs/reference/query-languages/esql/commands/eval), but you can't apply exceptions to these appended fields. Exceptions are only applied to the index source fields. + :::: 1. **Field**: Select a field to identify the event being filtered. 
@@ -125,9 +128,9 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t :screenshot: ::: -4. Click **AND** or **OR** to create multiple conditions and define their relationships. -5. Click **Add nested condition** to create conditions using nested fields. This is only required for [these nested fields](#nested-field-list). For all other fields, nested conditions should not be used. -6. Choose to add the exception to a rule or a shared exception list. +5. Click **AND** or **OR** to create multiple conditions and define their relationships. +6. Click **Add nested condition** to create conditions using nested fields. This is only required for [these nested fields](#nested-field-list). For all other fields, nested conditions should not be used. +7. Choose to add the exception to a rule or a shared exception list. ::::{note} If you are creating an exception from the Shared Exception Lists page, you can add the exception to multiple rules. 
@@ -138,14 +141,14 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t If a shared exception list doesn’t exist, you can [create one](create-manage-shared-exception-lists.md) from the Shared Exception Lists page. :::: -7. (Optional) Enter a comment describing the exception. -8. (Optional) Enter a future expiration date and time for the exception. -9. Select one of the following alert actions: +8. (Optional) Enter a comment describing the exception. +9. (Optional) Enter a future expiration date and time for the exception. +10. Select one of the following alert actions: * **Close this alert**: Closes the alert when the exception is added. This option is only available when adding exceptions from the Alerts table. * **Close all alerts that match this exception and were generated by this rule**: Closes all alerts that match the exception’s conditions and were generated only by the current rule. -10. Click **Add rule exception**. +11. Click **Add rule exception**. ## Add {{elastic-endpoint}} exceptions [endpoint-rule-exceptions]
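Review bot: in the first hunk (the added `::::{note}` block before `1. **Field**`), the wording "Exceptions are only applied to the index source fields" is ambiguous; suggest "Exceptions apply only to fields that exist in the source index, not to fields computed at query time" so the reader understands why an `EVAL`-derived field cannot be matched. Two style points on the same lines: the link is an absolute `https://www.elastic.co/docs/...` URL while the rest of this file uses relative links such as `create-manage-shared-exception-lists.md`, so check which form the docs build expects for cross-references, and since the file uses substitutions like `{{elastic-endpoint}}`, check whether a substitution for the ES|QL product name exists and should be used instead of the literal "ES|QL".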
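Review bot: the second hunk renumbers steps 4, 5 and 6 to 5, 6 and 7, but nothing in this patch adds a new step: the hunk headers show the line offset is exactly +3 after the first hunk (the three added note lines) and the second hunk is net zero, so no step line was inserted between `1. **Field**` and the old step 4. Either an intermediate step already exists in the unchanged lines between the hunks (in which case this is a fix of a pre-existing numbering gap and the commit message should say so), or the list will now jump from the last unchanged number straight to 5; please confirm which before merging.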
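Review bot: the third hunk's renumbering (7 to 8, 8 to 9, 9 to 10, 10 to 11) is consistent with the second hunk, and the two `*` sub-bullets under the alert-action step are left untouched, which is correct; the only thing to verify is that the list continues unbroken across the `::::{note}` blocks that sit between steps 7 and 8, since the renderer must treat the note as part of step 7 for the explicit numbers to line up.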