[DOCS] Adds warning about exceptions requiring mappings (#2110)
* Move callout about endpoint exceptions to more appropriate section

This note was previously at the top-level exceptions section, when it
really only applies when adding to the Endpoint rule.

* Add note about mappings being required for exceptions

Wording is subject to change; just throwing something at the wall for
now.

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

rylnd and nastasha-solomon authored Jun 23, 2022
1 parent 3f2f653 commit aeb69a6
Showing 1 changed file with 12 additions and 10 deletions.
22 changes: 12 additions & 10 deletions docs/detections/detections-ui-exceptions.asciidoc
Expand Up @@ -8,16 +8,6 @@ processes and network activity to function without producing unnecessary noise.

You can add multiple exceptions to one rule.

[IMPORTANT]
=====
When you add an exception to the
<<endpoint-rule-exceptions, Elastic Endpoint Security>> rule, you can select to
add the exception to the Endpoint. When selected, the exception is added to
both the detection rule *and* the Elastic Endpoint agent on your hosts.
{ref}/binary.html[Binary fields] are not supported in detection rule exceptions.
=====

In addition to defining exception queries for source event values, you can use rule
exceptions with value lists. Value lists are lists of items with
the same {es} {ref}/mapping-types.html[data type]. You can create value lists
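Review bot: Removing the whole callout from the top-level section (the hunk header goes from 16 lines to 6) also drops the sentence `{ref}/binary.html[Binary fields] are not supported in detection rule exceptions.`, which is a limitation of detection rule exceptions in general rather than of the Endpoint rule that the commit message says the callout is about. Suggest keeping that one sentence here, for example as its own `NOTE:` directly after `You can add multiple exceptions to one rule.`, and moving only the Endpoint-specific part.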
Expand Down Expand Up @@ -87,6 +77,8 @@ You can add exceptions to a rule from the rule details page or the Alerts table.
When you add an exception, you can also close all alerts that meet the
exception's criteria.

IMPORTANT: To ensure an exception is successfully applied, make sure that the fields you've defined for the exception query are correctly and consistently mapped in their respective indices. Refer to {ecs-ref}[ECS] to learn more about supported mappings.

[IMPORTANT]
==============
Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated.
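Review bot: The new `IMPORTANT:` at the top of this hunk tells the reader to keep exception fields `correctly and consistently mapped in their respective indices` but not what goes wrong otherwise, so it does not help someone debugging an exception that has no effect; the opening clause `To ensure an exception is successfully applied` implies the exception is simply not applied, and saying that plainly (and that it matters most when the rule's index pattern spans several indices with differing mappings) would make the note actionable. The pointer `Refer to {ecs-ref}[ECS] to learn more about supported mappings` also reads oddly, since ECS defines field names and types rather than which mappings exceptions support; if the intent is "use ECS-compliant mappings", say that, or link the {es} mapping docs as the value-list paragraph above already does with `{ref}/mapping-types.html`. Minor: this note uses the one-line `IMPORTANT:` form while the surrounding callouts in this file use `[IMPORTANT]` blocks.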
Expand Down Expand Up @@ -167,6 +159,16 @@ Like detection rule exceptions, you can add Endpoint agent exceptions either by

You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules, when creating or editing a rule, select the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option.

[IMPORTANT]
=====
When you add an exception to the
<<endpoint-rule-exceptions, Elastic Endpoint Security>> rule, you can select to
add the exception to the endpoint. When selected, the exception is added to
both the detection rule *and* the {elastic-endpoint} agent on your hosts.
{ref}/binary.html[Binary fields] are not supported in detection rule exceptions.
=====

[IMPORTANT]
=============
Exceptions added to the Elastic {endpoint-sec} rule affect all alerts sent
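Review bot: The moved callout and the `[IMPORTANT]` block right after it name the same rule three ways within a few lines: `<<endpoint-rule-exceptions, Elastic Endpoint Security>> rule`, `the {elastic-endpoint} agent`, and `Elastic {endpoint-sec} rule`. Since this hunk already changes `Elastic Endpoint agent` to `{elastic-endpoint} agent` and `Endpoint` to `endpoint`, it is the right moment to use the attribute in the xref text as well so the section is consistent. Two consecutive `[IMPORTANT]` blocks about the same rule could also be merged into one, which would read better than two stacked admonitions.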