[7.14] [DOCS] Adds warning about exceptions requiring mappings (backport elastic#2110) (elastic#2122)

* [DOCS] Adds warning about exceptions requiring mappings (elastic#2110)

* Move callout about endpoint exceptions to more appropriate section

This note was previously at the top-level exceptions section, when it
really only applies when adding to the Endpoint rule.

* Add note about mappings being required for exceptions

Wording is subject to change; just throwing something at the wall for
now.

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
(cherry picked from commit aeb69a6)

# Conflicts:
#	docs/detections/detections-ui-exceptions.asciidoc

* Resolve merge conflicts with 7.14 branch.

Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
mergify[bot] and rylnd authored Jun 23, 2022
1 parent 14b4807 commit dfb1e65
Showing 1 changed file with 12 additions and 5 deletions.
17 changes: 12 additions & 5 deletions docs/detections/detections-ui-exceptions.asciidoc
Expand Up @@ -8,11 +8,6 @@ processes and network activity to function without producing unnecessary noise.

You can add multiple exceptions to one rule.

IMPORTANT: When you add an exception to the
<<endpoint-rule-exceptions, Elastic Endpoint Security>> rule, you can select to
add the exception to the Endpoint. When selected, the exception is added to
both the detection rule *and* the Elastic Endpoint agent on your hosts.

In addition to defining exception queries for source event values, you can use rule
exceptions with value lists. Value lists are lists of items with
the same {es} {ref}/mapping-types.html[data type]. You can create value lists
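Review bot: Dropping the Endpoint callout from the top-level section is only safe if it is reinstated where it applies; the third hunk in this file does that, but with changed wording ("endpoint" lowercased, "Elastic Endpoint agent" replaced by the `{elastic-endpoint}` attribute) and an extra sentence about binary fields. Treat that later copy as the canonical text and confirm that the `{elastic-endpoint}` attribute is defined for the 7.14 docs build, since the original text here used the literal product name.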
Expand Down Expand Up @@ -77,6 +72,8 @@ You can add exceptions to a rule via the rule details page or the Alerts table.
When you add an exception, you can also close all alerts that meet the
exception's criteria.

IMPORTANT: To ensure an exception is successfully applied, make sure that the fields you've defined for the exception query are correctly and consistently mapped in their respective indices. Refer to {ecs-ref}[ECS] to learn more about supported mappings.

[IMPORTANT]
==============
Be careful when adding exceptions to event correlation rules. Exceptions are
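Review bot: The new IMPORTANT line is a single unwrapped paragraph, whereas the surrounding file (for example "When you add an exception, you can also close all alerts that meet the" / "exception's criteria.") wraps at roughly 80 columns; wrap it to match. It also now sits directly before a second `[IMPORTANT]` block, so consider folding the two into one admonition or separating them with a short lead sentence. Finally, "correctly and consistently mapped" would be more useful to the reader if the note stated what goes wrong when the field is not mapped in one of the rule's indices, since the commit title frames mappings as a requirement for the exception to apply.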
Expand Down Expand Up @@ -159,6 +156,16 @@ with Elastic endpoint rule exceptions. To associate rules, when creating or
editing a rule select the
<<rule-ui-advanced-params, _Elastic endpoint exceptions_>> option.

[IMPORTANT]
=====
When you add an exception to the
<<endpoint-rule-exceptions, Elastic Endpoint Security>> rule, you can select to
add the exception to the endpoint. When selected, the exception is added to
both the detection rule *and* the {elastic-endpoint} agent on your hosts.
{ref}/binary.html[Binary fields] are not supported in detection rule exceptions.
=====

[IMPORTANT]
=============
Exceptions added to the Elastic Endpoint Security rule affect all alerts sent
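Review bot: The sentence "{ref}/binary.html[Binary fields] are not supported in detection rule exceptions." is a statement about all rule exceptions, yet it is placed inside the callout that is specifically about adding an exception to the Elastic Endpoint Security rule; move it to the general exceptions section (the mappings note added earlier in this file would be a natural home) or give it its own admonition so readers of non-Endpoint rules see it. Also, the new block's `=====` delimiter is shorter than the `=============` used by the adjacent `[IMPORTANT]` block immediately below and the `==============` used earlier in the file; AsciiDoc only requires open and close to match, but a consistent length keeps the source readable. As with the earlier hunk, two `[IMPORTANT]` blocks now appear back to back, so consider merging them.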