From 19ddcc1fd4338d0d74314b5bd91c752ef58b72dd Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Tue, 18 Oct 2022 15:36:55 -0400 Subject: [PATCH] [DOCS] Value list exceptions for all rule types (#2562) (#2596) * Update detections-ui-exceptions.asciidoc * Smol edits * Apply suggestions from Janeen's review Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> * Apply suggestions from Marshall's review Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> (cherry picked from commit c85062b12c7d33482fed572492dec60d7876cdcd) Co-authored-by: Joe Peeples --- docs/detections/detections-ui-exceptions.asciidoc | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index e6765e97d8..56b3a9eb6a 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc 
@@ -21,15 +21,18 @@ with these types: After creating value lists, you can use `is in list` and `is not in list` operators to define exceptions. -IMPORTANT: Operators `is in list` and `is not in list` are not available for -threshold and event correlation rules. - TIP: You can also use value lists as the <> when creating an indicator match rule. [float] [[manage-value-lists]] == Create value lists +When creating a value list for a rule exception, be mindful of the list's size and data type. In general, all rule types support value list exceptions, but there are some limitations for especially large lists or certain data types. The following value list types can _only_ be used with custom query, machine learning, and indicator match rule types: + +* Keyword or IP address lists with more than 65,536 values +* IP range lists with more than 200 dash notation values (for example, `127.0.0.1-127.0.0.4` is one value) or more than 65,536 CIDR notation values +* Text data type lists of any size + To create a value list: . Prepare a `txt` or `csv` file with all the values you want to use for @@ -129,8 +132,9 @@ image::images/add-exception-ui.png[] + [NOTE] ======= -* An exception defined by a value list must use `is in list` or `is not in list` in all conditions. +* An exception defined by a value list must use `is in list` or `is not in list` in all conditions. * Wildcards are not supported in value lists. +* If a value list can't be used due to <>, it'll be unavailable in the *Value* menu. ======= * `matches` | `does not match` — Allows you to use wildcards in *Value*, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected *Field* data type must be {ref}/keyword.html#keyword-field-type[keyword], {ref}/text.html#text-field-type[text], or {ref}/keyword.html#wildcard-field-type[wildcard]. +
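Review bot: In the first hunk, the new paragraph says the listed value list types "can _only_ be used with custom query, machine learning, and indicator match rule types" but never names the rule types that are excluded, while the deleted IMPORTANT block did name threshold and event correlation rules; readers now have to work out the complement themselves. Consider adding a sentence that states which rule types these lists are unavailable for, so the information removed with the IMPORTANT block is not lost. The same paragraph also opens with "In general, all rule types support value list exceptions" and then immediately lists exceptions, which reads as contradictory; "All rule types support value list exceptions, with the following limitations:" would be clearer.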
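Review bot: In the second hunk, the line `* An exception defined by a value list must use \`is in list\` or \`is not in list\` in all conditions.` is removed and re-added with text that reads identically, which suggests a whitespace-only change; if it is not intentional, drop it to keep the diff and blame history clean. The new bullet `* If a value list can't be used due to <>, it'll be unavailable in the *Value* menu.` carries a cross-reference whose target is not visible in this hunk; make sure it resolves to an existing anchor, noting that the limitations paragraph added in the first hunk has no anchor of its own and sits below the `[[manage-value-lists]]` anchor on the section heading, so a link to it will land on the heading rather than the limitations list.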