[DOCS] Create rule updates - 7.10

docs/detections/detection-engine-intro.asciidoc

@@ -88,6 +88,12 @@ Detection rules::
 Background tasks that run periodically and produce alerts when suspicious
 activity is detected.
 
+[[term-sec-indices]]
+{es-sec} indices::
+Indices containing host and network source events (such as
+`packetbeat-*`, `log-*`, and `winlogbeat-*`). Detection rules use these
+indices to generate alerts when suspicious activity is detected.
+
 Endpoint exceptions::
 <<term-exceptions, Exceptions>> added to both rules and Endpoint agents on
 hosts. Endpoint exceptions can only be added when:
@@ -103,6 +109,11 @@ alerts.
 External alerts::
 Alerts {es-sec} receives from external systems, such as Suricata.
 
+Threat indices::
+Indices containing suspect field values. Threat-match detection rules use these
+indices to compare their field values with source event values contained in
+<<term-sec-indices, {es-sec} indices>>.
+
 [float]
 [[detections-permissions]]
 == Detections configuration and index privilege prerequisites

docs/detections/detections-ui-exceptions.asciidoc

@@ -2,8 +2,14 @@
 [role="xpack"]
 == Rule exceptions and value lists
 
-To prevent the creation of unwanted alerts, you can add exceptions to detection
-rules. Exceptions contain the source event conditions that determine when
+To prevent the creation of unwanted alerts, you can add exceptions to these
+detection rule types:
+
+* Custom query
+* EQL
+* Threat match
+
+Exceptions contain the source event conditions that determine when
 alerts are not generated. They provide a convenient way of allowing trusted
 processes and network activity to function without producing unnecessary noise.
 
@@ -42,7 +48,6 @@ NOTE: All values in the file must be of the same {es} type.
 . Click *Upload value lists*.
 +
 The *Upload value lists* window opens.
-
 [role="screenshot"]
 image::images/upload-lists-ui.png[]
 
@@ -61,15 +66,23 @@ To view, delete, or export existing lists:
 
 [float]
 [[detection-rule-exceptions]]
-=== Add detection exceptions to a rule
+=== Add exceptions to a rule
 
 You can add exceptions to a rule via the Rule details page or the Alerts table.
 When you add an exception, you can also close all alerts that meet the
 exception's criteria.
 
-IMPORTANT: When you select to close all alerts that meet the exception's
-criteria, all matching alerts are closed, *including* alerts generated by other
-rules.
+[IMPORTANT]
+==============
+Be careful when adding exceptions to EQL sequence rules. Exceptions are
+evaluated against every event in the sequence and when the exception matches any
+event(s) in the sequence, alerts are not generated. To exclude values from a
+specific event in the sequence, update the rule's EQL statement. For example:
+
+`sequence
+  [file where file.extension == "exe" and file.name != "app-name.exe"]
+  [process where true and process.name != "process-name.exe"]`
+==============
 
 . To add an exception via the Rule details page:
 .. Go to the Rule details page of the rule to which you want to add the
@@ -86,7 +99,6 @@ The *Add Exception* window opens (via Alerts table).
 +
 [role="screenshot"]
 image::images/add-exception-ui.png[]
-
 . Add conditions that define when the exception prevents alerts. You can define
 multiple conditions with `OR` and `AND` relationships. In the example above,
 the exception prevents the rule from generating alerts when the
@@ -105,7 +117,6 @@ values in a list with `is in list` and `is not in list` operators:
 +
 [role="screenshot"]
 image::images/exceptions-ui-list.png[]
-
 NOTE: When using a list, all exception statements must use `is in list` and
 `is not in list` operators.
 
@@ -115,6 +126,10 @@ NOTE: When using a list, all exception statements must use `is in list` and
 is only available when adding exceptions via the Alerts table.
 * _Close all alerts that match this exception, including alerts generated by other rules_:
 Closes all alerts that match the exception's conditions.
++
+IMPORTANT: When you select to close all alerts that meet the exception's
+criteria, all matching alerts are closed, *including* alerts generated by other
+rules.
 
 . Click *Add Exception*.
 
@@ -156,7 +171,6 @@ The *Add Endpoint Exception* window opens (via Alerts table).
 +
 [role="screenshot"]
 image::images/endpoint-add-exp.png[]
-
 . If required, modify the conditions.
 +
 NOTE: <<ex-nested-conditions>> describes when nested conditions are required.
@@ -234,4 +248,4 @@ correctly:
 Creates an exception that excludes all LFC-signed trusted processes: 
 
 [role="screenshot"]
-image::images/nested-exp.png[]
+image::images/nested-exp.png[]