elastic
diff --git a/‎docs/siem/detections/detections-ui-exceptions.asciidoc‎
Lines changed: 17 additions & 19 deletions b/‎docs/siem/detections/detections-ui-exceptions.asciidoc‎
Lines changed: 17 additions & 19 deletions
diff --git a/‎docs/siem/detections/images/add-exception-ui.png‎
25.6 KB b/‎docs/siem/detections/images/add-exception-ui.png‎
25.6 KB
diff --git a/‎docs/siem/detections/images/exceptions-ui-list.png‎
100 KB b/‎docs/siem/detections/images/exceptions-ui-list.png‎
100 KB
@@ -87,27 +87,27 @@ The *Add Exception* window opens (via Alerts table).
 [role="screenshot"]
 image::images/add-exception-ui.png[]
 
-. If required, add or modify the conditions that define when the exception
-prevents the rule from generating alerts. You can define multiple conditions
-and use `OR` and `AND` logic to connect them. For example, the following
-conditions prevent a rule from generating alerts when the `maintenance.exe`
-process runs on `win-server-1`, `win-server-2`, or `win-server-3`:
+. Add conditions that define when the exception prevents alerts. You can define
+multiple conditions with `OR` and `AND` relationships. In the example above,
+the exception prevents the rule from generating alerts when the
+`maintenance.exe` process runs on `win-server-1`, `win-server-2`, or
+`win-server-3`.
 +
-[role="screenshot"]
-image::images/exception-ui-query.png[]
+[IMPORTANT]
+============
+You can use nested conditions. However, this is only required for
+<<nested-field-list, these fields>>. For all other fields, nested conditions
+should not be used. 
+============
 +
 If you have created value lists, you can use them to exclude or include all
-values in a list with the `is in list` and `is not in list` operators:
+values in a list with `is in list` and `is not in list` operators:
 +
 [role="screenshot"]
 image::images/exceptions-ui-list.png[]
-+
-[IMPORTANT]
-============
-You can use nested boolean conditions in the exception. This is only required
-for <<nested-field-list, these fields>>. For all other fields, nested
-conditions should not be used. 
-============
+
+NOTE: When using a list, all exception statements must use `is in list` and
+`is not in list` operators.
 
 . You can select any of the following:
 
@@ -148,11 +148,9 @@ The *Add Endpoint Exception* window opens (via Alerts table).
 [role="screenshot"]
 image::images/endpoint-add-exp.png[]
 
-. If required, add or modify the conditions that define when the exception
-prevents the rule from generating alerts.
+. If required, modify the conditions.
 +
-NOTE: For file signature exceptions, you can add nested conditions under the
-`file.ext.code_signature` field.
+NOTE: <<ex-nested-conditions>> describes when nested conditions are required.
 
 . You can select any of the following: