<!DOCTYPE html>
<html lang="en-us">
<head>
<meta charset="UTF-8">
<title>Add and manage exceptions | Elastic Security Solution [8.12] | Elastic</title>
<meta class="elastic" name="content" content="Add and manage exceptions | Elastic Security Solution [8.12]">
<link rel="home" href="index.html" title="Elastic Security Solution [8.12]"/>
<link rel="up" href="detections-ui-exceptions.html" title="Rule exceptions"/>
<link rel="prev" href="value-lists-exceptions.html" title="Create and manage value lists"/>
<link rel="next" href="shared-exception-lists.html" title="Create and manage shared exception lists"/>
<meta class="elastic" name="product_version" content="8.12"/>
<meta class="elastic" name="product_name" content="Security"/>
<meta class="elastic" name="website_area" content="documentation"/>
<meta name="DC.type" content="Learn/Docs/Security/Guide/8.12"/>
<meta name="DC.subject" content="Security"/>
<meta name="DC.identifier" content="8.12"/>
<meta name="robots" content="noindex,nofollow"/>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<script src="https://cdn.optimizely.com/js/18132920325.js"></script>
<link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
<link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
<link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
<link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
<link rel="manifest" href="/manifest.json">
<meta name="apple-mobile-web-app-title" content="Elastic">
<meta name="application-name" content="Elastic">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/mstile-144x144.png">
<meta name="theme-color" content="#ffffff">
<meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd" />
<meta name="yandex-verification" content="d8a47e95d0972434" />
<meta name="localized" content="true" />
<meta name="st:robots" content="follow,index" />
<meta property="og:image" content="https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/blt280217a63b82a734/6202d3378b1f312528798412/elastic-logo.svg" />
<meta property="og:image:width" content="500" />
<meta property="og:image:height" content="172" />
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
<link rel="icon" href="/favicon.ico" type="image/x-icon">
<link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
<link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
<link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
<!-- Give IE8 a fighting chance -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="/guide/static/styles-v1.css" />
</head>
<!--© 2015-2025 Elasticsearch B.V. -->
<!-- All Elastic documentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. -->
<!-- http://creativecommons.org/licenses/by-nc-nd/4.0/ -->
<body>
<!-- Google Tag Manager -->
<script>dataLayer = [];</script><noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
<!-- End Google Tag Manager -->
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-12395217-16');
</script>
<!-- Google Tag Manager for GA4 -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-KNJMG2M');</script>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KNJMG2M" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<!-- End Google Tag Manager for GA4-->
<div id='elastic-nav' style="display:none;"></div>
<script src='https://www.elastic.co/elastic-nav.js'></script>
<div class="main-container">
<section id="content" >
<div class="content-wrapper">
<section id="guide" lang="en">
<div class="container-fluid">
<div class="row pb-3">
<div class="col-12 order-2 col-md-4 order-md-1 col-lg-3 h-almost-full-md sticky-top-md" id="left_col">
<!-- The TOC is appended here -->
</div>
<div class="col-12 order-1 col-md-8 order-md-2 col-lg-7 order-lg-2 guide-section" id="middle_col">
<!-- start body -->
<div class="page_header">
<strong>IMPORTANT</strong>: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
<a href="../current/index.html">current release documentation</a>.
</div>
<div class="navheader">
<span class="prev">
<a href="value-lists-exceptions.html">« Create and manage value lists</a>
</span>
<span class="next">
<a href="shared-exception-lists.html">Create and manage shared exception lists »</a>
</span>
</div>
<div class="book" lang="en">
<div class="titlepage">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="/guide/">Elastic Docs</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="index.html">Elastic Security Solution [8.12]</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="detection-engine-overview.html">Detections and alerts</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="detections-ui-exceptions.html">Rule exceptions</a></span>
</div>
<div>
<div><h1 class="title"><a id="id-1"></a>Add and manage exceptions</h1><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.12/docs/detections/add-exceptions.asciidoc">edit</a></div>
</div>
<!--EXTRA-->
</div>
<div id="content">
<div id="url-to-v3" class="version-warning">
<strong>IMPORTANT</strong>: This documentation is no longer updated. Refer to <a href="https://www.elastic.co/support/eol">Elastic's version policy</a> and the <a href="https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions">latest documentation</a>.
</div>
<div class="section">
<div class="titlepage"><div><div>
<div class="position-relative"><h2 class="title"><a id="add-exceptions"></a>Add and manage exceptions</h2><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.12/docs/detections/add-exceptions.asciidoc">edit</a></div>
</div></div></div>
<p>You can add exceptions to a rule from the rule details page, the Alerts table, the alert details flyout, or the Shared Exception Lists page. When you add an exception, you can also close all alerts that meet the exception’s criteria.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
For an exception to be applied reliably, the fields used in its query must be correctly and consistently mapped across every index the rule reads; a field that is mapped differently (or not at all) in one index will not match there. Refer to <a href="/guide/en/ecs/8.11" class="ulink" target="_top">ECS</a> to learn more about supported mappings.
</li>
<li class="listitem">
<p>Be careful when adding exceptions to <a class="xref" href="rules-ui-create.html#create-eql-rule" title="Create an event correlation rule">event correlation</a> rules. Exceptions are evaluated against every event in the sequence, so if the exception matches any single event that the sequence needs in order to complete, no alert is created. An exception that is broad enough to match an early-stage event can therefore suppress the entire correlation.</p>
<p>To exclude values from a
specific event in the sequence, update the rule’s EQL statement. For example:</p>
<div class="pre_wrapper lang-eql">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-eql">sequence
[file where file.extension == "exe"
and file.name != "app-name.exe"]
[process where true
and process.name != "process-name.exe"]</pre>
</div>
</li>
<li class="listitem">
Be careful when adding exceptions to <a class="xref" href="rules-ui-create.html#create-indicator-rule" title="Create an indicator match rule">indicator match</a> rules. Exceptions are evaluated against source and indicator indices, so if the exception matches events in <em>either</em> index, alerts are not generated.
</li>
</ul>
</div>
</div>
</div>
<div class="position-relative"><h4><a id="detection-rule-exceptions"></a>Add exceptions to a rule</h4><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.12/docs/detections/add-exceptions.asciidoc">edit</a></div>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Do one of the following:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>To add an exception from the rule details page:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Go to the rule details page of the rule to which you want to add an
exception (<span class="strong strong"><strong>Rules</strong></span> → <span class="strong strong"><strong>Detection rules (SIEM)</strong></span> → <span class="strong strong"><strong><em>Rule name</em></strong></span>).
</li>
<li class="listitem">
<p>Scroll down the rule details page, select the <span class="strong strong"><strong>Rule exceptions</strong></span> tab, then click <span class="strong strong"><strong>Add rule exception</strong></span>.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/rule-exception-tab.png" alt="Detail of rule exceptions tab">
</div>
</div>
</li>
</ol>
</div>
</li>
<li class="listitem">
<p>To add an exception from the Alerts table:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Go to <span class="strong strong"><strong>Alerts</strong></span>.
</li>
<li class="listitem">
Scroll down to the Alerts table, go to the alert you want to create an exception for, click the <span class="strong strong"><strong>More Actions</strong></span> menu (<span class="strong strong"><strong>…​</strong></span>), then select <span class="strong strong"><strong>Add rule exception</strong></span>.
</li>
</ol>
</div>
</li>
<li class="listitem">
<p>To add an exception from the alert details flyout:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Go to <span class="strong strong"><strong>Alerts</strong></span>.
</li>
<li class="listitem">
Click the <span class="strong strong"><strong>View details</strong></span> button from the Alerts table.
</li>
<li class="listitem">
In the alert details flyout, click <span class="strong strong"><strong>Take action → Add rule exception</strong></span>.
</li>
</ol>
</div>
</li>
<li class="listitem">
<p>To add an exception from the Shared Exception Lists page:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Go to <span class="strong strong"><strong>Rules</strong></span> → <span class="strong strong"><strong>Shared exception lists</strong></span>.
</li>
<li class="listitem">
Click <span class="strong strong"><strong>Create shared exception list</strong></span> → <span class="strong strong"><strong>Create exception item</strong></span>.
</li>
</ol>
</div>
</li>
</ul>
</div>
</li>
<li class="listitem">
In the <span class="strong strong"><strong>Add rule exception</strong></span> flyout, name the exception.
</li>
<li class="listitem">
<p>Add conditions that define the exception. When the exception’s query evaluates to <code class="literal">true</code>, rules don’t generate alerts even when their criteria are met.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>Rule exceptions are case-sensitive: a value matches only when its uppercase and lowercase characters are exactly as entered. If you <em>don’t</em> want a field evaluated case-sensitively, some ECS fields have a <code class="literal">.caseless</code> version that you can use. Keep in mind that a <code class="literal">.caseless</code> field broadens the exception to every case variant of the value.</p>
</div>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>When you create a new exception from an alert, exception conditions are auto-populated with relevant alert data. Data from custom highlighted fields is listed first. A comment that describes the auto-generated exception conditions is also added to the <span class="strong strong"><strong>Add comments</strong></span> section.</p>
</div>
</div>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p><span class="strong strong"><strong>Field</strong></span>: Select a field to identify the event being filtered.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>A warning displays for fields with conflicts. Using these fields might cause unexpected exceptions behavior. Refer to <a class="xref" href="ts-detection-rules.html#rule-exceptions-field-conflicts" title="Warning about type conflicts and unmapped fields">Troubleshooting type conflicts and unmapped fields</a> for more information.</p>
</div>
</div>
</li>
<li class="listitem">
<p><span class="strong strong"><strong>Operator</strong></span>: Select an operator to define the condition:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<code class="literal">is</code> | <code class="literal">is not</code> — Must be an exact match of the defined value.
</li>
<li class="listitem">
<code class="literal">is one of</code> | <code class="literal">is not one of</code> — Matches any of the defined values.
</li>
<li class="listitem">
<code class="literal">exists</code> | <code class="literal">does not exist</code> — The field is present (or absent) in the event, regardless of its value.
</li>
<li class="listitem">
<p><code class="literal">is in list</code> | <code class="literal">is not in list</code> — Matches values in a value list.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
An exception defined by a value list must use <code class="literal">is in list</code> or <code class="literal">is not in list</code> in all conditions.
</li>
<li class="listitem">
Wildcards are not supported in value lists.
</li>
<li class="listitem">
If a value list can’t be used due to <a class="xref" href="value-lists-exceptions.html#manage-value-lists" title="Create value lists">size or data type</a>, it’ll be unavailable in the <span class="strong strong"><strong>Value</strong></span> menu.
</li>
</ul>
</div>
</div>
</div>
</li>
<li class="listitem">
<p><code class="literal">matches</code> | <code class="literal">does not match</code> — Allows you to use wildcards in <span class="strong strong"><strong>Value</strong></span>, such as <code class="literal">C:\\path\\*\\app.exe</code>. Available wildcards are <code class="literal">?</code> (match one character) and <code class="literal">*</code> (match zero or more characters). The selected <span class="strong strong"><strong>Field</strong></span> data type must be <a href="/guide/en/elasticsearch/reference/8.12/keyword.html#keyword-field-type" class="ulink" target="_top">keyword</a>, <a href="/guide/en/elasticsearch/reference/8.12/text.html#text-field-type" class="ulink" target="_top">text</a>, or <a href="/guide/en/elasticsearch/reference/8.12/keyword.html#wildcard-field-type" class="ulink" target="_top">wildcard</a>.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Some characters must be escaped with a backslash, such as <code class="literal">\\</code> for a literal backslash, <code class="literal">\*</code> for an asterisk, and <code class="literal">\?</code> for a question mark. Windows paths must be divided with double backslashes (for example, <code class="literal">C:\\Windows\\explorer.exe</code>), and paths that already include double backslashes might require four backslashes for each divider.</p>
</div>
</div>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>Using wildcards can impact performance and can make an exception far broader than intended: because <code class="literal">*</code> matches zero or more characters, a bare <code class="literal">*</code> or a pattern that begins with <code class="literal">*</code> can suppress alerts well beyond the case you are tuning. To create a more efficient and more precise exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using <code class="literal">process.name</code> or <code class="literal">file.name</code> can help limit the scope of wildcard matching.</p>
</div>
</div>
</li>
</ul>
</div>
</li>
<li class="listitem">
<p><span class="strong strong"><strong>Value</strong></span>: Enter the value associated with the <span class="strong strong"><strong>Field</strong></span>. To enter multiple values (when using <code class="literal">is one of</code> or <code class="literal">is not one of</code>), enter each value, then press <span class="strong strong"><strong>Return</strong></span>.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>The <code class="literal">is one of</code> and <code class="literal">is not one of</code> operators match values exactly and are case-sensitive. For example, if you want to match both <code class="literal">Windows</code> and <code class="literal">windows</code>, add both values to the <span class="strong strong"><strong>Value</strong></span> field.</p>
</div>
</div>
<p>In the following example, the exception was created from the Rules page and prevents the rule from generating alerts when the <code class="literal">svchost.exe</code> process runs on hostname <code class="literal">siem-kibana</code>.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/add-exception-ui.png" alt="add exception ui">
</div>
</div>
</li>
</ol>
</div>
</li>
<li class="listitem">
Click <span class="strong strong"><strong>AND</strong></span> or <span class="strong strong"><strong>OR</strong></span> to create multiple conditions and define their relationships.
</li>
<li class="listitem">
Click <span class="strong strong"><strong>Add nested condition</strong></span> to create conditions using nested fields. This is only required for
<a class="xref" href="add-exceptions.html#nested-field-list">these nested fields</a>. For all other fields, nested conditions should not be used.
</li>
<li class="listitem">
<p>Choose to add the exception to a rule or a shared exception list.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you are creating an exception from the Shared Exception Lists page, you can add the exception to multiple rules.</p>
</div>
</div>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>If a shared exception list doesn’t exist, you can <a class="xref" href="shared-exception-lists.html" title="Create and manage shared exception lists">create one</a> from the Shared Exception Lists page.</p>
</div>
</div>
</li>
<li class="listitem">
(Optional) Enter a comment describing the exception.
</li>
<li class="listitem">
(Optional) Enter a future expiration date and time for the exception. Setting an expiration is good practice for exceptions that address a temporary condition, so that they don’t persist indefinitely and become a permanent gap in detection coverage.
</li>
<li class="listitem">
<p>Select one of the following alert actions:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<span class="strong strong"><strong>Close this alert</strong></span>: Closes the alert when the exception is added. This option
is only available when adding exceptions from the Alerts table.
</li>
<li class="listitem">
<span class="strong strong"><strong>Close all alerts that match this exception and were generated by this rule</strong></span>:
Closes all existing alerts that were generated by the current rule and match the exception’s conditions. Matching alerts generated by other rules are not closed.
</li>
</ul>
</div>
</li>
<li class="listitem">
Click <span class="strong strong"><strong>Add rule exception</strong></span>.
</li>
</ol>
</div>
<div class="position-relative"><h4><a id="endpoint-rule-exceptions"></a>Add Elastic Endpoint exceptions</h4><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.12/docs/detections/add-exceptions.asciidoc">edit</a></div>
<p>Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the Endpoint Security rule or by adding them as actions on alerts generated by the Endpoint Security rule. Elastic Endpoint alerts have the following fields:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<code class="literal">kibana.alert.original_event.module:endpoint</code>
</li>
<li class="listitem">
<code class="literal">kibana.alert.original_event.kind:alert</code>
</li>
</ul>
</div>
<p>You can also add Endpoint exceptions to other rules that have been associated with Elastic Endpoint exceptions. To associate a rule when creating or editing it, select the <a class="xref" href="rules-ui-create.html#rule-ui-advanced-params" title="Configure advanced rule settings (optional)"><span class="strong strong"><strong>Elastic Endpoint exceptions</strong></span></a> option.</p>
<p>Endpoint exceptions are added to the Endpoint Security rule <span class="strong strong"><strong>and</strong></span> to the Elastic Endpoint on your hosts, so matching events are excluded by the agent on the host as well as by the rule, not only in the detection engine.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>Exceptions added to the Endpoint Security rule affect all alerts sent
from the Endpoint agent, so an over-broad exception here can silently suppress Endpoint
alerts unrelated to the one you are tuning. Be careful not to unintentionally prevent useful Endpoint
alerts, and keep Endpoint exceptions as narrowly scoped as possible.</p>
<p>Additionally, to add an Endpoint exception to the Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the <a href="https://www.eicar.org/" class="ulink" target="_top">European Institute for Computer Anti-Virus Research (EICAR)</a>.</p>
</div>
</div>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p><a href="/guide/en/elasticsearch/reference/8.12/binary.html" class="ulink" target="_top">Binary fields</a> are not supported in detection rule exceptions.</p>
</div>
</div>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Do one of the following:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>To add an Endpoint exception from the rule details page:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Go to the rule details page (<span class="strong strong"><strong>Rules</strong></span> → <span class="strong strong"><strong>Detection rules (SIEM)</strong></span>), and then search for and select the Elastic <span class="strong strong"><strong>Endpoint Security</strong></span> rule.
</li>
<li class="listitem">
Scroll down the rule details page, select the <span class="strong strong"><strong>Endpoint exceptions</strong></span> tab, then click <span class="strong strong"><strong>Add endpoint exception</strong></span>.
</li>
</ol>
</div>
</li>
<li class="listitem">
<p>To add an Endpoint exception from the Alerts table:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Go to <span class="strong strong"><strong>Alerts</strong></span>.
</li>
<li class="listitem">
Scroll down to the Alerts table, and from an Elastic Endpoint
alert, click the <span class="strong strong"><strong>More actions</strong></span> menu (<span class="strong strong"><strong>…​</strong></span>), then select <span class="strong strong"><strong>Add Endpoint exception</strong></span>.
</li>
</ol>
</div>
</li>
<li class="listitem">
<p>To add an Endpoint exception from Shared Exception Lists page:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Go to <span class="strong strong"><strong>Rules</strong></span> → <span class="strong strong"><strong>Shared exception lists</strong></span>.
</li>
<li class="listitem">
<p>Expand the Endpoint Security Exception List or click the list name to open the list’s details page. Next, click <span class="strong strong"><strong>Add endpoint exception</strong></span>.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>The Endpoint Security Exception List is automatically created. By default, it’s associated with the Endpoint Security rule and any rules with the <a class="xref" href="rules-ui-create.html#rule-ui-advanced-params" title="Configure advanced rule settings (optional)"><span class="strong strong"><strong>Elastic Endpoint exceptions</strong></span></a> option selected.</p>
</div>
</div>
</li>
</ol>
</div>
</li>
</ul>
</div>
<p>The <span class="strong strong"><strong>Add Endpoint Exception</strong></span> flyout opens.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/endpoint-add-exp.png" alt="Add Endpoint Exception flyout">
</div>
</div>
</li>
<li class="listitem">
<p>If required, modify the conditions.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>Rule exceptions are case-sensitive, which means that any character that’s entered as an uppercase or lowercase letter will be treated as such. In the event you <em>don’t</em> want a field evaluated as case-sensitive, some ECS fields have a <code class="literal">.caseless</code> version that you can use.</p>
</div>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Fields with conflicts are marked with a warning icon (<span class="image"><img src="images/field-warning-icon.png" alt="Field conflict warning icon" width="13" height="13"></span>). Using these fields might cause unexpected exceptions behavior. For more information, refer to <a class="xref" href="ts-detection-rules.html#rule-exceptions-field-conflicts" title="Warning about type conflicts and unmapped fields">Troubleshooting type conflicts and unmapped fields</a>.
</li>
<li class="listitem">
The <code class="literal">is one of</code> and <code class="literal">is not one of</code> operators support identical, case-sensitive values. For example, if you want to match the values <code class="literal">Windows</code> and <code class="literal">windows</code>, add both values to the <span class="strong strong"><strong>Value</strong></span> field.
</li>
</ul>
</div>
</div>
</div>
</li>
<li class="listitem">
(Optional) Add a comment to the exception.
</li>
<li class="listitem">
<p>You can select any of the following:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<span class="strong strong"><strong>Close this alert</strong></span>: Closes the alert when the exception is added. This option
is only available when adding exceptions from the Alerts table.
</li>
<li class="listitem">
<span class="strong strong"><strong>Close all alerts that match this exception and were generated by this rule</strong></span>:
Closes all alerts that match the exception’s conditions and were generated by the current rule.
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Click <span class="strong strong"><strong>Add Endpoint Exception</strong></span>. An exception is created for both the detection rule and the Elastic Endpoint.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>In larger deployments, it might take longer for exceptions to be applied to hosts.</p>
</div>
</div>
</li>
</ol>
</div>
<div class="position-relative"><h4><a id="ex-nested-conditions"></a>Exceptions with nested conditions</h4><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.12/docs/detections/add-exceptions.asciidoc">edit</a></div>
<p>Some Endpoint objects contain nested fields, and the only way to ensure you are
excluding the correct fields is with nested conditions. One example is the
<code class="literal">process.Ext</code> object:</p>
<div class="pre_wrapper lang-json">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-json">{
"ancestry": [],
"code_signature": {
"trusted": true,
"subject_name": "LFC",
"exists": true,
"status": "trusted"
},
"user": "WDAGUtilityAccount",
"token": {
"elevation": true,
"integrity_level_name": "high",
"domain": "27FB305D-3838-4",
"user": "WDAGUtilityAccount",
"elevation_type": "default",
"sid": "S-1-5-21-2047949552-857980807-821054962-504"
}
}</pre>
</div>
<p><a id="nested-field-list"></a>Only these objects require nested conditions to ensure the exception functions
correctly:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<code class="literal">Endpoint.policy.applied.artifacts.global.identifiers</code>
</li>
<li class="listitem">
<code class="literal">Endpoint.policy.applied.artifacts.user.identifiers</code>
</li>
<li class="listitem">
<code class="literal">Target.dll.Ext.code_signature</code>
</li>
<li class="listitem">
<code class="literal">Target.process.Ext.code_signature</code>
</li>
<li class="listitem">
<code class="literal">Target.process.Ext.token.privileges</code>
</li>
<li class="listitem">
<code class="literal">Target.process.parent.Ext.code_signature</code>
</li>
<li class="listitem">
<code class="literal">Target.process.thread.Ext.token.privileges</code>
</li>
<li class="listitem">
<code class="literal">dll.Ext.code_signature</code>
</li>
<li class="listitem">
<code class="literal">file.Ext.code_signature</code>
</li>
<li class="listitem">
<code class="literal">file.Ext.macro.errors</code>
</li>
<li class="listitem">
<code class="literal">file.Ext.macro.stream</code>
</li>
<li class="listitem">
<code class="literal">process.Ext.code_signature</code>
</li>
<li class="listitem">
<code class="literal">process.Ext.token.privileges</code>
</li>
<li class="listitem">
<code class="literal">process.parent.Ext.code_signature</code>
</li>
<li class="listitem">
<code class="literal">process.thread.Ext.token.privileges</code>
</li>
</ul>
</div>
<div class="position-relative"><h5><a id="_nested_condition_example"></a>Nested condition example</h5><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.12/docs/detections/add-exceptions.asciidoc">edit</a></div>
<p>Creates an exception that excludes all LFC-signed trusted processes:</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/nested-exp.png" alt="Nested condition example that excludes LFC-signed trusted processes">
</div>
</div>
<div class="position-relative"><h4><a id="manage-exception"></a>View and manage exceptions</h4><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.12/docs/detections/add-exceptions.asciidoc">edit</a></div>
<p>To view a rule’s exceptions, open the rule’s details page (<span class="strong strong"><strong>Rules</strong></span> → <span class="strong strong"><strong>Detection rules (SIEM)</strong></span> → <span class="strong strong"><strong><em>Rule name</em></strong></span>), then scroll down and select the <span class="strong strong"><strong>Rule exceptions</strong></span> or <span class="strong strong"><strong>Endpoint exceptions</strong></span> tab. All exceptions that belong to the rule are displayed in a list. From the list, you can filter, edit, and delete exceptions. You can also toggle between <span class="strong strong"><strong>Active exceptions</strong></span> and <span class="strong strong"><strong>Expired exceptions</strong></span>.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/manage-default-rule-list.png" alt="A default rule list">
</div>
</div>
<div class="position-relative"><h4><a id="rules-using-same-exception"></a>Find rules using the same exceptions</h4><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.12/docs/detections/add-exceptions.asciidoc">edit</a></div>
<p>To find out if an exception is used by other rules, select the <span class="strong strong"><strong>Rule exceptions</strong></span> or <span class="strong strong"><strong>Endpoint exceptions</strong></span> tab, navigate to an exception list item, then click <span class="strong strong"><strong>Affects <em>X</em> rules</strong></span>.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Changes that you make to the exception also apply to other rules that use the exception.</p>
</div>
</div>
<div class="imageblock screenshot">
<div class="content">
<img src="images/exception-affects-multiple-rules.png" alt="Exception that affects multiple rules">
</div>
</div>
</div>
</div>
</div><div class="navfooter">
</div>
<!-- end body -->
</div>
</div>
</div>
</section>
</div>
<!-- Footer Section end-->
</section>
</div>
<script src="/guide/static/jquery.js"></script>
<script type="text/javascript" src="/guide/static/docs-v1.js"></script>
<script type="text/javascript">
window.initial_state = {}</script>
</body>
</html>