[DOCS] Explain requirement to create Endpoint exception (#1428) (#1451)

mergify[bot] · joepeeples · web-flow · commit b0be06196d61 · 2022-01-26T16:44:27.000-05:00
* First draft * Second draft * Tighten up procedure * Update detections-ui-exceptions.asciidoc * Update detections-ui-exceptions.asciidoc * Apply suggestions from Ben's review Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> * Restructure procedure syntax * Update docs/detections/detections-ui-exceptions.asciidoc Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> (cherry picked from commit 4491fc5) Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc
@@ -152,55 +152,53 @@ Closes all alerts that match the exception's conditions and were generated only
 
 [float]
 [[endpoint-rule-exceptions]]
-=== Add Elastic Endpoint Security exceptions
+=== Add Elastic {endpoint-sec} exceptions
 
-Like detection rule exceptions, you can add Endpoint agent exceptions via both
-the Elastic Endpoint Security rule and its generated alerts. Alerts generated
-from the Elastic Endpoint Security rule have the following fields:
+Like detection rule exceptions, you can add Endpoint agent exceptions either by editing Elastic {endpoint-sec} rules or by adding them as an action on alerts generated by {endpoint-sec} rules. Elastic {endpoint-sec} alerts have the following fields:
 
 * `signal.original_event.module determined:endpoint`
 * `signal.original_event.kind:alert`
 
-Additionally, you can add Endpoint exceptions via rules that are associated
-with Elastic endpoint rule exceptions. To associate rules, when creating or
-editing a rule select the
-<<rule-ui-advanced-params, _Elastic endpoint exceptions_>> option.
+You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules, when creating or editing a rule, select the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option.
 
 [IMPORTANT]
 =============
-Exceptions added to the Elastic Endpoint Security rule affect all alerts sent
+Exceptions added to the Elastic {endpoint-sec} rule affect all alerts sent
 from the Endpoint agent. Be careful not to unintentionally prevent some Endpoint
 alerts.
+
+Additionally, to add an Endpoint exception to the Elastic {endpoint-sec} rule, there must be at least one {endpoint-sec} alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)].
 =============
 
-. To add an Endpoint exception via the rule details page:
+. Do one of the following:
++
+--
+* To add an Endpoint exception from the rule details page:
 .. Go to the rule details page (*Detect* -> *Rules*), and then search for and  select the Elastic *Security Endpoint* rule.
 .. Scroll down to the *Trend* histogram and select the *Exceptions* tab.
 .. Click *Add new exception* -> *Add Endpoint exception*.
-. To add an exception via the Alerts table:
+* To add an Endpoint exception from the Alerts table:
 .. Go to *Detect* -> *Alerts*.
 .. Scroll down to the Alerts table, and from an Elastic Security Endpoint
 alert, click the *More actions* button (*...*), then select *Add Endpoint exception*.
+--
 +
-The *Add Endpoint Exception* window opens (via the Alerts table).
+The *Add Endpoint Exception* window opens, from either the rule details page or the Alerts table.
 +
 [role="screenshot"]
 image::images/endpoint-add-exp.png[]
 . If required, modify the conditions.
 +
-NOTE: <<ex-nested-conditions>> describes when nested conditions are required.
+NOTE: See <<ex-nested-conditions>> for more information on when nested conditions are required.
 
 . You can select any of the following:
 
 * *Close this alert*: Closes the alert when the exception is added. This option
-is only available when adding exceptions via the Alerts table.
-* *Close all alerts that match this exception, including alerts generated by other rules*:
+is only available when adding exceptions from the Alerts table.
+* *Close all alerts that match this exception and were generated by this rule*:
 Closes all alerts that match the exception's conditions.
 
-. Click *Add Exception*.
-+
-An exception is created for both the detection rule *and* the Elastic Endpoint
-agent.
+. Click *Add Endpoint Exception*. An exception is created for both the detection rule and the {elastic-endpoint}.
 
 [float]
 [[ex-nested-conditions]]
