[DOCS] EQL updates (#1391) (#1394)

mergify[bot] · jmikell821 · web-flow · commit a346befd0d8d · 2022-01-11T16:00:39.000-05:00
* Two slight changes to EQL stuff. * Small edit. (cherry picked from commit 709b0d5) Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc
@@ -84,9 +84,9 @@ exception's criteria.
 
 [IMPORTANT]
 ==============
-Be careful when adding exceptions to event correlation rules. Exceptions are
-evaluated against every event in the sequence, and when the exception matches any
-event(s) in the sequence, alerts are not generated. To exclude values from a
+Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and when the exception matches _all_ event(s) in the sequence, alerts _are not_ generated. If the exception only matches _some_ of the events in the sequence, alerts _are_ generated. 
+
+To exclude values from a
 specific event in the sequence, update the rule's EQL statement. For example:
 
 [source,eql]
diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc
@@ -101,7 +101,7 @@ image::images/create-new-rule.png[]
 [IMPORTANT]
 ==============
 To create or edit {ml} rules, you must have the https://www.elastic.co/subscriptions[appropriate license] or use a
-{ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user 
+{ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user
 role, and the selected {ml} job must be running for the rule to function correctly.
 ==============
 
@@ -190,7 +190,7 @@ network connection:
 +
 ** *Index patterns*: `winlogbeat-*`
 +
-> Winlogbeat ships Windows events to {es-sec}.
+> Winlogbeat ships Windows events to {elastic-sec}.
 
 ** *EQL query*:
 +
@@ -305,7 +305,7 @@ values:
 [role="screenshot"]
 image::images/severity-mapping-ui.png[]
 +
-NOTE: For threshold rules, not all source event values can be used for overrides; only the fields that were aggregated over (the `Group by` fields) will contain data.
+NOTE: For threshold rules, not all source event values can be used for overrides; only the fields that were aggregated over (the `Group by` fields) will contain data. Please also note that overrides are not supported for event correlation rules.
 .. *Default risk score*: A numerical value between 0 and 100 that correlates
 with the *Severity* level. General guidelines are:
 * `0` - `21` represents low severity.

Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ image::images/create-new-rule.png[]`
`101`	`101`	`[IMPORTANT]`
`102`	`102`	`==============`
`103`	`103`	`To create or edit {ml} rules, you must have the https://www.elastic.co/subscriptions[appropriate license] or use a`
`104`		-{ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user
	`104`	+{ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user
`105`	`105`	`role, and the selected {ml} job must be running for the rule to function correctly.`
`106`	`106`	`==============`
`107`	`107`
`@@ -190,7 +190,7 @@ network connection:`
`190`	`190`	`+`
`191`	`191`	** Index patterns: `winlogbeat-*`
`192`	`192`	`+`
`193`		`-> Winlogbeat ships Windows events to {es-sec}.`
	`193`	`+> Winlogbeat ships Windows events to {elastic-sec}.`
`194`	`194`
`195`	`195`	`** EQL query:`
`196`	`196`	`+`
`@@ -305,7 +305,7 @@ values:`
`305`	`305`	`[role="screenshot"]`
`306`	`306`	`image::images/severity-mapping-ui.png[]`
`307`	`307`	`+`
`308`		-NOTE: For threshold rules, not all source event values can be used for overrides; only the fields that were aggregated over (the `Group by` fields) will contain data.
	`308`	+NOTE: For threshold rules, not all source event values can be used for overrides; only the fields that were aggregated over (the `Group by` fields) will contain data. Please also note that overrides are not supported for event correlation rules.
`309`	`309`	`.. Default risk score: A numerical value between 0 and 100 that correlates`
`310`	`310`	`with the Severity level. General guidelines are:`
`311`	`311`	* `0` - `21` represents low severity.