diff --git a/docs/management/admin/event-filters.asciidoc b/docs/management/admin/event-filters.asciidoc index 90845a03e6..06fde46542 100644 --- a/docs/management/admin/event-filters.asciidoc +++ b/docs/management/admin/event-filters.asciidoc @@ -36,12 +36,18 @@ For example, in the KQL search bar, enter the following query to find endpoint n -- + [role="screenshot"] -image::images/event-filter.png[] +image::images/event-filter.png[Add event filter flyout, 80%] . Fill in these fields in the **Details** section: .. `Name`: Enter a name for the event filter. .. `Description`: Enter a filter description (optional). . In the **Conditions** section, depending which page you're using to create the filter, either modify the pre-populated conditions or add new conditions to define how {elastic-sec} will filter events. Use these settings: .. `Select operating system`: Select the appropriate operating system. + .. Select which kind of event filter you'd like to create: added:[8.15.0,Coming to {serverless-full}.] + * `Events`: Create a generic event filter that can match any event type. All matching events are excluded. + * `Process Descendants`: Create a filter that suppresses the descendant activity of a specified process. Events from the matched process will be ingested, but events from its descendant processes will be excluded. ++ +This option adds the condition `event.category is process` to narrow the filter to process-type events. You can add more conditions to identify the process whose descendants you want to exclude. + .. `Field`: Select a field to identify the event being filtered. .. `Operator`: Select an operator to define the condition. Available options are: * `is` diff --git a/docs/management/admin/images/event-filter.png b/docs/management/admin/images/event-filter.png index 27546be716..9937fff516 100644 Binary files a/docs/management/admin/images/event-filter.png and b/docs/management/admin/images/event-filter.png differ
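Review bot: The new `Process Descendants` bullet in the first hunk should spell out the visibility trade-off it introduces, because a reader choosing this option is deliberately dropping all endpoint telemetry from every child (and grandchild) of the matched process. Suggest appending a sentence after "events from its descendant processes will be excluded", along the lines of: "Because this suppresses all activity spawned by the matched process, make the conditions as specific as possible (for example, match on the full executable path rather than only the process name) so that an unrelated or renamed process cannot inherit the exclusion." The continuation paragraph ("This option adds the condition `event.category is process`...") should also say whether that pre-populated condition can be removed or edited, since the following step ("`Field`: Select a field to identify the event being filtered") reads as if all conditions are free-form; if the condition is fixed, say so explicitly. Minor, in the unchanged context line: "depending which page you're using" reads better as "depending on which page you're using". The `added:[8.15.0,Coming to {serverless-full}.]` marker is placed after the list-item colon; check the rendered output to confirm the version badge sits where intended and that the trailing period inside the brackets does not render as a stray character. The second hunk (binary image update) needs no comment beyond confirming the new screenshot shows the added event-filter type selector described in the text.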