elastic · nastasha-solomon · Mar 28, 2023 · Feb 27, 2023 · Feb 27, 2023 · Feb 28, 2023
@@ -59,6 +59,11 @@ image::images/add-exception-ui.png[]
 Add conditions that define when the exception prevents alerts:
 
   .. *Field*: Select a field to identify the event being filtered.
++  
+[TIP] 
+=======
+Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,20,20]). Using these fields and might cause unexpected exceptions behavior. For more information, refer to <<rule-exceptions-field-conflicts>>.
+=======
 
   .. *Operator*: Select an operator to define the condition:
     * `is` | `is not` — Must be an exact match of the defined value.
@@ -72,9 +77,7 @@ Add conditions that define when the exception prevents alerts:
 * Wildcards are not supported in value lists.
 * If a value list can't be used due to <<manage-value-lists,size or data type>>, it'll be unavailable in the *Value* menu.
 =======
-    * `matches` | `does not match` — Allows you to use wildcards in *Value*, such as `C:\\path\\*\\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected *Field* data type must be {ref}/keyword.html#keyword-field-type[keyword], {ref}/text.html#text-field-type[text], or {ref}/keyword.html#wildcard-field-type[wildcard].
-+
-NOTE: Some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider.      
+    * `matches` | `does not match` — Allows you to use wildcards in *Value*, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected *Field* data type must be {ref}/keyword.html#keyword-field-type[keyword], {ref}/text.html#text-field-type[text], or {ref}/keyword.html#wildcard-field-type[wildcard].
 +
 IMPORTANT: Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.
 
@@ -158,6 +161,8 @@ image::images/endpoint-add-exp.png[]
 . If required, modify the conditions.
 +
 NOTE: Refer to <<ex-nested-conditions>> for more information on when nested conditions are required.
++
+TIP: Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,20,20]). Using these fields and might cause unexpected exceptions behavior. For more information, refer to <<understanding-field-conflicts>>.
 
 . You can select any of the following:
 

@@ -76,3 +76,40 @@ You can resolve this by expanding the time range, or by configuring {kib}'s auto
 
 CAUTION: Turning off `autocomplete:useTimeRange` could cause performance issues if the data set is especially large.
 ====
+
+[discrete]
+[[rule-exceptions-field-conflicts]]
+.Warning about type conflicts and unmapped fields 
+[%collapsible]
+====
+
+A warning icon (image:images/field-warning-icon.png[Field conflict warning icon,15,15]) and message appears for fields that have <<fields-with-conflicting-types,conflicting types>> or are <<unmapped-field-conflict,unmapped>> across specified indices. You can learn more about the conflict by hovering over the field. After you select it, the warning message is displayed beneath the field.
+
+NOTE: A field can have conflicting types _and_ be unmapped in specified indices.  
+
+[role="screenshot"]
+image::images/warning-icon-message.png[Shows the warning icon and message,80%]
+
+[float]
+[[fields-with-conflicting-types]]
+==== Fields with conflicting types  
+
+Type conflicts occur when a field is mapped to different types across multiple indices. Use the information about a field's type mapping to ensure you're entering correct field values when defining exception conditions. 
+
+In the following example, the selected field has been defined as different types across five indices.
+
+[role="screenshot"]
+image::images/warning-type-conflicts.png[Warning for unmapped fields,80%] 
+
+[float]
+[[unmapped-field-conflict]]
+==== Unmapped fields 
+
+Unmapped fields are undefined within an index's mapping definition. Selecting an unmapped field could stop the exception from being applied to the rule's indices. This could lead to false positives or unexpected alerts being created.  
+
+In the following example, the selected field has type conflicts and is unmapped across two indices. It also has type conflicts in three indices.
+
+[role="screenshot"]
+image::images/warning-unmapped-fields.png[Warning for unmapped fields,80%] 
+
+====