Update command_and_control_frequent_egress_netcon_from_sus_executable.toml

Author: Aegrah

rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml

@@ -11,7 +11,8 @@ author = ["Elastic"]
 description = """
 This rule detects a high number of egress network connections from an unusual executable on a Linux system.
 This could indicate a command and control (C2) communication attempt, a brute force attack via a malware
-infection or other malicious activity.
+infection, or other malicious activity. ES|QL rules have limited fields available in its alert documents.
+Make sure to review the original documents to aid in the investigation of this alert.
 """
 from = "now-61m"
 interval = "1h"