Adding note

Author: nastasha-solomon

solutions/security/detect-and-alert/create-detection-rule.md

@@ -142,7 +142,8 @@ To filter noisy {{ml}} rules, use [rule exceptions](/solutions/security/detect-a
     3. Use the **Group by** and **Threshold** fields to determine which source event field is used as a threshold and the threshold’s value.
 
         ::::{note}
-        Nested fields are not supported for use with **Group by**.
+        - Nested fields are not supported for use with **Group by**.
+        - High cardinality in the fields or a high amount of matching documents will result in either a rule timeout or a circuit breaker error from {{es}}.
         ::::
 
     4. Use the **Count** field to limit alerts by cardinality of a certain field.