From 709d8897d9031db01632659a40bea3c65b8e29bf Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Wed, 15 Oct 2025 16:42:05 -0400 Subject: [PATCH 1/2] Adding note --- solutions/security/detect-and-alert/create-detection-rule.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/solutions/security/detect-and-alert/create-detection-rule.md b/solutions/security/detect-and-alert/create-detection-rule.md index c136a77535..8955c5c448 100644 --- a/solutions/security/detect-and-alert/create-detection-rule.md +++ b/solutions/security/detect-and-alert/create-detection-rule.md @@ -142,7 +142,8 @@ To filter noisy {{ml}} rules, use [rule exceptions](/solutions/security/detect-a 3. Use the **Group by** and **Threshold** fields to determine which source event field is used as a threshold and the threshold’s value. ::::{note} - Nested fields are not supported for use with **Group by**. + - Nested fields are not supported for use with **Group by**. + - High cardinality in the fields or a high amount of matching documents will result in either a rule timeout or a circuit breaker error from {{es}}. :::: 4. Use the **Count** field to limit alerts by cardinality of a certain field. From dd276d29186c9a6bfa5949bfd707c5b2853f06ee Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Thu, 16 Oct 2025 15:25:10 -0400 Subject: [PATCH 2/2] Revise --- solutions/security/detect-and-alert/create-detection-rule.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/solutions/security/detect-and-alert/create-detection-rule.md b/solutions/security/detect-and-alert/create-detection-rule.md index 8955c5c448..e15502248c 100644 --- a/solutions/security/detect-and-alert/create-detection-rule.md +++ b/solutions/security/detect-and-alert/create-detection-rule.md 
@@ -142,8 +142,9 @@ To filter noisy {{ml}} rules, use [rule exceptions](/solutions/security/detect-a 3. Use the **Group by** and **Threshold** fields to determine which source event field is used as a threshold and the threshold’s value. ::::{note} - - Nested fields are not supported for use with **Group by**. - - High cardinality in the fields or a high amount of matching documents will result in either a rule timeout or a circuit breaker error from {{es}}. + Consider the following when using the **Group by** field: + - Nested fields are not supported. + - High cardinality in the fields or a high number of matching documents can result in a rule timeout or a circuit breaker error from {{es}}. :::: 4. Use the **Count** field to limit alerts by cardinality of a certain field.
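Review bot: In the first patch's hunk (the `@@ -142,7 +142,8 @@` hunk), the added bullet "High cardinality in the fields or a high amount of matching documents will result in either a rule timeout or a circuit breaker error from {{es}}" overstates the behaviour: whether the rule times out or trips a circuit breaker depends on the data and the cluster, so "will result in" should be "can result in", and "a high amount of matching documents" should be "a high number of matching documents" (documents are countable). The first bullet also only re-wraps the existing sentence as a list item, so the hunk would be smaller if the original line were kept and the new bullet added beneath a short lead-in.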
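Review bot: In the second patch's hunk (`@@ -142,8 +142,9 @@`), the new lead-in "Consider the following when using the **Group by** field:" is singular, but the second bullet still says "High cardinality in the fields", which leaves the reader unsure which fields are meant; make the bullet match the lead-in, for example "High cardinality in the **Group by** field or a high number of matching documents can result in a rule timeout or a circuit breaker error from {{es}}." The note also names the failure modes without saying what to do about them; a short clause pointing the reader to narrow the rule's query or group on a lower-cardinality field would make the warning actionable rather than just descriptive.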