diff --git a/docs/detections/detections-req.asciidoc b/docs/detections/detections-req.asciidoc
index fa5d106bab..e70f02a821 100644
--- a/docs/detections/detections-req.asciidoc
+++ b/docs/detections/detections-req.asciidoc
@@ -20,15 +20,16 @@ These steps are only required for *self-managed* deployments:
 
 * HTTPS must be configured for communication between
 {kibana-ref}/configuring-tls.html#configuring-tls-kib-es[{es} and {kib}].
-* In the `elasticsearch.yml` configuration file, set the
-`xpack.security.enabled` setting to `true`. For more information, refer to
-{ref}/settings.html[Configuring {es}] and
-{ref}/security-settings.html[Security settings in {es}].
 * In the `kibana.yml` {kibana-ref}/settings.html[configuration file], add the
 `xpack.encryptedSavedObjects.encryptionKey` setting with any alphanumeric value
 of at least 32 characters. For example:
 +
 `xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'`
+* In the `elasticsearch.yml` {ref}/settings.html[configuration] file: 
+
+** Set the `xpack.security.enabled` setting to `true`. For more information, refer to {ref}/security-settings.html[general security settings in {es}].
+** If the `search.allow_expensive_queries` setting is set to `false`, remove it. If set to its default value of `true` or not included in the file, you don't need to change it. This setting must be `true` for key detection features, such as {kibana-ref}/alerting-getting-started.html#_rules[alerting rules] and rule exceptions, to work.
+
 
 IMPORTANT: After changing the `xpack.encryptedSavedObjects.encryptionKey` value
 and restarting {kib}, you must restart all detection rules.