Commit 71682d6

nastasha-solomonnaemono authored and committed
[Security][9.2 & Serverless]: Improvements to threshold rule documentation (elastic#3492)

Fixes elastic#2110.

The UI has copy and visual cues that specify the limit of fields that users can specify in the **Group by** field, so mentioning that info in the docs is not necessary. I did, however, expand the note under step 2c to include the information [in this comment](elastic/security-team#8240 (comment)).

[Preview](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3492/solutions/security/detect-and-alert/create-detection-rule#create-threshold-rule) - See the note under step 2c.
1 parent 82fbd47 commit 71682d6

1 file changed: +3 −1 lines changed

solutions/security/detect-and-alert/create-detection-rule.md

Lines changed: 3 additions & 1 deletion
@@ -142,7 +142,9 @@ To filter noisy {{ml}} rules, use [rule exceptions](/solutions/security/detect-a
142142
3. Use the **Group by** and **Threshold** fields to determine which source event field is used as a threshold and the threshold’s value.
143143

144144
::::{note}
145-
Nested fields are not supported for use with **Group by**.
145+
Consider the following when using the **Group by** field:
146+
- Nested fields are not supported.
147+
- High cardinality in the fields or a high number of matching documents can result in a rule timeout or a circuit breaker error from {{es}}.
146148
::::
147149

148150
4. Use the **Count** field to limit alerts by cardinality of a certain field.
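Review bot: the second new bullet in the note ("High cardinality in the fields or a high number of matching documents can result in a rule timeout or a circuit breaker error from {{es}}") names the failure modes but gives the reader nothing to act on; consider adding a short pointer to the levers they control, such as choosing fewer or lower-cardinality **Group by** fields or narrowing the rule query so that fewer documents match. It would also help to state how the failure surfaces (a rule that stops producing alerts and reports an error in its execution status), so that readers recognise the symptom when they hit it.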
