diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index d8440e8bc8..2e0efbc1f1 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -111,8 +111,16 @@ alerts. + NOTE: You can use {kib} saved queries (image:images/saved-query-menu.png[Saved query menu,18,18]) and queries from saved Timelines (*Import query from saved Timeline*) as rule conditions. +<<<<<<< HEAD .. Use the `Group by` and `Threshold` fields to determine which source event field is used as a threshold and the threshold's value. .. Use the `Count` field to limit alerts by cardinality of a certain field. +======= +.. Use the *Group by* and *Threshold* fields to determine which source event field is used as a threshold and the threshold's value. ++ +NOTE: Nested fields are not supported for use with *Group by*. ++ +.. Use the *Count* field to limit alerts by cardinality of a certain field. +>>>>>>> fbc53b52 (first pass, minor bugfix (#4683)) + For example, if `Group by` is `source.ip`, `destination.ip` and its `Threshold` is `10`, an alert is generated for every pair of source and destination IP addresses that appear in at least 10 of the rule's search results. +
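Review bot: the hunk at `@@ -111,8 +111,16 @@` adds unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> fbc53b52 (first pass, minor bugfix (#4683))`) to `rules-ui-create.asciidoc`, so this cannot be merged as-is; they would be published verbatim in the rendered docs. Resolve the conflict by keeping only the `=======`/`>>>>>>>` side, i.e. the bold `*Group by*`, `*Threshold*` and `*Count*` wording plus the `NOTE: Nested fields are not supported for use with *Group by*.`, and drop the `HEAD` side with backticked field names, which duplicates the same two bullets. Two follow-ups once resolved: the `+` continuation line between the NOTE and the `.. Use the *Count* field` item is not needed to attach a sibling list item and may not render as intended, so verify it in a docs build; and the unchanged context sentence `For example, if `Group by` is `source.ip`, `destination.ip` and its `Threshold` is `10`` still uses backticks for the UI field names, which is inconsistent with the bold style this change adopts for the same fields (and with `*Import query from saved Timeline*` just above), so it should be updated to `*Group by*` and `*Threshold*` in the same commit.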