From ac5779c120a492339da7ee43753f1d9561bc9026 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 29 Nov 2023 18:17:08 -0500 Subject: [PATCH] First draft --- docs/detections/rules-ui-create.asciidoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index abd2631004..ab6ae60238 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -177,6 +177,9 @@ NOTE: {elastic-sec} provides limited support for indicator match rules. See < *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. . To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: ++ +NOTE: Only single-value fields are supported. ++ .. *Source*: The individual index patterns or data view that specifies what data to search. .. *Custom query*: The query and filters used to retrieve the required results from the {elastic-sec} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`.
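Review bot: The new admonition "Only single-value fields are supported." is too vague to act on in the position it occupies, right after "fill in the following fields:" and before the first field (*Source*), where a reader will take it to apply to *Source* and *Custom query* rather than to the field-to-indicator mapping it presumably concerns. Say which fields the restriction covers (the event field, the indicator field, or both) and what "single-value" rules out, for example whether a field that holds several values in one document is skipped, not matched, or rejected when the rule is saved, and consider moving the note next to the field entries it applies to. The two `+` continuation lines around the NOTE are correct AsciiDoc for keeping the admonition inside the numbered step, so the structure itself is fine; the gap is only in the wording and placement.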