diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 85ed3c7d39..1060d6b90d 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -108,6 +108,9 @@ alerts. NOTE: You can use {kib} saved queries (image:images/saved-query-menu.png[Saved query menu,18,18]) and queries from saved Timelines (*Import query from saved Timeline*) as rule conditions. .. Use the *Group by* and *Threshold* fields to determine which source event field is used as a threshold and the threshold's value. ++ +NOTE: Nested fields are not supported for use with *Group by*. ++ .. Use the *Count* field to limit alerts by cardinality of a certain field. + For example, if *Group by* is `source.ip, destination.ip` and its *Threshold* is `10`, an alert is generated for every pair of source and destination IP addresses that appear in at least 10 of the rule's search results.
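Review bot: the added NOTE ("Nested fields are not supported for use with *Group by*") does not say which kind of field it means or what the user observes when one is selected; consider spelling out whether this refers to the Elasticsearch `nested` field type (ideally with a link to its reference) and whether the field is hidden from the *Group by* picker, rejected with an error, or silently ignored, so readers can recognize the case. The `+` list-continuation lines around the NOTE look right for keeping it attached to the *Group by* step rather than breaking the `..` list.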