diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index d8440e8bc8..ef92f3f316 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -110,8 +110,11 @@ With either option, you can view all events associated with suppressed alerts by alerts. + NOTE: You can use {kib} saved queries (image:images/saved-query-menu.png[Saved query menu,18,18]) and queries from saved Timelines (*Import query from saved Timeline*) as rule conditions. - ++ .. Use the `Group by` and `Threshold` fields to determine which source event field is used as a threshold and the threshold's value. ++ +NOTE: Nested fields are not supported for use with *Group by*. ++ .. Use the `Count` field to limit alerts by cardinality of a certain field. + For example, if `Group by` is `source.ip`, `destination.ip` and its `Threshold` is `10`, an alert is generated for every pair of source and destination IP addresses that appear in at least 10 of the rule's search results.
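Review bot: the added `NOTE: Nested fields are not supported for use with *Group by*.` does not say what "nested" means here, and the very next example uses `source.ip`, a dotted field path that a reader could easily mistake for a nested field. Suggest stating that the restriction applies to fields mapped with the Elasticsearch `nested` data type, not to dotted field names inside ordinary objects, for example: `NOTE: Fields of the Elasticsearch `nested` type are not supported for use with *Group by*. Dotted field names such as `source.ip` are fine.` Also, the new note writes *Group by* in bold while the step it attaches to writes `Group by` in monospace; pick one form so the two adjacent references match. The `++` continuation lines that replace the removed blank line look right for keeping the NOTE inside the list item.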