Update uba-lite_with_statistics.md

moved the note

docs/searches/uba-lite_with_statistics.md

@@ -1,12 +1,12 @@
 # UBA-lite with Basic Statistics
 
-!!! note
- This is just an example using basic statistics and a CSV lookup. You can make this much more efficient at scale by utilizing a KVstore OR outputting to a summary index / accelerated report and searching back on that data.
-
 By comparing entity activity against itself or entities in a peer group (IE business unit, asset category, etc), you can create rules that offer anomaly detection capabilities similar to a UBA/UEBA solution. In RBA, you might use this as rules that generate risk events, or a field to use as a risk factor, or even just tags for the entity so that when you're investigating a risk-based alert you have an idea that this entity has been behaving erratically compared to various standards of behavior.
 
 ## Example: Event Count Variance per Category by Risk Object
 
+!!! note
+ This is just an example using basic statistics and a CSV lookup. You can make this much more efficient at scale by utilizing a KVstore OR outputting to a summary index / accelerated report and searching back on that data.
+
 In this case, we are utilizing the "category" field from the Asset & Identity Framework. We are specifically looking at the identity lookup(`identity_lookup_expanded`) and not the asset lookup(`asset_lookup_by_str/cidr`).
 
 In this example, I'm creating sample data with two queries, one with relative_time(-7d) and one now(). In actual practice,you want to run something like this weekly on the past week to fill out a lookup (`baseline_risk_events.csv`) which will measure event counts per risk object and category week after week, to use for average/stdev statistics. You could also *actually* run this query on a timerange of the previous week so that the `ran=relative_time(now(),"-7d")` is accurate.