diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 1b78fcdb94..abd2631004 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -270,7 +270,9 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data To create an {esql} rule: . Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page appears. -. Select **{esql}**, then write a <>. +. Select **{esql}**, then write a query. ++ +NOTE: Refer to the sections below to learn more about <>, <>, and <>. + TIP: Click the help icon (image:images/esql-ref-button.png[Click the ES|QL help icon,20,20]) to open the in-product reference documentation for all {esql} commands and functions. + 
@@ -358,6 +360,30 @@ FROM logs-* [metadata _id, _index, _version] | LIMIT 10 ----- +[float] +[[esql-query-design]] +==== Query design considerations + +When writing your query, consider the following: + +- The {ref}/esql-commands.html#esql-limit[`LIMIT`] command specifies the number of rows an {esql} query returns and the number of alerts created per rule execution. Similarly, a detection rule's <> setting specifies the maximum number of alerts it can create every time it runs. ++ +If the `LIMIT` value is lower than the `max_signals` value, the rule uses the `LIMIT` value to determine the maximum number of alerts the rule generates. If the `LIMIT` value is higher than the `max_signals` value, the rule uses the `max_signals` value. ++ +NOTE: The `max_signals` default value is 100. You can modify it using the <>. ++ + +- When writing an aggregating query, use the {ref}/esql-commands.html#esql-stats-by[`STATS...BY`] command with fields that you want to search and filter for after alerts are created. For example, using the `host.name`, `user.name`, `process.name` fields with the `BY` operator of the `STATS...BY` command returns these fields in alert documents, and allows you to search and filter for them from the Alerts table. + +[float] +[[esql-rule-limitations]] +==== {esql} rule limitations + +The {esql} rule has the following limitations: + +- If your {esql} query creates new fields that aren’t part of the ECS schema, they won’t be mapped to the alerts index and you can't search or filter for them from the Alerts table. As a workaround, create <>. +- If your {esql} query creates new fields that aren’t in the query’s source index, they can’t be added to the rule’s <>. + [float] [[rule-ui-basic-params]] === Configure basic rule settings
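Review bot: In the first hunk, the added NOTE points at three cross-references ("learn more about <>, <>, and <>") but the targets are not readable in the diff as shown; please confirm that two of them resolve to the new `[[esql-query-design]]` and `[[esql-rule-limitations]]` anchors introduced later in this patch, and that the original `<>` link dropped from the "Select **{esql}**, then write a query." step is still reachable from the NOTE, otherwise readers lose the link to the query-type section that the old text carried. Also consider naming the sections in the NOTE ("query types, query design, and rule limitations") rather than relying on "the sections below", since the tip and the reference pages sit between this step and those sections.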
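Review bot: In the second hunk, the `LIMIT` / `max_signals` paragraph covers only the cases where `LIMIT` is lower or higher than `max_signals` but not the case where the query omits `LIMIT` entirely, nor the case where the two values are equal; add a sentence stating which cap applies when no `LIMIT` command is present (the effective rule is the smaller of the two values, so saying "the rule uses whichever of `LIMIT` and `max_signals` is lower" would also cover the equal case in one line). Two smaller points in the same hunk: "the `BY` operator of the `STATS...BY` command" should read "the `BY` clause", and the limitations bullets use curly apostrophes ("aren’t", "won’t", "query’s") while the surrounding text uses straight ones ("can't"), so normalise to straight quotes for consistency with the rest of the file.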