First draft

nastasha-solomon · nastasha-solomon · commit 07b5ad6f918f · 2025-10-21T17:20:28.000-04:00
diff --git a/docs/detections/detections-req.asciidoc b/docs/detections/detections-req.asciidoc
@@ -20,15 +20,15 @@ These steps are only required for *self-managed* deployments:
 
 * HTTPS must be configured for communication between
 {kibana-ref}/configuring-tls.html#configuring-tls-kib-es[{es} and {kib}].
-* In the `elasticsearch.yml` configuration file, set the
-`xpack.security.enabled` setting to `true`. For more information, refer to
-{ref}/settings.html[Configuring {es}] and
-{ref}/security-settings.html[Security settings in {es}].
 * In the `kibana.yml` {kibana-ref}/settings.html[configuration file], add the
 `xpack.encryptedSavedObjects.encryptionKey` setting with any alphanumeric value
 of at least 32 characters. For example:
 +
 `xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'`
+* In the `elasticsearch.yml` {ref}/settings.html[configuration] file: 
+
+** Set the `xpack.security.enabled` setting to `true`. For more information, refer to {ref}/security-settings.html[general security settings in {es}].
+** Remove the line `search.allow_expensive_queries=false` if you find it. The `search.allow_expensive_queries` setting must be left on its default value of `true` for key detection features like {kib}/alerting-getting-started.html#_rules[alerting rules] and rule exceptions to work.
 
 IMPORTANT: After changing the `xpack.encryptedSavedObjects.encryptionKey` value
 and restarting {kib}, you must restart all detection rules.
