From 07b5ad6f918fac0ef9c5119c4a0f61c089c4f39d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 21 Oct 2025 17:20:28 -0400 Subject: [PATCH 1/5] First draft --- docs/detections/detections-req.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/detections/detections-req.asciidoc b/docs/detections/detections-req.asciidoc index fa5d106bab..62d1b9dd32 100644 --- a/docs/detections/detections-req.asciidoc +++ b/docs/detections/detections-req.asciidoc @@ -20,15 +20,15 @@ These steps are only required for *self-managed* deployments: * HTTPS must be configured for communication between {kibana-ref}/configuring-tls.html#configuring-tls-kib-es[{es} and {kib}]. -* In the `elasticsearch.yml` configuration file, set the -`xpack.security.enabled` setting to `true`. For more information, refer to -{ref}/settings.html[Configuring {es}] and -{ref}/security-settings.html[Security settings in {es}]. * In the `kibana.yml` {kibana-ref}/settings.html[configuration file], add the `xpack.encryptedSavedObjects.encryptionKey` setting with any alphanumeric value of at least 32 characters. For example: + `xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'` +* In the `elasticsearch.yml` {ref}/settings.html[configuration] file: + +** Set the `xpack.security.enabled` setting to `true`. For more information, refer to {ref}/security-settings.html[general security settings in {es}]. +** Remove the line `search.allow_expensive_queries=false` if you find it. The `search.allow_expensive_queries` setting must be left on its default value of `true` for key detection features like {kib}/alerting-getting-started.html#_rules[alerting rules] and rule exceptions to work. IMPORTANT: After changing the `xpack.encryptedSavedObjects.encryptionKey` value and restarting {kib}, you must restart all detection rules. From 5bc05446b601dca81fca7dcb3cb7dfe4a78f10c4 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon Date: Tue, 21 Oct 2025 17:59:26 -0400 Subject: [PATCH 2/5] Fixed attribute --- docs/detections/detections-req.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/detections-req.asciidoc b/docs/detections/detections-req.asciidoc index 62d1b9dd32..e5dc31ab3a 100644 --- a/docs/detections/detections-req.asciidoc +++ b/docs/detections/detections-req.asciidoc @@ -28,7 +28,7 @@ of at least 32 characters. For example: * In the `elasticsearch.yml` {ref}/settings.html[configuration] file: ** Set the `xpack.security.enabled` setting to `true`. For more information, refer to {ref}/security-settings.html[general security settings in {es}]. -** Remove the line `search.allow_expensive_queries=false` if you find it. The `search.allow_expensive_queries` setting must be left on its default value of `true` for key detection features like {kib}/alerting-getting-started.html#_rules[alerting rules] and rule exceptions to work. +** Remove the line `search.allow_expensive_queries=false` if you find it. The `search.allow_expensive_queries` setting must be left on its default value of `true` for key detection features like {kibana-ref}/alerting-getting-started.html#_rules[alerting rules] and rule exceptions to work. IMPORTANT: After changing the `xpack.encryptedSavedObjects.encryptionKey` value and restarting {kib}, you must restart all detection rules. From 8d9b464fc0afb001087bd8d037d4ac6a94988f6c Mon Sep 17 00:00:00 2001 From: Steven de Salas Date: Wed, 22 Oct 2025 13:03:16 +0200 Subject: [PATCH 3/5] Update docs/detections/detections-req.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/detections/detections-req.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/detections/detections-req.asciidoc b/docs/detections/detections-req.asciidoc index e5dc31ab3a..c250ad6e68 100644 --- a/docs/detections/detections-req.asciidoc 
+++ b/docs/detections/detections-req.asciidoc @@ -28,7 +28,8 @@ of at least 32 characters. For example: * In the `elasticsearch.yml` {ref}/settings.html[configuration] file: ** Set the `xpack.security.enabled` setting to `true`. For more information, refer to {ref}/security-settings.html[general security settings in {es}]. -** Remove the line `search.allow_expensive_queries=false` if you find it. The `search.allow_expensive_queries` setting must be left on its default value of `true` for key detection features like {kibana-ref}/alerting-getting-started.html#_rules[alerting rules] and rule exceptions to work. +** If the `search.allow_expensive_queries` setting is set to `false`, remove it. If the setting is set to its default value of `true` or not included in the `elasticsearch.yml` file, you don't need to change it. When this setting is set to `true`, it allows key detection features, such as {kibana-ref}/alerting-getting-started.html#_rules[alerting rules] and rule exceptions, to work. + IMPORTANT: After changing the `xpack.encryptedSavedObjects.encryptionKey` value and restarting {kib}, you must restart all detection rules. From ae191616bf8a5c526a550e0b682ab37e84164444 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 22 Oct 2025 11:45:39 -0400 Subject: [PATCH 4/5] Update docs/detections/detections-req.asciidoc Co-authored-by: Steven de Salas --- docs/detections/detections-req.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/detections-req.asciidoc b/docs/detections/detections-req.asciidoc index c250ad6e68..cfb4aa84c8 100644 --- a/docs/detections/detections-req.asciidoc +++ b/docs/detections/detections-req.asciidoc 
@@ -28,7 +28,7 @@ of at least 32 characters. For example: * In the `elasticsearch.yml` {ref}/settings.html[configuration] file: ** Set the `xpack.security.enabled` setting to `true`. For more information, refer to {ref}/security-settings.html[general security settings in {es}]. -** If the `search.allow_expensive_queries` setting is set to `false`, remove it. If the setting is set to its default value of `true` or not included in the `elasticsearch.yml` file, you don't need to change it. When this setting is set to `true`, it allows key detection features, such as {kibana-ref}/alerting-getting-started.html#_rules[alerting rules] and rule exceptions, to work. +** If the `search.allow_expensive_queries` setting is set to `false`, remove it. If set to its default value of `true` or not included in the file, you don't need to change it. This setting must be `true`, for key detection features, such as {kibana-ref}/alerting-getting-started.html#_rules[alerting rules] and rule exceptions, to work. IMPORTANT: After changing the `xpack.encryptedSavedObjects.encryptionKey` value From 481feff91d7586b8a7f66211052ddb912b3b2b3f Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 22 Oct 2025 12:22:14 -0400 Subject: [PATCH 5/5] Update docs/detections/detections-req.asciidoc --- docs/detections/detections-req.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/detections-req.asciidoc b/docs/detections/detections-req.asciidoc index cfb4aa84c8..e70f02a821 100644 --- a/docs/detections/detections-req.asciidoc +++ b/docs/detections/detections-req.asciidoc 
@@ -28,7 +28,7 @@ of at least 32 characters. For example: * In the `elasticsearch.yml` {ref}/settings.html[configuration] file: ** Set the `xpack.security.enabled` setting to `true`. For more information, refer to {ref}/security-settings.html[general security settings in {es}]. -** If the `search.allow_expensive_queries` setting is set to `false`, remove it. If set to its default value of `true` or not included in the file, you don't need to change it. This setting must be `true`, for key detection features, such as {kibana-ref}/alerting-getting-started.html#_rules[alerting rules] and rule exceptions, to work. +** If the `search.allow_expensive_queries` setting is set to `false`, remove it. If set to its default value of `true` or not included in the file, you don't need to change it. This setting must be `true` for key detection features, such as {kibana-ref}/alerting-getting-started.html#_rules[alerting rules] and rule exceptions, to work. IMPORTANT: After changing the `xpack.encryptedSavedObjects.encryptionKey` value
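Review bot: in the PATCH 1/5 hunk, the new `elasticsearch.yml` bullet tells readers to remove the line `search.allow_expensive_queries=false`, but `elasticsearch.yml` is YAML, so the line they would actually find is `search.allow_expensive_queries: false`; quote the YAML form (the later patches drop the literal, which also resolves this). Two further points on the same hunk. First, `search.allow_expensive_queries` is also a dynamic cluster setting, so a `false` applied through the cluster settings API (persistent or transient) survives deleting the line from the file and restarting; the bullet should tell readers to check the effective value, for example `GET _cluster/settings?include_defaults=true&filter_path=**.allow_expensive_queries`, and clear an API-set override with `PUT _cluster/settings` and `{"persistent": {"search.allow_expensive_queries": null}}`. Second, the new `elasticsearch.yml` sub-list is inserted between the `xpack.encryptedSavedObjects.encryptionKey` example and the `IMPORTANT:` admonition about that same key, so the admonition now reads as if it applied to the Elasticsearch settings; either place the `elasticsearch.yml` bullet before the `kibana.yml` one or move the `IMPORTANT:` paragraph directly under the encryption key example.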
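Review bot: the rewritten bullet in the PATCH 3/5 hunk (carried through 4/5 and 5/5) handles the `false` case only by deletion, and "remove it" assumes nothing else pins the value; suggest "set it to `true` or remove it" so the instruction is correct whichever way the deployment manages its configuration. The blank `+` line this hunk adds before `IMPORTANT:` should stay: in AsciiDoc a paragraph that directly follows a list item is lazily joined into that item, so without the blank line the admonition would render as continuation text of the last `**` bullet rather than as its own `IMPORTANT:` block.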