From eff795c5ca214d700d1c2cb455773a68f02f44b9 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 4 Oct 2024 16:47:25 -0400 Subject: [PATCH] First draft --- docs/detections/detection-engine-intro.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index fb2cae91a0..46b70b9914 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc @@ -86,7 +86,7 @@ Indicator match rules provide a powerful capability to search your security data In addition, the following support restrictions are in place: -* {elastic-sec} does not support the use of either cold or frozen {ref}/data-tiers.html[tier data] with indicator match rules. +* {elastic-sec} does not support the use of either cold or frozen {ref}/data-tiers.html[tier data] with indicator match rules. However, the rule will search cold and frozen data tiers if they exist. To prevent this, configure the `excludedDataTiersForRuleExecution` <> (which applies to all rules in a space), or add a <> to individual rules. * Indicator match rules with an additional look-back time value greater than 24 hours are not supported. [float]
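Review bot: In the added bullet, both cross-references are empty (`<>`), so "configure the `excludedDataTiersForRuleExecution` <>" and "add a <> to individual rules" never say what kind of setting this is or what has to be added to a rule. Give each reference its anchor and link text, and name the object in the sentence itself so the instruction still reads correctly if a link fails to resolve. The bullet also now states that cold and frozen tiers are unsupported and, in the next sentence, that the rule searches them anyway. Say what a user should expect when that happens, and replace "To prevent this" with the explicit goal, for example "To stop rules from querying cold and frozen tiers". Since the parenthetical says the setting applies to all rules in a space, it would help to note that it affects more than indicator match rules, so an admin does not enable it expecting a change limited to this rule type.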