From 2332653fb87ea2054e7ce36bc18aeb17e44fa167 Mon Sep 17 00:00:00 2001
From: Louie Mayor <louie.mayor@microsoft.com>
Date: Tue, 11 Aug 2020 16:06:58 -0700
Subject: [PATCH] Update custom-detection-rules.md

---
 .../microsoft-defender-atp/custom-detection-rules.md          | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 7481a4362e..223e5b4295 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -33,6 +33,10 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m
 
 In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
 
+>[!IMPORTANT]
+>To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
+
+
 #### Required columns in the query results
 To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.