diff --git a/docs/management/admin/automated-response-actions.asciidoc b/docs/management/admin/automated-response-actions.asciidoc index b1ee3c0c48..ec339f1731 100644 --- a/docs/management/admin/automated-response-actions.asciidoc +++ b/docs/management/admin/automated-response-actions.asciidoc @@ -14,13 +14,13 @@ Add {elastic-defend}'s <> to detection rules * Automated response actions require an https://www.elastic.co/pricing[Enterprise subscription]. * Hosts must have {agent} installed with the {elastic-defend} integration. * Your user role must have the ability to create detection rules and the privilege to perform <> (for example, the **Host Isolation** privilege to isolate hosts). -* You can only add automated response actions to custom query rules. +* You can only add automated response actions to <>, <>, <>, and <> type rules. -- -You can add automated response actions to a new or existing custom query rule. +To add automated response actions to a new or existing rule: . Do one of the following: -* *New rule*: On the last step of <> creation, go to the **Response Actions** section and select **{elastic-defend}**. +* *New rule*: On the last step of rule creation, go to the **Response Actions** section and select **{elastic-defend}**. * *Existing rule*: Edit the rule's settings, then go to the *Actions* tab. In the tab, select **{elastic-defend}** under the **Response Actions** section. . Select an option in the **Response action** field: diff --git a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx index b982abe1f9..a110dfaaf0 100644 --- a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx +++ b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx 
@@ -12,17 +12,17 @@ Add ((elastic-defend))'s r -- Automated response actions require the Endpoint Protection Complete . +- Automated response actions require the Endpoint Protection Complete project feature. - Hosts must have ((agent)) installed with the ((elastic-defend)) integration. - Your user role must have the ability to create detection rules and the privilege to perform specific response actions (for example, custom roles require the **Host Isolation** privilege to isolate hosts). -- You can only add automated response actions to custom query rules. +- You can only add automated response actions to custom query, event correlation (EQL), new terms, and ((esql)) type rules. -You can add automated response actions to a new or existing custom query rule. +To add automated response actions to a new or existing rule: 1. Do one of the following: - - **New rule**: On the last step of custom query rule creation, go to the **Response Actions** section and select **((elastic-defend))**. + - **New rule**: On the last step of rule creation, go to the **Response Actions** section and select **((elastic-defend))**. - **Existing rule**: Edit the rule's settings, then go to the **Actions** tab. In the tab, select **((elastic-defend))** under the **Response Actions** section. 1. Select an option in the **Response action** field:
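Review bot: In docs/management/admin/automated-response-actions.asciidoc, the rewritten "New rule" step ("On the last step of rule creation") no longer says which rule types show the **Response Actions** section, so a reader who skips the requirements list and starts the procedure on an unsupported rule type will not find the option. Suggest keeping a short qualifier in the step, for example "On the last step of creating a supported rule type", or pointing back to the requirements bullet. Also confirm that the four cross-references in the new requirements bullet resolve and appear in the same order as the serverless page lists them (custom query, event correlation (EQL), new terms, ((esql))), so the two pages stay in sync.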
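Review bot: In docs/serverless/endpoint-response-actions/automated-response-actions.mdx, the first changed bullet ("Automated response actions require the Endpoint Protection Complete project feature.") is a separate fix from the rule-type expansion and should be mentioned in the commit message or split out. If "project feature" was previously a link, check that the target is still attached. In the new requirements bullet the rule types read as plain text ("custom query, event correlation (EQL), new terms, and ((esql)) type rules"), while the asciidoc page uses cross-references in the same bullet. Linking each type to its rule-creation section here would keep the two pages equivalent and help readers confirm that their rule qualifies before they attach a response action such as host isolation.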