Merged
6 changes: 3 additions & 3 deletions docs/management/admin/automated-response-actions.asciidoc
Expand Up @@ -14,13 +14,13 @@ Add {elastic-defend}'s <<response-actions,response actions>> to detection rules
* Automated response actions require an https://www.elastic.co/pricing[Enterprise subscription].
* Hosts must have {agent} installed with the {elastic-defend} integration.
* Your user role must have the ability to create detection rules and the privilege to perform <<response-action-commands,specific response actions>> (for example, the **Host Isolation** privilege to isolate hosts).
* You can only add automated response actions to custom query rules.
* You can only add automated response actions to <<create-custom-rule,custom query>>, <<create-eql-rule,event correlation (EQL)>>, <<create-new-terms-rule,new terms>>, and <<create-esql-rule,{esql}>> type rules.
--

You can add automated response actions to a new or existing custom query rule.
To add automated response actions to a new or existing rule:

. Do one of the following:
* *New rule*: On the last step of <<create-custom-rule,custom query rule>> creation, go to the **Response Actions** section and select **{elastic-defend}**.
* *New rule*: On the last step of rule creation, go to the **Response Actions** section and select **{elastic-defend}**.
* *Existing rule*: Edit the rule's settings, then go to the *Actions* tab. In the tab, select **{elastic-defend}** under the **Response Actions** section.

. Select an option in the **Response action** field:
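Review bot: The rewritten requirements bullet ends in "and {esql} type rules", which reads awkwardly after a list of four linked names; consider "You can only add automated response actions to the following rule types: custom query, event correlation (EQL), new terms, and {esql}." In the *New rule* step, the `<<create-custom-rule,...>>` link is dropped with nothing in its place, so "the last step of rule creation" no longer points anywhere; linking to the general rule creation section would keep the step navigable. Please also confirm that the `create-eql-rule`, `create-new-terms-rule`, and `create-esql-rule` anchors resolve, since only `create-custom-rule` was referenced here before.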
Expand Up @@ -12,17 +12,17 @@ Add ((elastic-defend))'s <DocLink slug="/serverless/security/response-actions">r

<DocCallOut title="Requirements">

- Automated response actions require the Endpoint Protection Complete <DocLink slug="/serverless/elasticsearch/manage-project" text="project feature"/>.
- Automated response actions require the Endpoint Protection Complete <DocLink slug="/serverless/elasticsearch/manage-project">project feature</DocLink>.
- Hosts must have ((agent)) installed with the ((elastic-defend)) integration.
- Your user role must have the ability to create detection rules and the privilege to perform <DocLink slug="/serverless/security/response-actions" section="response-action-commands">specific response actions</DocLink> (for example, custom roles require the **Host Isolation** privilege to isolate hosts).
- You can only add automated response actions to custom query rules.
- You can only add automated response actions to <DocLink slug="/serverless/security/rules-create" section="create-custom-rule">custom query</DocLink>, <DocLink slug="/serverless/security/rules-create" section="create-eql-rule">event correlation (EQL)</DocLink>, <DocLink slug="/serverless/security/rules-create" section="create-new-terms-rule">new terms</DocLink>, and <DocLink slug="/serverless/security/rules-create" section="create-esql-rule">((esql))</DocLink> type rules.

</DocCallOut>

You can add automated response actions to a new or existing custom query rule.
To add automated response actions to a new or existing rule:

1. Do one of the following:
- **New rule**: On the last step of <DocLink slug="/serverless/security/rules-create" section="create-custom-rule"> custom query rule</DocLink> creation, go to the **Response Actions** section and select **((elastic-defend))**.
- **New rule**: On the last step of rule creation, go to the **Response Actions** section and select **((elastic-defend))**.
- **Existing rule**: Edit the rule's settings, then go to the **Actions** tab. In the tab, select **((elastic-defend))** under the **Response Actions** section.

1. Select an option in the **Response action** field:
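Review bot: The new requirements bullet points four `DocLink`s at `/serverless/security/rules-create` with section ids `create-custom-rule`, `create-eql-rule`, `create-new-terms-rule`, and `create-esql-rule`; three of these are new to this file, so please verify each id exists on the serverless page, because a wrong `section` value is easy to miss in review. The same "((esql)) type rules" wording issue as in the asciidoc file applies here. The switch of the project feature link from `text="project feature"/>` to a child element is unrelated to the rule-type change and is worth a line in the PR description. In the **New rule** step, the removed `DocLink` leaves "rule creation" unlinked; a link to the rules-create page without a `section` would keep it reachable.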