Re-adding to pass checks

Author: nastasha-solomon

solutions/security/detect-and-alert/create-detection-rule.md

@@ -120,6 +120,81 @@ Select a rule type below for detailed instructions:
 * **Never seen before** → New terms (e.g., "first time seeing this user/host combination")
 * **Complex analytics** → ES|QL (e.g., "aggregate and transform data beyond other query types")
 
+## Create a custom query rule [create-custom-rule]
+
+Refer to [Custom query rule documentation](/solutions/security/detect-and-alert/rule-types/custom-query.md) for complete instructions on creating custom query rules, including:
+
+* Step-by-step configuration
+* How to use saved queries and Timeline queries
+* Infrastructure-focused examples (SSH login detection, unusual outbound connections)
+* Testing and tuning guidance
+
+## Create a machine learning rule [create-ml-rule]
+
+Refer to [Machine learning rule documentation](/solutions/security/detect-and-alert/rule-types/machine-learning.md) for complete instructions on creating machine learning rules, including:
+
+* Requirements and prerequisites
+* ML job startup considerations and resource requirements
+* Baseline learning periods and production best practices
+* Alert suppression with anomaly fields
+
+## Create a threshold rule [create-threshold-rule]
+
+Refer to [Threshold rule documentation](/solutions/security/detect-and-alert/rule-types/threshold.md) for complete instructions on creating threshold rules, including:
+
+* Step-by-step configuration with Group by and Threshold fields
+* Understanding cardinality limits and risk levels
+* Testing cardinality before creating rules
+* Circuit breaker error troubleshooting
+* How threshold rule alerts differ from source documents
+
+
+## Create an event correlation rule [create-eql-rule]
+
+Refer to [Event correlation rule documentation](/solutions/security/detect-and-alert/rule-types/event-correlation.md) for complete instructions on creating event correlation rules, including:
+
+* Step-by-step configuration with EQL queries
+* How to detect sequences of related events
+* EQL settings configuration (event category, tiebreaker, timestamp fields)
+* Missing events syntax for sequence detection
+
+
+## Create an indicator match rule [create-indicator-rule]
+
+Refer to [Indicator match rule documentation](/solutions/security/detect-and-alert/rule-types/indicator-match.md) for complete instructions on creating indicator match rules, including:
+
+* Step-by-step configuration with threat indicator mapping
+* How to compare source events with threat intelligence feeds
+* Using value lists as indicator match indices
+* Performance considerations and best practices
+
+::::{note}
+{{elastic-sec}} provides [limited support](/solutions/security/detect-and-alert.md#support-indicator-rules) for indicator match rules.
+::::
+
+
+## Create a new terms rule [create-new-terms-rule]
+
+Refer to [New terms rule documentation](/solutions/security/detect-and-alert/rule-types/new-terms.md) for complete instructions on creating new terms rules, including:
+
+* Step-by-step configuration with field selection
+* How to detect first-time occurrences
+* Multi-field combination support (up to 3 fields)
+* History window size configuration
+* Important cardinality limits for field arrays
+
+
+## Create an {{esql}} rule [create-esql-rule]
+
+Refer to [ES|QL rule documentation](/solutions/security/detect-and-alert/rule-types/esql.md) for complete instructions on creating ES|QL rules, including:
+
+* Step-by-step configuration with query writing
+* Aggregating vs. non-aggregating query types
+* Alert deduplication configuration (METADATA fields)
+* Query design considerations (LIMIT, STATS...BY, sorting)
+* Rule limitations and workarounds
+* Custom highlighted fields guidance
+
 
 ## Configure basic rule settings [rule-ui-basic-params]