elastic · natasha-moore-elastic · Aug 19, 2025
@@ -13,7 +13,7 @@ products:
 
 # Endpoint protection rules [endpoint-protection-rules]
 
-Endpoint protection rules are [prebuilt rules](../detect-and-alert/install-manage-elastic-prebuilt-rules.md) designed to help you manage and respond to alerts generated by {{elastic-endpoint}}, the installed component that performs {{elastic-defend}}'s threat monitoring and prevention. These rules include the Endpoint Security rule as well as additional detection and prevention rules for different {{elastic-defend}} protection features.
+Endpoint protection rules are [prebuilt rules](../detect-and-alert/install-manage-elastic-prebuilt-rules.md) designed to help you manage and respond to alerts generated by {{elastic-endpoint}}, the installed component that performs {{elastic-defend}}'s threat monitoring and prevention. These rules include the Endpoint Security ({{elastic-defend}}) rule as well as additional detection and prevention rules for different {{elastic-defend}} protection features.
 
 ::::{important}
 To receive {{elastic-endpoint}} alerts, you must install {{agent}} and the {{elastic-defend}} integration  on your hosts (refer to [Install {{elastic-defend}}](../configure-elastic-defend/install-elastic-defend.md)).
@@ -28,10 +28,10 @@ When endpoint protection rules are triggered, {{elastic-endpoint}} alerts are di
 
 ## Endpoint Security rule [endpoint-sec-rule]
 
-The Endpoint Security rule automatically creates an alert from all incoming {{elastic-endpoint}} alerts.
+The [Endpoint Security ({{elastic-defend}})](detection-rules://rules/integrations/endpoint/elastic_endpoint_security.md) rule automatically creates an alert from all incoming {{elastic-endpoint}} alerts.
 
 ::::{note}
-When you install Elastic prebuilt rules, the {{elastic-defend}} is enabled by default.
+When you install Elastic prebuilt rules, the Endpoint Security ({{elastic-defend}}) rule is enabled by default.
 ::::
 
 
@@ -40,17 +40,17 @@ When you install Elastic prebuilt rules, the {{elastic-defend}} is enabled by de
 
 The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {{elastic-defend}}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.
 
-* Behavior - Detected - {{elastic-defend}}
-* Behavior - Prevented - {{elastic-defend}}
-* Malicious File - Detected - {{elastic-defend}}
-* Malicious File - Prevented - {{elastic-defend}}
-* Memory Signature - Detected - {{elastic-defend}}
-* Memory Signature - Prevented - {{elastic-defend}}
-* Ransomware - Detected - {{elastic-defend}}
-* Ransomware - Prevented - {{elastic-defend}}
+* [Behavior - Detected - {{elastic-defend}}](detection-rules://rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.md)
+* [Behavior - Prevented - {{elastic-defend}}](detection-rules://rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.md)
+* [Malicious File - Detected - {{elastic-defend}}](detection-rules://rules/integrations/endpoint/execution_elastic_malicious_file_detected.md)
+* [Malicious File - Prevented - {{elastic-defend}}](detection-rules://rules/integrations/endpoint/execution_elastic_malicious_file_prevented.md)
+* [Memory Threat - Detected - {{elastic-defend}}](detection-rules://rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.md)
+* [Memory Threat - Prevented - {{elastic-defend}}](detection-rules://rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.md)
+* [Ransomware - Detected - {{elastic-defend}}](detection-rules://rules/integrations/endpoint/impact_elastic_ransomware_detected.md)
+* [Ransomware - Prevented - {{elastic-defend}}](detection-rules://rules/integrations/endpoint/impact_elastic_ransomware_prevented.md)
 
 ::::{note}
-If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts.
+If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security ({{elastic-defend}}) rule, as using both will result in duplicate alerts.
 ::::
 
 
@@ -59,4 +59,4 @@ To use these rules, you need to manually enable them from the **Rules** page in
 
 ## Endpoint security exception handling [_endpoint_security_exception_handling]
 
-All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing [{{elastic-endpoint}} exceptions](../detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) continue to apply.
+All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security ({{elastic-defend}}) rule and the feature-specific protection rules, your existing [{{elastic-endpoint}} exceptions](../detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) continue to apply.