elastic · natasha-moore-elastic · Sep 11, 2023 · Sep 11, 2023
diff --git a/docs/getting-started/configure-integration-policy.asciidoc b/docs/getting-started/configure-integration-policy.asciidoc
@@ -164,6 +164,10 @@ Malicious behavior protection levels are:
 * **Prevent** (Default): Detects malicious behavior on the host, forces the process to stop,
 and generates an alert.
 
+Select whether you want to use **Reputation service** for additional malware analysis. This service identifies malicious activity and false positives, and enriches alerts using data from various sources, such as VirusTotal and telemetry. For example, reputation service can detect suspicious downloads of binaries with low or malicious reputation.
+
+NOTE: Reputation service requires an active https://www.elastic.co/pricing[Platinum or Enterprise subscription] and is available on cloud deployments only.
+
 Select **Notify user** to send a push notification in the host operating system when activity is detected or prevented. Notifications are enabled by default for the *Prevent* option.
 
 TIP: Platinum and Enterprise customers can customize these notifications using the `Elastic Security {action} {rule}` syntax.

diff --git a/docs/getting-started/images/install-endpoint/behavior-protection.png b/docs/getting-started/images/install-endpoint/behavior-protection.png