Document HTTP workflow connector support (#6885)

## Summary

- Updates the Workflows HTTP actions docs to explain connector-backed
HTTP steps.
- Replaces the outdated secret-store limitation with guidance to use
`connector-id` for authenticated requests.
- Adds dropdown syntax examples for configured HTTP connector and direct
URL usage.

## Testing

- Not run; docs-only change.

Author: talboren

explore-analyze/workflows/steps/external-systems-apps.md

@@ -18,7 +18,7 @@ products:
 External systems actions allow your workflows to communicate with third-party services and custom endpoints. You can interact with external systems in the following ways:
 
 * [Connector-based actions](#connector-based-actions): Use pre-configured connectors to integrate with services such as Slack and {{jira}}
-* [HTTP actions](#http-actions): Make direct HTTP requests to any API endpoint
+* [HTTP actions](#http-actions): Make HTTP requests to APIs directly or through a configured HTTP connector
 
 ## Connector-based actions
 
@@ -66,37 +66,41 @@ steps:
 
 ## HTTP actions
 
-The native `http` action is a built-in HTTP client that does not require a pre-configured connector. Use it for one-off requests to public or internal APIs.
+The native `http` action is a built-in HTTP client for calling external APIs. It supports two modes:
+
+* **Configured HTTP connector**: For authenticated requests, first [configure an HTTP connector](/deploy-manage/manage-connectors.md). Then reference it from the workflow step with `connector-id`. The connector stores the base URL, authentication settings, and secrets using {{kib}}'s centralized {{connectors-ui}} framework.
+* **Direct URL**: For simple requests that don't require connector-managed secrets, omit `connector-id` and provide the full `url` directly in the step. Avoid placing secrets directly in workflow YAML.
 
 Use the following parameters in the `with` block to configure the request:
 
 | Parameter | Required | Description |
 |-----------|----------|-------------|
-| `url` | Yes | The full URL of the endpoint to call |
-| `method` | No (defaults to `GET`) | The HTTP method (`GET`, `POST`, `PUT`, or `DELETE`) |
-| `headers` | No | An object with key-value pairs for HTTP headers |
-| `body` | No | The request body (typically a JSON object) |
-
-::::{admonition} Known limitation
-The native `http` action does not have access to a centralized secret store for managing authentication credentials. If your endpoint requires authentication, you must include the credentials directly in the `headers` block.
+| `url` | Yes, when `connector-id` is not provided | The full URL of the endpoint to call. |
+| `path` | No | The path appended to the configured connector's base URL. Use this with `connector-id`. |
+| `method` | No (defaults to `GET`) | The HTTP method (`GET`, `POST`, `PUT`, `PATCH`, or `DELETE`). |
+| `headers` | No | An object with key-value pairs for additional HTTP headers. Request headers take precedence over connector headers. |
+| `query` | No | An object with key-value pairs for query string parameters. |
+| `body` | No | The request body (typically a JSON object). |
 
 :::{dropdown} Click to show syntax example
+Use a configured HTTP connector:
+
 ```yaml
 steps:
-  - name: call_secure_api
+  - name: trigger_response_action
     type: http
+    connector-id: "security-response-api"
     with:
-      url: "https://api.thirdparty.com/v1/data"
-      method: "GET"
+      path: "/v1/response-actions/isolate"
+      method: "POST"
       headers:
-        Authorization: "Bearer my-secret-api-token"
+        Content-Type: "application/json"
+      body:
+        endpoint_id: "{{ event.agent.id }}"
+        reason: "Triggered by workflow '{{ workflow.name }}'"
 ```
-:::
-::::
-
-### Example: Call a custom webhook
 
-This example makes a POST request to a custom automation endpoint, passing data from the workflow context.
+Call a URL directly without a connector:
 
 ```yaml
 steps:
@@ -111,4 +115,4 @@ steps:
         event_id: "{{ event.id }}"
         message: "Workflow action triggered by '{{ workflow.name }}'"
 ```
-
+:::