diff --git a/docs/reference/esql/esql-security-solution.asciidoc b/docs/reference/esql/esql-security-solution.asciidoc
new file mode 100644
index 0000000000000..83de8514dc92c
--- /dev/null
+++ b/docs/reference/esql/esql-security-solution.asciidoc
@@ -0,0 +1,35 @@
+[[esql-elastic-security]]
+=== Using {esql} in {elastic-sec}
+
+++++
+Using {esql} in {elastic-sec}
+++++
+
+You can use {esql} in {elastic-sec} to investigate events in Timeline and create
+detection rules. Use the Elastic AI Assistant to build {esql} queries, or answer
+questions about the {esql} query language.
+
+[discrete]
+[[esql-elastic-security-timeline]]
+=== Use {esql} to investigate events in Timeline
+
+You can use {esql} in Timeline to filter, transform, and analyze event data
+stored in {es}. To start using {esql}, open the the **{esql}** tab. To learn
+more, refer to {security-guide}/timelines-ui.html[Investigate events in
+Timeline].
+
+[discrete]
+[[esql-elastic-security-detection-rules]]
+=== Use {esql} to create detection rules
+
+Use the {esql} rule type to create detection rules using {esql} queries. The
+{esql} rule type supports aggregating and non-aggregating queries. To learn
+more, refer to {security-guide}/rules-ui-create.html[Create a detection rule].
+
+[discrete]
+[[esql-elastic-security-ai-assistant]]
+=== Elastic AI Assistant
+
+Use the Elastic AI Assistant to build {esql} queries, or answer questions about
+the {esql} query language. To learn more, refer to
+{security-guide}/security-assistant.html[AI Assistant].
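Review bot: The Timeline paragraph has a doubled word, "open the the **{esql}** tab"; drop one "the". Also, the three `[discrete]` subsections use `===`, the same level as the page title `=== Using {esql} in {elastic-sec}`, so please confirm that renders as intended or move them down to `====`. The sentence "Use the Elastic AI Assistant to build {esql} queries, or answer questions about the {esql} query language." appears word for word in both the intro and the AI Assistant section. Consider shortening the intro copy so the page does not repeat itself.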
diff --git a/docs/reference/esql/esql-using.asciidoc b/docs/reference/esql/esql-using.asciidoc
index f586f3a28de5c..dbab521ead4d1 100644
--- a/docs/reference/esql/esql-using.asciidoc
+++ b/docs/reference/esql/esql-using.asciidoc
@@ -6,11 +6,16 @@ Information about using the <>.
<>::
Using {esql} in {kib} to query and aggregate your data, create visualizations,
-and set up alerts.
+and set up alerts.
+
+<>::
+Using {esql} in {elastic-sec} to investigate events in Timeline and create
+detection rules.
<>::
Using the <> to list and cancel {esql} queries.
include::esql-rest.asciidoc[]
include::esql-kibana.asciidoc[]
+include::esql-security-solution.asciidoc[]
include::task-management.asciidoc[]
\ No newline at end of file
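Review bot: The line "and set up alerts." is removed and re-added with no visible text change, which points to a whitespace-only edit. If the new version introduces trailing whitespace, revert that line so the hunk only carries the new {elastic-sec} entry and the `include::esql-security-solution.asciidoc[]` line. The file still ends without a newline after `include::task-management.asciidoc[]`; since the include list is being edited here, this would be a good moment to add one.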