From be112c10c0198a4259433c78332b5d6ae1265873 Mon Sep 17 00:00:00 2001
From: Abdon Pijpelink <abdon.pijpelink@elastic.co>
Date: Wed, 1 Nov 2023 15:25:08 +0100
Subject: [PATCH] [DOCS] Add 'Using ES|QL in Elastic Security'

---
 .../esql/esql-security-solution.asciidoc      | 35 +++++++++++++++++++
 docs/reference/esql/esql-using.asciidoc       |  7 +++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 docs/reference/esql/esql-security-solution.asciidoc

diff --git a/docs/reference/esql/esql-security-solution.asciidoc b/docs/reference/esql/esql-security-solution.asciidoc
new file mode 100644
index 0000000000000..83de8514dc92c
--- /dev/null
+++ b/docs/reference/esql/esql-security-solution.asciidoc
@@ -0,0 +1,35 @@
+[[esql-elastic-security]]
+=== Using {esql} in {elastic-sec}
+
+++++
+<titleabbrev>Using {esql} in {elastic-sec}</titleabbrev>
+++++
+
+You can use {esql} in {elastic-sec} to investigate events in Timeline and create
+detection rules. Use the Elastic AI Assistant to build {esql} queries, or answer
+questions about the {esql} query language.
+
+[discrete]
+[[esql-elastic-security-timeline]]
+=== Use {esql} to investigate events in Timeline
+
+You can use {esql} in Timeline to filter, transform, and analyze event data
+stored in {es}. To start using {esql}, open the the **{esql}** tab. To learn
+more, refer to {security-guide}/timelines-ui.html[Investigate events in
+Timeline].
+
+[discrete]
+[[esql-elastic-security-detection-rules]]
+=== Use {esql} to create detection rules
+
+Use the {esql} rule type to create detection rules using {esql} queries. The
+{esql} rule type supports aggregating and non-aggregating queries. To learn
+more, refer to {security-guide}/rules-ui-create.html[Create a detection rule].
+
+[discrete]
+[[esql-elastic-security-ai-assistant]]
+=== Elastic AI Assistant
+
+Use the Elastic AI Assistant to build {esql} queries, or answer questions about
+the {esql} query language. To learn more, refer to
+{security-guide}/security-assistant.html[AI Assistant].
diff --git a/docs/reference/esql/esql-using.asciidoc b/docs/reference/esql/esql-using.asciidoc
index f586f3a28de5c..dbab521ead4d1 100644
--- a/docs/reference/esql/esql-using.asciidoc
+++ b/docs/reference/esql/esql-using.asciidoc
@@ -6,11 +6,16 @@ Information about using the <<esql-query-api,{esql} query API>>.
 
 <<esql-kibana>>::
 Using {esql} in {kib} to query and aggregate your data, create visualizations,
-and set up alerts. 
+and set up alerts.
+
+<<esql-elastic-security>>::
+Using {esql} in {elastic-sec} to investigate events in Timeline and create
+detection rules.
 
 <<esql-task-management>>::
 Using the <<tasks,task management API>> to list and cancel {esql} queries.
 
 include::esql-rest.asciidoc[]
 include::esql-kibana.asciidoc[]
+include::esql-security-solution.asciidoc[]
 include::task-management.asciidoc[]
\ No newline at end of file