[[esql-elastic-security]]
=== Using {esql} in {elastic-sec}

++++
<titleabbrev>Using {esql} in {elastic-sec}</titleabbrev>
++++

You can use {esql} in {elastic-sec} to investigate events in Timeline and create
detection rules. Use the Elastic AI Assistant to build {esql} queries, or answer
questions about the {esql} query language.

[discrete]
[[esql-elastic-security-timeline]]
=== Use {esql} to investigate events in Timeline

You can use {esql} in Timeline to filter, transform, and analyze event data
stored in {es}. To start using {esql}, open the **{esql}** tab. To learn
more, refer to {security-guide}/timelines-ui.html#esql-in-timeline[Investigate
events in Timeline].

[discrete]
[[esql-elastic-security-detection-rules]]
=== Use {esql} to create detection rules

Use the {esql} rule type to create detection rules using {esql} queries. The
{esql} rule type supports aggregating and non-aggregating queries. To learn
more, refer to {security-guide}/rules-ui-create.html#create-esql-rule[Create an
{esql} rule].

[discrete]
[[esql-elastic-security-ai-assistant]]
=== Elastic AI Assistant

Use the Elastic AI Assistant to build {esql} queries, or answer questions about
the {esql} query language. To learn more, refer to
{security-guide}/security-assistant.html[AI Assistant].

NOTE: For AI Assistant to answer questions about {esql} and write {esql}
queries, you need to
{security-guide}/security-assistant.html#set-up-ai-assistant[enable knowledge
base].