[8.11] ES|QL tab added to Timeline (backport #4065) (#4201)

Co-authored-by: Benjamin Ironside Goldstein <[email protected]> Co-authored-by: Abdon Pijpelink <[email protected]> Co-authored-by: Janeen Mikell Roberts <[email protected]> Co-authored-by: Nastasha Solomon <[email protected]>
elastic · Nov 6, 2023 · 08e4841 · 08e4841
1 parent dbbd68c
commit 08e4841
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/docs/events/images/esql-tab.png b/docs/events/images/esql-tab.png
diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc
@@ -178,3 +178,29 @@ From the *Correlation* tab, you can also do the following:
 * Specify the date and time range that you want to investigate.
 * Reorder the columns and choose which fields to display.
 * Choose a data view and whether to show detection alerts only.
+
+[discrete]
+[[esql-in-timeline]]
+== Use {esql} to investigate events 
+
+preview::[]
+
+The {ref}/esql.html[Elasticsearch Query Language ({esql})] provides a powerful way to filter, transform, and analyze event data stored in {es}. {esql} queries use "pipes" to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis.
+
+You can use {esql} in Timeline by opening the **{esql}** tab. From there, you can: 
+
+- Explore your events using the default query, or create a custom one. The default query searches documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <<update-sec-indices,Security data view>>, then returns 10 events from the defined time range.  
+- Click the help icon (image:images/esql-ref-button.png[Click the ES|QL reference button,20,20]) on the far right side of the query editor to open the in-product reference documentation for all {esql} commands and functions.  
+- Visualize query results using {kibana-ref}/discover.html[Discover] functionality.
+
+[role="screenshot"]
+image::images/esql-tab.png[a Timeline's ES|QL tab]
+
+[discrete]
+[[esql-in-timeline-resources]]
+=== Additional {esql} resources 
+
+To get started using {esql}, read the tutorial for {ref}/esql-kibana.html[using {esql} in {kib}]. Much of the functionality available in {kib} is also available in Timeline.  
+
+To find examples of using {esql} for threat hunting, check out https://www.elastic.co/blog/introduction-to-esql-new-query-language-flexible-iterative-analytics[our blog].
+
diff --git a/docs/images/esql-ref-button.png b/docs/images/esql-ref-button.png