Using ES|QL in Elastic Security

edit

Using ES|QL in Elastic Security

edit

You can use ES|QL in Elastic Security to investigate events in Timeline and create detection rules. Use the Elastic AI Assistant to build ES|QL queries, or answer questions about the ES|QL query language.

Use ES|QL to investigate events in Timeline

edit

You can use ES|QL in Timeline to filter, transform, and analyze event data stored in Elasticsearch. To start using ES|QL, open the ES|QL tab. To learn more, refer to Investigate events in Timeline.

Use ES|QL to create detection rules

edit

Use the ES|QL rule type to create detection rules using ES|QL queries. The ES|QL rule type supports aggregating and non-aggregating queries. To learn more, refer to Create an ES|QL rule.

Elastic AI Assistant

edit

Use the Elastic AI Assistant to build ES|QL queries, or answer questions about the ES|QL query language. To learn more, refer to AI Assistant.

For AI Assistant to answer questions about ES|QL and write ES|QL queries, you need to enable knowledge base.