From 0fea371997b9e5816eda518538bf6a574bc72f09 Mon Sep 17 00:00:00 2001
From: Liam Thompson
Date: Mon, 20 Oct 2025 17:35:09 +0200
Subject: [PATCH 1/4] [docs][esql] Include search and security pages in elasticsearch docs nav

---
 .../query-languages/esql/esql-use-cases.md | 13 +++++++++++++
 docs/reference/query-languages/toc.yml | 6 ++++++
 2 files changed, 19 insertions(+)
 create mode 100644 docs/reference/query-languages/esql/esql-use-cases.md

diff --git a/docs/reference/query-languages/esql/esql-use-cases.md b/docs/reference/query-languages/esql/esql-use-cases.md
new file mode 100644
index 0000000000000..b7d123aa76a91
--- /dev/null
+++ b/docs/reference/query-languages/esql/esql-use-cases.md
@@ -0,0 +1,13 @@
+---
+applies_to:
+ stack:
+ serverless:
+navigation_title: "Use cases"
+---
+
+# Use cases for {{esql}}
+
+These pages detail how to use {{esql}} for search and cybersecurity use cases:
+
+* [ES|QL for search](docs-content://solutions/search/esql-for-search.md): Learn how to use {{esql}} for search use cases using {{es}}.
+* [ES|QL for security](docs-content://solutions/security/esql-for-security.md): Learn how to use {{esql}} for cybersecurity use cases.
\ No newline at end of file
diff --git a/docs/reference/query-languages/toc.yml b/docs/reference/query-languages/toc.yml
index c7f302127f789..39f4591bdc3cd 100644
--- a/docs/reference/query-languages/toc.yml
+++ b/docs/reference/query-languages/toc.yml
@@ -87,6 +87,12 @@ toc:
 - file: esql.md
 children:
 - file: esql/esql-getting-started.md
+ - file: esql/esql-use-cases.md
+ children:
+ - title: "ES|QL for search"
+ crosslink: docs-content://solutions/search/esql-for-search.md
+ - title: "ES|QL for cybersecurity"
+ crosslink: docs-content://solutions/security/esql-for-security.md
 - file: esql/esql-rest.md
 - file: esql/esql-syntax-reference.md
 children:
From 510225ef6e153654870ff602428bbb123f87bfcb Mon Sep 17 00:00:00 2001
From: Liam Thompson
Date: Mon, 20 Oct 2025 17:48:31 +0200
Subject: [PATCH 2/4] add security tutorial under tutorials in nav

---
 docs/reference/query-languages/toc.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/reference/query-languages/toc.yml b/docs/reference/query-languages/toc.yml
index 39f4591bdc3cd..0c53b4551aa56 100644
--- a/docs/reference/query-languages/toc.yml
+++ b/docs/reference/query-languages/toc.yml
@@ -161,6 +161,8 @@ toc:
 - file: esql/esql-examples.md
 children:
 - file: esql/esql-search-tutorial.md
+ - title: "ES|QL for threat hunting tutorial"
+ crosslink: docs-content://solutions/security/esql-for-security/esql-threat-hunting-tutorial.md
 - file: esql/esql-troubleshooting.md
 children:
 - file: esql/esql-query-log.md
From 93d4637754c51abb2c1819da4551d7702682a424 Mon Sep 17 00:00:00 2001
From: Liam Thompson
Date: Mon, 20 Oct 2025 17:49:29 +0200
Subject: [PATCH 3/4] simplify title

---
 docs/reference/query-languages/toc.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/reference/query-languages/toc.yml b/docs/reference/query-languages/toc.yml
index 0c53b4551aa56..23260f5c1aa32 100644
--- a/docs/reference/query-languages/toc.yml
+++ b/docs/reference/query-languages/toc.yml
@@ -161,7 +161,7 @@ toc:
 - file: esql/esql-examples.md
 children:
 - file: esql/esql-search-tutorial.md
- - title: "ES|QL for threat hunting tutorial"
+ - title: "ES|QL for threat hunting"
 crosslink: docs-content://solutions/security/esql-for-security/esql-threat-hunting-tutorial.md
 - file: esql/esql-troubleshooting.md
 children:
From 52e672079220c3d6c281fa1dd53f302fdefa4060 Mon Sep 17 00:00:00 2001
From: Liam Thompson
Date: Tue, 21 Oct 2025 10:46:57 +0200
Subject: [PATCH 4/4] jazz up the descriptions

---
 docs/reference/query-languages/esql/esql-use-cases.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/reference/query-languages/esql/esql-use-cases.md b/docs/reference/query-languages/esql/esql-use-cases.md
index b7d123aa76a91..021559dedcbf7 100644
--- a/docs/reference/query-languages/esql/esql-use-cases.md
+++ b/docs/reference/query-languages/esql/esql-use-cases.md
@@ -9,5 +9,5 @@ navigation_title: "Use cases"
 
 These pages detail how to use {{esql}} for search and cybersecurity use cases:
 
-* [ES|QL for search](docs-content://solutions/search/esql-for-search.md): Learn how to use {{esql}} for search use cases using {{es}}.
-* [ES|QL for security](docs-content://solutions/security/esql-for-security.md): Learn how to use {{esql}} for cybersecurity use cases.
\ No newline at end of file
+- [ES|QL for search](docs-content://solutions/search/esql-for-search.md): Learn how to use {{esql}} for lexical (keyword) search, relevance scoring, semantic and hybrid search, semantic reranking, and more.
+- [ES|QL for security](docs-content://solutions/security/esql-for-security.md): Learn how to use {{esql}} for threat hunting, timeline investigation, detection rules, and migrating Splunk queries.