From 0d98a5e72d2e44ffd11c5cf58577fe6312c85b72 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 13 Feb 2026 11:28:01 +0000 Subject: [PATCH] Document Workflows in Security docs --- .../detect-and-alert/create-detection-rule.md | 4 ++++ solutions/security/get-started/elastic-security-ui.md | 11 +++++++++++ 2 files changed, 15 insertions(+) diff --git a/solutions/security/detect-and-alert/create-detection-rule.md b/solutions/security/detect-and-alert/create-detection-rule.md index 12f469080b..58da53009b 100644 --- a/solutions/security/detect-and-alert/create-detection-rule.md +++ b/solutions/security/detect-and-alert/create-detection-rule.md @@ -664,6 +664,10 @@ Use actions to set up notifications sent via other systems when alerts are gener To use actions for alert notifications, you need the [appropriate license](https://www.elastic.co/subscriptions). For more information, see [Cases requirements](/solutions/security/investigate/cases-requirements.md). :::: +::::{tip} +:applies_to: {stack: preview 9.3+, serverless: preview} +You can use [workflows](/explore-analyze/workflows.md) as a rule action to automate alert response processes. Workflows can create cases, route notifications, or perform other automated tasks when alerts are generated. To learn how to set up a workflow as a rule action, refer to [](/explore-analyze/workflows/triggers/alert-triggers.md). +:::: 1. Select a connector type to determine how notifications are sent. For example, if you select the {{jira}} connector, notifications are sent to your {{jira}} system. diff --git a/solutions/security/get-started/elastic-security-ui.md b/solutions/security/get-started/elastic-security-ui.md index 6e725981e0..6218164e88 100644 --- a/solutions/security/get-started/elastic-security-ui.md +++ b/solutions/security/get-started/elastic-security-ui.md 
@@ -118,6 +118,17 @@ Expand this section to access the following pages: View and manage alerts to monitor activity within your network. Refer to [Detections and alerts](/solutions/security/detect-and-alert.md) for more information. +### Workflows +```yaml {applies_to} +stack: preview 9.3+ +serverless: preview +``` + +:::{admonition} Requirements +To access this section, turn on the Elastic Workflows (`workflows:ui:enabled`) [advanced setting](kibana://reference/advanced-settings.md#kibana-general-settings). +::: + +Create and manage workflows that automate tasks such as incident response, case creation, and notification routing. Refer to [](/explore-analyze/workflows.md) for more information. ### Attack discovery
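Review bot: In the create-detection-rule.md hunk, the new `::::{tip}` says workflows can be used as a rule action but omits the prerequisite that the elastic-security-ui.md hunk states: turning on the `workflows:ui:enabled` advanced setting. A reader who reaches the rule page first has no pointer to why the option might be missing. Suggest adding one sentence to the tip that names the setting, or linking to the Requirements admonition. The tip is also placed directly after the license note for actions, so it should say whether that license requirement applies to workflow actions as well.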
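Review bot: In the new `### Workflows` section of elastic-security-ui.md, the Requirements admonition names only the `workflows:ui:enabled` advanced setting and does not say which privileges a user needs to create and manage workflows. The section describes workflows that automate incident response, case creation, and notification routing, so who is allowed to define them is something readers will look for here. Suggest listing the required role or privileges in the admonition, or stating that the linked `/explore-analyze/workflows.md` page covers them.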