diff --git a/docs/reference/eql/functions.asciidoc b/docs/reference/eql/functions.asciidoc
new file mode 100644
index 0000000000000..cc5fbba57e4ea
--- /dev/null
+++ b/docs/reference/eql/functions.asciidoc
@@ -0,0 +1,66 @@
+[[eql-function-ref]]
+== EQL function reference
+++++
+Function reference
+++++
+
+experimental::[]
+
+{es} supports the following EQL functions:
+
+* <>
+
+[discrete]
+[[eql-fn-substring]]
+=== `substring`
+
+Extracts a substring from a source string at provided start and end positions.
+
+If no end position is provided, the function extracts the remaining string.
+
+[%collapsible]
+====
+*Example*
+[source,eql]
+----
+substring("start regsvr32.exe", 6) // returns "regsvr32.exe"
+substring("start regsvr32.exe", 0, 5) // returns "start"
+substring("start regsvr32.exe", 6, 14) // returns "regsvr32"
+substring("start regsvr32.exe", -4) // returns ".exe"
+substring("start regsvr32.exe", -4, -1) // returns ".ex"
+----
+
+*Syntax*
+
+[source,txt]
+----
+substring(, [, ])
+----
+
+*Parameters*
+
+``::
+(Required, string)
+Source string.
+
+``::
++
+--
+(Required, integer)
+Starting position for extraction.
+
+If this position is higher than the `` position or the length of the
+`` string, the function returns an empty string.
+
+Positions are zero-indexed. Negative offsets are supported.
+--
+
+``::
+(Optional, integer)
+Exclusive end position for extraction. If this position is not provided, the
+function returns the remaining string.
++
+Positions are zero-indexed. Negative offsets are supported.
+
+*Returns:* string
+====
\ No newline at end of file
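Review bot: In the `substring` parameter descriptions, "Negative offsets are supported" never says what a negative offset means; the reader has to infer from the `-4` and `-4, -1` examples that it counts back from the end of the string. Consider stating that explicitly in both the start and end position entries. The out-of-range start case is covered ("returns an empty string"), but nothing says what happens when the end position exceeds the string length, and anyone using this to cut an image name or extension out of a command line will depend on that edge case. The new file also ends without a trailing newline.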
diff --git a/docs/reference/eql/index.asciidoc b/docs/reference/eql/index.asciidoc
index 328f40a36a557..f9168b861c9b7 100644
--- a/docs/reference/eql/index.asciidoc
+++ b/docs/reference/eql/index.asciidoc
@@ -32,9 +32,11 @@ Consider using EQL if you:
* <>
* <>
* <>
+* <>
* <>
include::requirements.asciidoc[]
include::search.asciidoc[]
include::syntax.asciidoc[]
+include::functions.asciidoc[]
include::limitations.asciidoc[]
diff --git a/docs/reference/eql/limitations.asciidoc b/docs/reference/eql/limitations.asciidoc
index 5e6cc74c319c2..dc7a211d8bd34 100644
--- a/docs/reference/eql/limitations.asciidoc
+++ b/docs/reference/eql/limitations.asciidoc
@@ -15,7 +15,10 @@ experimental::[]
{es} supports a subset of {eql-ref}/index.html[EQL syntax]. {es} cannot run EQL
queries that contain:
-* {eql-ref}/functions.html[Functions]
+* Array functions:
+** {eql-ref}/functions.html#arrayContains[`arrayContains`]
+** {eql-ref}/functions.html#arrayCount[`arrayCount`]
+** {eql-ref}/functions.html#arraySearch[`arraySearch`]
* {eql-ref}/joins.html[Joins]
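Review bot: Replacing the blanket "Functions" entry with only `arrayContains`, `arrayCount` and `arraySearch` implies that every other EQL function now runs, yet the function reference added in this patch documents only `substring`. If the remaining functions are not implemented yet, keep them covered here, for example with an entry saying that functions not listed in the function reference are unsupported. If they are implemented, the reference should list them.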
diff --git a/docs/reference/eql/syntax.asciidoc b/docs/reference/eql/syntax.asciidoc
index 9beb9598bb9b9..a3827cfc58ab7 100644
--- a/docs/reference/eql/syntax.asciidoc
+++ b/docs/reference/eql/syntax.asciidoc
@@ -2,6 +2,9 @@
[testenv="basic"]
[[eql-syntax]]
== EQL syntax reference
+++++
+Syntax reference
+++++
experimental::[]
@@ -283,3 +286,12 @@ dots (`.`), hyphens (`-`), or spaces, must be escaped using backticks (+++`+++).
`my-field`
`my field`
----
+
+[discrete]
+[[eql-functions]]
+=== Functions
+
+{es} supports several of EQL's built-in functions. You can use these functions
+to convert data types, perform math, manipulate strings, and more.
+
+For a list of supported functions, see <>.
\ No newline at end of file
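Review bot: The new Functions paragraph says these functions "convert data types, perform math, manipulate strings, and more", but the reference added in this patch covers a single string function, `substring`. Suggest narrowing the sentence to what is documented, or holding the type-conversion and math wording until those entries exist. This file also ends without a trailing newline.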