Introducing Elastic Workflows: Native automation for Elasticsearch

Unify scripted automation and AI agents natively in Elasticsearch. Eliminate integrations and take action directly on your data.

Today, we are introducing Elastic Workflows, the automation engine built directly into Elasticsearch. Workflows gives you reliable, scripted automation for straightforward tasks and AI-driven automation for complex problems that require reasoning. 

Elastic Workflows is now available as a technical preview.

The challenge: Siloed data and forced tradeoffs

Organizations need automation to keep pace with the complexity of today's digital environment. But most automation solutions suffer from two major limitations.

  1. Automation usually sits apart from your operational data. This means teams have to build and maintain integrations just to give their automation the context it needs. Data has to be exported, synced, or queried across systems. Credentials have to be managed separately. And when something changes upstream, the integration breaks. Maintaining these integrations adds unnecessary effort. 

  2. Teams face a tradeoff between reliability and reasoning. Traditional automation handles defined tasks predictably — it runs the same way every time, which is exactly what you want for well-understood processes. But it can't adapt when it encounters something unexpected. There's no judgment, no interpretation, just predefined logic.

AI-powered tools promise to fill that gap. They can reason through ambiguity, weigh options, and suggest next steps even without explicit instructions. But they often lack the precision and predictability that critical business processes require. And most of them sit even further from your data, adding another integration layer to manage.

Until now, organizations had to choose between these approaches or try to stitch them together with middleware and custom code. Elastic Workflows eliminates that choice by delivering both in a single system.

Elastic Workflows: Data, context, and action unified

Elastic Workflows solves these problems by bringing the automation engine directly to where your data lives. There's no export pipeline, no middleware, and no separate security model to manage. When a workflow needs context, it's already there.

Defined in YAML, workflows are simple enough to version-control and review but expressive enough to handle real operational logic. They're executed by a built-in engine designed for enterprise reliability and scale.

Workflows are fully composable and event-driven. They can respond to changes in data within Elasticsearch, to events from external systems via webhooks, or to actions initiated by users. You can chain workflows together, nest them, or expose them as callable tools for other systems.

Once running, workflows connect to the external systems your organization already uses, including cloud providers, service desks, messaging platforms, and identity providers. But Elasticsearch stays at the center, so every step in the workflow has access to the full context of your environment.

The result is a simpler architecture with fewer moving parts and faster execution because there's no round-trip to external systems for basic context. Also, fewer things can break because you're not maintaining a web of integrations.

Workflows and agents for intelligent automation

The unified architecture of automation and AI on Elasticsearch enables something that's been difficult to achieve: combining the reliability of predictable execution with the flexibility of AI reasoning in a single process.

Here's how it works. A workflow handles the structured parts of a process — the steps that should run the same way every time. When the workflow reaches a point that requires judgment, it can call an AI agent to analyze the available context and determine what to do next. The agent reasons over the data, makes a decision, and returns a result. The workflow then continues executing based on that input.

[Figure: simple agent invocation]

This integration is bidirectional. Workflows can call agents as intelligent steps within a larger process. And agents can invoke workflows as tools, giving them the ability to take concrete actions: not just generating text but actually doing things in the systems your organization runs on.

Elastic Workflows gets its agentic capabilities through integration with Elastic Agent Builder, a native capability of Elasticsearch for creating custom AI agents. Agents built with Agent Builder have access to the same data and context as workflows, which means they can make better decisions. And because both workflows and agents run on the same platform, there's no integration gap between reasoning and execution.

While standard AI tools often just generate suggestions, Elastic Workflows empowers agents to take action like restarting a service, updating a record, sending a notification, or triggering another workflow.

For developers building agents

AI advances allow developers to build much more capable agents that can automate more tasks than before. Agents are no longer just for chatting; they can now make decisions and take action on their own. However, many agent-building frameworks require large language models (LLMs) to plan and manage every step of the automation. While AI is great at reasoning, it lacks the reliability of defined actions, which businesses often need.

Workflows, which can be given to an agent as tools via MCP, close this gap. Workflows are the "hands" that allow agents to reliably interact with systems to take action and gather information.

Workflows help developers turn complex processes into predictable, reusable tools for information gathering and action. For example, agent applications often need information that can only be gathered by running processes in internal and external systems that meet company standards. Workflows package those processes, such as integrating enterprise data, calling services, linking signals, and updating records, as reusable actions. This simplifies search and automation tasks like customer support sorting, content upload, and business logic automation. Applications built on Elasticsearch can then respond smartly to unclear requests, while Workflows provides the reliable execution needed to back those decisions.

For security analysts

Security analysts deal with a constant stream of alerts, and much of the initial triage work follows a predictable pattern: enrich the alert with context, check related activity, pull in asset and identity information, update the case, and notify the right people. This is exactly the kind of work that automation should handle.

Workflows lets security teams codify these processes with complete control and predictability. The routine steps always happen automatically and consistently.

But investigations aren't always routine. Sometimes an alert doesn't match any known pattern. Sometimes the attacker did something novel. In these cases, analysts typically start from scratch, manually gathering logs, tracing user behavior, correlating signals across systems, and forming hypotheses about what happened.

This is where workflows combined with agents change the picture. Instead of starting with a blank screen, an agent can do the early legwork: reviewing the evidence, identifying unusual patterns, checking whether expected controls were in place, and suggesting which threads are worth pulling. The workflow keeps the overall process structured and auditable. The agent handles the ambiguity.

[Figure: auto triage]

The analyst stays in control but starts further ahead with context already assembled and initial hypotheses to evaluate rather than construct.

For SREs

Operations teams automate extensively: health checks, capacity decisions, alert routing, and remediation playbooks. These processes keep services running smoothly when conditions match known patterns.

But not every incident follows a pattern. Complex performance degradations, unexpected regressions, and cascading failures — these situations rarely come with a clear playbook. Operators typically have to investigate from scratch, correlating data across dashboards and tools to figure out what's actually happening.

With workflows and agents, that investigation can start faster. An agent with access to your logs, metrics, and traces can scan recent deployments, identify correlated anomalies, and surface the most likely explanations. Instead of assembling context manually, the operator starts with a hypothesis and supporting evidence.

If the hypothesis holds, the workflow can continue into remediation by rolling back a change, scaling a service, or adjusting a configuration. The agent provides the judgment; the workflow provides the execution. The operator stays in the loop to approve critical decisions and intervene when needed.

The result is faster time to resolution without giving up oversight or control.

Get started with Elastic Workflows

Elastic Workflows is available now as a technical preview. Get started with an Elastic Cloud trial, and check out the documentation.

We're continuing to build out prebuilt workflows and agent integrations to help teams automate more of their work. If you've been looking for a way to bring automation closer to your data without sacrificing reliability or flexibility, this is a good place to start.

For a deeper technical dive, see the Workflows technical blog.
