Native automation with Elastic Workflows — No SOAR required

Elastic Workflows brings automation directly into Elastic Security. Execute defined tasks from playbooks while AI agents reason through complex investigations to shut down threats faster.


Elastic Workflows, now in technical preview, brings native automation to Elastic Security, the agentic security operations platform that already includes unified SIEM and XDR. Stop paying the automation tax. There is no separate SOAR tool to buy, integrate, or maintain.

Built natively inside Elastic Security, Workflows has direct access to your alerts, cases, and investigation data. Eliminate manual triage by executing defined tasks from playbooks while AI agents reason through complex investigations to shut down threats faster.

The challenge: The automation tax and forced trade-offs

Security teams can't keep pace with growing alert volumes and AI-driven threats. Automation is essential. But the legacy approach of buying a standalone SOAR to bolt onto your SIEM has created its own category of problems. The result is an automation tax on the SOC.

SOAR sits apart from your security data. This forces teams to build and maintain brittle integrations just to act on what the SIEM already knows. That means more vendors, more costs, and more complexity, along with analysts burning hours on integration overhead instead of investigating threats. According to the State of the SOC report, the average SOC operates across 11 security consoles, and 91% of security leaders trace a serious incident directly back to the friction between their disconnected tools.

And teams face a trade-off between reliability and reasoning. Traditional playbooks handle defined tasks with consistency but can't adapt when an investigation doesn't match a known pattern. AI tools offer reasoning but often lack the reliability that security operations require.

Elastic Workflows: End the automation tax

Instead of maintaining a separate automation platform, Workflows runs natively in Elastic Security — no complex integration to build and no data to move between platforms. Close proximity to your data gives automation richer context and faster execution. 

Defined in YAML, Workflows are executed by a built-in engine designed for reliability at scale. They are fully composable and event-driven, responding to alerts, schedules, external system events, and analyst-initiated actions.

[Figure: traditional triage]

Once running, Workflows connects seamlessly to external systems that your SOC depends on, such as cloud providers, identity platforms, service desks, and messaging tools, allowing a single automation to synchronize context across your security stack. 


Workflows and agents for intelligent automation

Elastic Workflows combines scripted automation with AI reasoning. Execute defined tasks from playbooks with consistency and reliability, while AI agents reason through complex investigations.

Workflows gets its agentic capabilities through integration with Elastic Agent Builder, a native capability of Elasticsearch for creating custom AI agents. The integration works in both directions. Workflows can call agents as intelligent steps for analysis and decision-making. Agents can invoke Workflows as tools to take concrete actions, such as isolating a host, querying threat intel, escalating an incident, or updating a case. Each action and reasoning step is transparent and configurable.

[Figure: threat hunting agent]

Because Elastic Security is built on the Elasticsearch Platform, agents reason with superior context from your security data, delivering more accurate results tailored to your environment. AI Skills will extend this by giving agents modular, domain-specific reasoning like alert triage or malware analysis that loads dynamically on demand, keeping agents fast and accurate at scale.

Here's what that looks like in practice. Imagine an alert fires for a suspicious login from an unrecognized location on a high-privilege account. Normally, this is where your manual work begins. But with Workflows, the moment that alert triggers, the system immediately begins verifying the user's typical behavior, checking for other recent sign-in anomalies, and bundling the findings into a new case while alerting the team on Slack.

If there isn't a defined playbook for automatically triaging this specific scenario, the workflow can call an AI agent to step in. The agent analyzes the activity, compares it against known attack patterns, and provides a summary of what actually happened. By the time an analyst opens the case, they aren't starting with a vague alert and a blank screen; they are starting with context already assembled.
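To make the flow described above concrete, here is an added example in Python that models the triage logic of this scenario: build the user's location baseline, check the last 24 hours for other anomalies, bundle findings into a case, send a notification, and fall back to an agent step only when no defined playbook covers the scenario. It is not Elastic's Workflows YAML or engine code, and it calls no Elastic API; the `SignIn`, `LoginAlert` and `Case` types, the `PLAYBOOKS` table, the `build_agent_request` hand-off and the sign-in history are constructed assumptions for demonstration. It also generalizes slightly beyond the post's single case by handling the "known location" and "new location without failures" scenarios through playbooks, so the agent fallback is reached only for the uncovered one.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class SignIn:          # one authentication event (constructed type)
    user: str
    ts: datetime
    country: str
    success: bool


@dataclass
class LoginAlert:      # the alert that fires for a suspicious login (constructed type)
    user: str
    ts: datetime
    country: str
    privileged: bool


@dataclass
class Case:            # the case the workflow assembles for the analyst (constructed type)
    title: str
    findings: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    scenario: str = ""
    agent_request: str = ""   # populated only when no playbook covers the scenario


NOW = datetime(2025, 1, 15, 9, 0)  # fixed "current time" so the demo is deterministic

# Constructed sign-in history, not real telemetry
HISTORY = [
    SignIn("admin.kim", NOW - timedelta(days=20), "DE", True),
    SignIn("admin.kim", NOW - timedelta(days=9), "DE", True),
    SignIn("admin.kim", NOW - timedelta(days=2), "NL", True),
    SignIn("admin.kim", NOW - timedelta(hours=5), "DE", False),
    SignIn("admin.kim", NOW - timedelta(hours=4), "DE", False),
    SignIn("admin.kim", NOW - timedelta(hours=1), "BR", True),
    SignIn("jdoe", NOW - timedelta(days=3), "DE", True),
]


def typical_countries(history, user, baseline_days=30, recent_hours=24, now=NOW):
    """Baseline: countries with successful sign-ins in the baseline window.
    The most recent `recent_hours` are excluded so the event under
    investigation cannot vouch for itself."""
    start = now - timedelta(days=baseline_days)
    end = now - timedelta(hours=recent_hours)
    return {s.country for s in history
            if s.user == user and s.success and start <= s.ts < end}


def recent_anomalies(history, user, baseline, recent_hours=24, now=NOW):
    """Other signals in the recent window: failed attempts and successful
    sign-ins from countries outside the baseline."""
    start = now - timedelta(hours=recent_hours)
    recent = [s for s in history if s.user == user and start <= s.ts <= now]
    return {
        "failed": sum(1 for s in recent if not s.success),
        "new_country_successes": sorted({s.country for s in recent
                                         if s.success and s.country not in baseline}),
    }


def classify(alert, baseline, anomalies):
    """Map the evidence to a named scenario that a playbook may or may not cover."""
    if alert.country in baseline:
        return "known_location"
    if alert.privileged and anomalies["failed"] > 0:
        return "privileged_new_location_after_failures"
    return "new_location"


# Defined playbooks: scenario -> action. Deliberately incomplete, so one
# scenario has to fall through to the agent step.
PLAYBOOKS = {
    "known_location": lambda alert, case: "playbook: location in baseline, close as benign",
    "new_location": lambda alert, case: "playbook: force MFA re-verification, keep case open",
}


def build_agent_request(alert, case):
    """Assemble the context an agent step would reason over. This models the
    hand-off only; it does not call any real agent API."""
    lines = [f"Investigate {alert.user} sign-in from {alert.country} at {alert.ts:%Y-%m-%d %H:%M}"]
    lines += [f"- {f}" for f in case.findings]
    lines.append("Compare against known attack patterns and summarize what happened.")
    return "\n".join(lines)


def triage_login_alert(alert, history, playbooks=PLAYBOOKS, now=NOW):
    """The automated flow from the post: verify typical behaviour, check other
    recent anomalies, bundle the findings into a case, notify the team, and
    fall back to an agent step when no playbook matches."""
    case = Case(title=f"Suspicious login: {alert.user} from {alert.country}")
    baseline = typical_countries(history, alert.user, now=now)
    anomalies = recent_anomalies(history, alert.user, baseline, now=now)
    case.findings.append(f"baseline countries: {sorted(baseline) or 'none'}")
    case.findings.append(f"failed sign-ins last 24h: {anomalies['failed']}")
    if anomalies["new_country_successes"]:
        case.findings.append(
            f"successes from non-baseline countries: {anomalies['new_country_successes']}")
    case.scenario = classify(alert, baseline, anomalies)
    handler = playbooks.get(case.scenario)
    if handler is not None:
        case.findings.append(handler(alert, case))
    else:
        case.agent_request = build_agent_request(alert, case)
        case.findings.append("no playbook for scenario; handed to agent step")
    # Stand-in for the Slack notification the post describes
    case.notifications.append(f"#soc-alerts: {case.title} [{case.scenario}]")
    return case


if __name__ == "__main__":
    result = triage_login_alert(LoginAlert("admin.kim", NOW, "BR", privileged=True), HISTORY)
    print(result.title, "->", result.scenario)
    for finding in result.findings:
        print(" -", finding)
    if result.agent_request:
        print(result.agent_request)
```

The baseline window deliberately stops 24 hours before "now" so that the sign-in which triggered the alert cannot enter the user's own baseline and whitewash itself; the recent window is then examined separately for failed attempts and new countries. The playbook table is keyed by the classified scenario, so adding coverage later is a matter of adding an entry rather than changing the triage function.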


Using Workflows enabled our SOC to spend so much more time on the things that matter. On a daily basis, we ran through 500 alerts, spending 3 hours creating cases and enriching them manually. Using Workflows, this is all done automatically, saving up to 2.5 hours a day.

SOC leader, European government agency

For teams with an existing SOAR

If your team already has a SOAR platform, Workflows doesn't require you to replace it. Automation that touches your Elastic data, such as alert triage, enrichment, case management, and response actions, moves natively into Workflows. Cross-platform orchestration across non-Elastic systems stays in your existing SOAR. Over time, you can consolidate at your own pace.

Get started with Elastic Workflows

Elastic Workflows is available now as a technical preview in Elastic Security, the agentic security operations platform. General availability is coming soon. Get started with an Elastic Cloud trial, and check out the documentation.

For a hands-on walkthrough of building security playbooks with Workflows, watch the demo on YouTube or read the Security Labs technical blog.

If your team has been looking for a way to automate SOC operations without adding another tool to your stack, this is a good place to start.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use. 

Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch B.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.