Step type index
Every step type available for Elastic Workflows, ordered alphabetically. Use this lookup when you know the step ID and want the reference fast.
| Step type | Category | What it does |
|---|---|---|
| ai.agent | AI | Invoke an Elastic Agent Builder agent as a step. |
| ai.classify | AI | Classify input into a fixed category set. |
| ai.prompt | AI | Prompt a model, optionally with structured output. |
| ai.summarize | AI | Summarize content with an LLM. |
| cases.addAlerts | Cases | Attach detection alerts to a case. |
| cases.addComment | Cases | Add a comment to a case. |
| cases.addEvents | Cases | Attach events to a case. |
| cases.addObservables | Cases | Add observables (IPs, hashes, domains) to a case. |
| cases.addTags | Cases | Add tags to a case. |
| cases.assignCase | Cases | Assign a case to one or more users. |
| cases.closeCase | Cases | Close a case. |
| cases.createCase | Cases | Create a case. |
| cases.createCaseFromTemplate | Cases | Create a case from a template. |
| cases.deleteCases | Cases | Delete one or more cases. |
| cases.deleteObservable | Cases | Delete an observable from a case. |
| cases.findCases | Cases | Search for cases. |
| cases.findSimilarCases | Cases | Find cases similar to a given case. |
| cases.getAllAttachments | Cases | List every attachment on a case. |
| cases.getCase | Cases | Fetch a case by ID. |
| cases.getCases | Cases | Fetch multiple cases by ID. |
| cases.getCasesByAlertId | Cases | Find cases containing a specific alert. |
| cases.setCategory | Cases | Set a case's category. |
| cases.setCustomField | Cases | Set a custom field on a case. |
| cases.setDescription | Cases | Update a case's description. |
| cases.setSeverity | Cases | Set a case's severity. |
| cases.setStatus | Cases | Set a case's status. |
| cases.setTitle | Cases | Update a case's title. |
| cases.unassignCase | Cases | Remove assignees from a case. |
| cases.updateCase | Cases | Update one case's fields. |
| cases.updateCases | Cases | Bulk update multiple cases. |
| cases.updateObservable | Cases | Update an observable. |
| console | HTTP and console | Log a message to the workflow execution view. |
| data.aggregate | Data | Group and aggregate a collection. |
| data.concat | Data | Concatenate arrays. |
| data.dedupe | Data | Remove duplicates from an array. |
| data.filter | Data | Keep elements matching a KQL predicate. |
| data.find | Data | Return the first element matching a KQL predicate. |
| data.map | Data | Transform each element of an array. |
| data.parseJson | Data | Parse a JSON string into an object. |
| data.regexExtract | Data | Extract fields from a string using regex. |
| data.regexReplace | Data | Replace regex matches in a string. |
| data.set | Data | Set named variables in the workflow context. |
| data.stringifyJson | Data | Serialize an object to a JSON string. |
| elasticsearch.bulk | Elasticsearch | Bulk index, update, or delete documents. |
| elasticsearch.esql.query | Elasticsearch | Run an ES\|QL query. |
| elasticsearch.index | Elasticsearch | Index one document. |
| elasticsearch.indices.create | Elasticsearch | Create an index. |
| elasticsearch.indices.delete | Elasticsearch | Delete one or more indices. |
| elasticsearch.indices.exists | Elasticsearch | Check whether indices exist. |
| elasticsearch.request | Elasticsearch | Generic Elasticsearch API escape hatch. |
| elasticsearch.search | Elasticsearch | Run a search. |
| elasticsearch.update | Elasticsearch | Update one document. |
| foreach | Flow control | Iterate over a collection. |
| http | HTTP and console | Call any external HTTP API. |
| if | Flow control | Conditional branching. |
| kibana.request | Kibana | Generic Kibana API escape hatch. |
| kibana.SetAlertsStatus | Kibana | Update detection alert status. PascalCase. |
| kibana.SetAlertTags | Kibana | Add or remove tags on detection alerts. PascalCase. |
| kibana.streams.get | Streams (tech preview) | Fetch a stream by name. |
| kibana.streams.getSignificantEvents | Streams (tech preview) | Get significant events for a stream. |
| kibana.streams.list | Streams (tech preview) | List available streams. |
| loop.break | Flow control | Exit the innermost loop. |
| loop.continue | Flow control | Skip to the next iteration. |
| switch | Flow control | Multi-way dispatch. |
| wait | Flow control | Pause for a fixed duration. |
| waitForInput | Flow control | Pause for human input (human-in-the-loop). |
| while | Flow control | Loop while a condition holds. |
| workflow.execute | Composition (tech preview) | Run a child workflow synchronously. |
| workflow.executeAsync | Composition (tech preview) | Fire-and-forget child workflow. |
| workflow.fail | Composition (tech preview) | Terminate the workflow as failed. |
| workflow.output | Composition (tech preview) | Emit the final outputs of a workflow. |

In addition to the steps listed previously, every configured Kibana connector exposes one or more <connector>.<action> step types. Common examples include:
- slack.postMessage: post a message to a Slack channel.
- jira.createIssue: create a Jira issue.
- pagerduty.triggerIncident: page an on-call rotation.
- virustotal.scanFileHash: scan a file hash.

Because the available connector steps depend on which connectors your deployment has configured, they aren't enumerated here. Refer to the Kibana connectors reference for the full catalog.
The following deprecated step types still work in existing workflows but can't be used in new ones. Refer to the migration guide for full replacement details.
| Deprecated | Replacement |
|---|---|
| kibana.createCaseDefaultSpace | cases.createCase |
| kibana.getCaseDefaultSpace | cases.getCase |
| kibana.updateCaseDefaultSpace | cases.updateCase |
| kibana.addCaseCommentDefaultSpace | cases.addComment |

- Steps overview: Common fields every step accepts.
- Cheat sheet: Step menu organized by intent rather than alphabetically.
- elastic/workflows library: 57 example workflows that exercise these step types.