Observability workflows

Observability signals (infrastructure metrics, application logs, traces, and anomaly detection results) generate the same kind of "observe a problem, do something about it" loop that security does. Use workflows to close that loop: correlate signals across sources, route to the right team, and run scheduled maintenance or reporting tasks.

The following patterns use existing workflow capabilities:

  • Respond to anomaly detection alerts. Configure an alert trigger on an anomaly detection rule. The workflow runs with the alert's context, and can query log data in a window around the anomaly, enrich with host or service metadata, and open a case or post a notification.
  • Correlate signals across data sources. Use Elasticsearch search actions to query metrics, logs, and traces in the same workflow, then combine results with if steps to decide on next actions.
  • Automate scheduled data operations. Use a scheduled trigger to run periodic health checks, index rollover tasks, or data quality audits.
  • Analyze signals with AI. Use AI steps to have an agent interpret anomaly patterns or summarize a multi-signal investigation before the workflow takes action.

An anomaly response workflow has the shape:

  1. Alert trigger fires when an anomaly detection rule surfaces an anomaly.
  2. Elasticsearch step queries log data in a window around event.alerts[0].kibana.alert.start.
  3. AI step calls an Elastic Agent Builder agent to interpret the pattern.
  4. Kibana step creates a case with the anomaly details and the agent's interpretation.
  5. Connector step posts a summary to the on-call channel.
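The query-and-decide part of that shape, as an added example that is not Kibana's own workflow code: it builds the Elasticsearch query DSL body a step 2 would run in a window around the alert start, and the if-step logic that combines the anomaly score with error-log volume to pick the next action. The alert dict, the 15-minute window, the field names beyond kibana.alert.start, and the thresholds are assumptions made for this example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed window either side of the anomaly start


def log_window_query(alert: dict, window: timedelta = WINDOW) -> dict:
    """Build an Elasticsearch query body for logs around the alert start.

    `alert` is one entry of event.alerts with ECS-flattened keys.
    kibana.alert.start is an ISO-8601 timestamp; host.name (assumed to be
    present in the alert context) scopes the search to the affected host.
    """
    start = datetime.fromisoformat(alert["kibana.alert.start"].replace("Z", "+00:00"))
    filters = [{"range": {"@timestamp": {
        "gte": (start - window).isoformat(),
        "lte": (start + window).isoformat()}}}]
    if "host.name" in alert:
        filters.append({"term": {"host.name": alert["host.name"]}})
    # Aggregate by log.level so the decision step sees error volume, not raw hits.
    return {"size": 0,
            "query": {"bool": {"filter": filters}},
            "aggs": {"by_level": {"terms": {"field": "log.level"}}}}


def decide_action(anomaly_score: float, level_buckets: list) -> str:
    """Mirror the workflow's if step: correlate anomaly score with error logs.

    `level_buckets` is the `by_level` terms aggregation result
    ([{"key": "error", "doc_count": 12}, ...]). Thresholds are illustrative.
    """
    errors = sum(b["doc_count"] for b in level_buckets
                 if b["key"] in ("error", "critical"))
    if anomaly_score >= 75 and errors > 0:
        return "create_case_and_notify"   # steps 4 and 5
    if anomaly_score >= 75 or errors > 50:
        return "notify"                   # step 5 only
    return "no_action"


if __name__ == "__main__":
    # Constructed sample alert context and aggregation result.
    alert = {"kibana.alert.start": "2025-01-05T10:30:00.000Z", "host.name": "web-01"}
    print(log_window_query(alert))
    buckets = [{"key": "error", "doc_count": 12}, {"key": "info", "doc_count": 900}]
    print(decide_action(82.0, buckets))  # create_case_and_notify
```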