Observability workflows
Observability signals (infrastructure metrics, application logs, traces, and anomaly detection results) generate the same kind of "observe a problem, do something about it" loop that security does. Use workflows to close that loop: correlate signals across sources, route to the right team, and run scheduled maintenance or reporting tasks.
The following patterns use existing workflow capabilities:
- Respond to anomaly detection alerts. Configure an alert trigger on an anomaly detection rule. The workflow runs with the alert's context and can query log data in a window around the anomaly, enrich it with host or service metadata, and open a case or post a notification.
- Correlate signals across data sources. Use Elasticsearch search actions to query metrics, logs, and traces in the same workflow, then combine the results with `if` steps to decide on next actions.
- Automate scheduled data operations. Use a scheduled trigger to run periodic health checks, index rollover tasks, or data quality audits.
- Analyze signals with AI. Use AI steps to have an agent interpret anomaly patterns or summarize a multi-signal investigation before the workflow takes action. Keep the decision about which action to take in deterministic steps (`if` conditions on queried data) and pass the agent's interpretation along as context for the people who receive the case or notification.
An anomaly response workflow has the shape:
- Alert trigger fires when an anomaly detection rule surfaces an anomaly.
- Elasticsearch step queries log data in a window around `event.alerts[0].kibana.alert.start`.
- AI step calls an Elastic Agent Builder agent to interpret the pattern.
- Kibana step creates a case with the anomaly details and the agent's interpretation.
- Connector step posts a summary to the on-call channel.
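The query-building and decision logic behind the correlation pattern and the anomaly response shape above, as an added worked example in Python. This is not Kibana Workflows code and not a workflow definition: it shows what the Elasticsearch search steps would send and how the `if` decision can be made from the combined log and metric results. The alert payload, the search hits, the ±15 minute window, and the thresholds are constructed for the example; apart from `kibana.alert.start`, the field paths in the alert document are assumed.

```python
from datetime import datetime, timedelta

# Constructed sample alert payload shaped like the alert trigger context.
# Only kibana.alert.start is taken from the page; the other paths are assumed.
ALERT_EVENT = {
    "alerts": [
        {
            "kibana": {"alert": {"start": "2025-03-04T10:12:00.000Z",
                                 "rule": {"name": "checkout latency anomaly"}}},
            "host": {"name": "web-03"},
            "service": {"name": "checkout"},
        }
    ]
}

# Constructed hits standing in for what the log and metric search steps return
# (flattened field names, as in an Elasticsearch `fields` response).
LOG_HITS = [
    {"@timestamp": "2025-03-04T10:10:02Z", "host.name": "web-03", "log.level": "error", "message": "upstream timeout"},
    {"@timestamp": "2025-03-04T10:11:40Z", "host.name": "web-03", "log.level": "error", "message": "upstream timeout"},
    {"@timestamp": "2025-03-04T10:11:55Z", "host.name": "web-03", "log.level": "info", "message": "retry ok"},
    {"@timestamp": "2025-03-04T10:13:10Z", "host.name": "web-07", "log.level": "error", "message": "disk full"},
]
METRIC_HITS = [
    {"@timestamp": "2025-03-04T10:11:00Z", "host.name": "web-03", "system.cpu.total.norm.pct": 0.97},
    {"@timestamp": "2025-03-04T10:12:00Z", "host.name": "web-03", "system.cpu.total.norm.pct": 0.99},
    {"@timestamp": "2025-03-04T10:12:00Z", "host.name": "web-07", "system.cpu.total.norm.pct": 0.31},
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def alert_window(alert, minutes=15):
    """Return (start, end) bracketing kibana.alert.start by +/- `minutes`."""
    start = parse_ts(alert["kibana"]["alert"]["start"])
    delta = timedelta(minutes=minutes)
    return start - delta, start + delta


def window_query(alert, index_pattern, field_filters, minutes=15):
    """Build the search body an Elasticsearch step would send: a bool filter on
    the time window plus exact-match terms (host, service) for enrichment."""
    lo, hi = alert_window(alert, minutes)
    filters = [{"range": {"@timestamp": {"gte": lo.isoformat(), "lte": hi.isoformat()}}}]
    filters += [{"term": {field: value}} for field, value in field_filters.items()]
    return {
        "index": index_pattern,
        "size": 100,
        "sort": [{"@timestamp": "asc"}],
        "query": {"bool": {"filter": filters}},
    }


def correlate(alert, log_hits, metric_hits, minutes=15, error_threshold=2, cpu_threshold=0.9):
    """Join log and metric hits on host.name inside the alert window and pick
    the next action deterministically (the role of the workflow's `if` steps)."""
    host = alert["host"]["name"]
    lo, hi = alert_window(alert, minutes)

    def in_window(hit):
        return lo <= parse_ts(hit["@timestamp"]) <= hi

    logs = [h for h in log_hits if h["host.name"] == host and in_window(h)]
    metrics = [h for h in metric_hits if h["host.name"] == host and in_window(h)]
    errors = sum(1 for h in logs if h["log.level"] == "error")
    peak_cpu = max((h["system.cpu.total.norm.pct"] for h in metrics), default=0.0)
    saturated = peak_cpu >= cpu_threshold

    if errors >= error_threshold and saturated:
        action = "open_case_and_page"      # both signals agree: case plus on-call notification
    elif errors >= error_threshold or saturated:
        action = "open_case"               # one signal: record it, no page
    else:
        action = "notify_only"             # nothing corroborating: post a summary

    rule = alert["kibana"]["alert"]["rule"]["name"]
    return {
        "host": host,
        "errors": errors,
        "peak_cpu": peak_cpu,
        "action": action,
        "summary": f"{rule}: {errors} error log(s), peak CPU {peak_cpu:.0%} on {host}",
    }


if __name__ == "__main__":
    alert = ALERT_EVENT["alerts"][0]
    print(window_query(alert, "logs-*", {"host.name": alert["host"]["name"]}))
    print(correlate(alert, LOG_HITS, METRIC_HITS))
```

The window is anchored on the alert start rather than on the time the workflow runs, so a delayed execution still examines the right slice of data. The decision uses only queried values; an agent's interpretation, where one is added, is attached to the case text and does not choose the action.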
Related pages:
- Alert triggers: Use anomaly detection or alerting rules to invoke a workflow.
- Scheduled triggers: Run a workflow on a fixed schedule.
- Elasticsearch action steps: Reference for search, index, and request actions.
- Elastic Agent Builder for Observability: How Agent Builder integrates with observability workflows.