Automate security operations

Use workflows to close the loop between detection and response. When a detection or alerting rule fires, a workflow can enrich the alert with additional context, create or update a case, notify the right channel, and take follow-up actions, all without leaving Elastic.

This section describes common security automation patterns you can build with workflows today. Each pattern uses capabilities that already exist in the workflow engine: alert triggers, Elasticsearch action steps, Kibana action steps, AI steps, and external system connectors.

The following patterns map directly to workflow building blocks:

  • Respond to alerts automatically. An alert trigger starts the workflow when a detection rule or alerting rule fires. The full alert context is available as event.alerts[*], so later steps can query additional data, build case content, and route notifications based on alert fields.
  • Create and populate cases. The kibana.createCaseDefaultSpace action opens an Elastic Security case with fields populated from the alert. Refer to Kibana action steps for the full list of named case actions.
  • Route by severity or entity. Use if steps to branch on alert severity, host, user, or rule name, and send notifications to different Slack channels, PagerDuty services, or Jira projects.
  • Enrich alerts with external context. Use HTTP actions to pull data from threat intelligence APIs, CMDBs, or identity providers, then write the enriched record back to Elasticsearch or into the case body.
  • Investigate with AI assistance. An AI step can call an Elastic Agent Builder agent to summarize an alert, classify severity, or draft a triage note for the workflow to attach to the case.

A typical automated alert response workflow has the following shape:

  1. Alert trigger fires when a detection rule matches.
  2. Elasticsearch step queries surrounding host and user context.
  3. If step evaluates severity.
  4. Kibana step creates a case with pre-populated fields.
  5. AI step calls an Elastic Agent Builder agent for a triage summary and appends it to the case.
  6. Connector step posts a notification to Slack or PagerDuty.
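The shape above written out as a workflow definition, added here as a sketch rather than taken from the Elastic documentation: the alert trigger, the if step and the kibana.createCaseDefaultSpace action are named on this page, while the remaining step type names, the with/condition/connector-id keys, the index pattern and the connector ids are assumptions to check against the Kibana action steps and connector references. The AI triage step is left out because its step type is not named here.

```yaml
version: "1"
name: auto-triage-by-severity
enabled: true

triggers:
  - type: alert                       # 1. starts when a detection or alerting rule fires

steps:
  # 2. Pull the last hour of activity for the host named in the first alert.
  - name: host_context
    type: elasticsearch.search        # assumed step type name
    with:
      index: logs-*                   # assumed index pattern
      size: 20
      query:
        bool:
          filter:
            - term:
                host.name: "{{ event.alerts[0].host.name }}"
            - range:
                "@timestamp": { gte: "now-1h" }

  # 3. Branch on severity: only high/critical alerts open a case and page on-call.
  - name: route_by_severity
    type: if
    condition: "{{ event.alerts[0].kibana.alert.severity }} in ['high', 'critical']"  # assumed condition syntax
    steps:
      # 4. Case populated from the alert, with the query result embedded for the analyst.
      - name: open_case
        type: kibana.createCaseDefaultSpace
        with:
          title: "{{ event.alerts[0].kibana.alert.rule.name }} on {{ event.alerts[0].host.name }}"
          description: |
            Severity: {{ event.alerts[0].kibana.alert.severity }}
            Host events in the last hour: {{ steps.host_context.output.hits.total.value }}
          tags: ["automated-triage"]
      # 6. Page the on-call rotation.
      - name: page_oncall
        type: pagerduty                 # assumed connector step type
        connector-id: pagerduty-soc     # assumed connector id
        with:
          summary: "Case opened for {{ event.alerts[0].kibana.alert.rule.name }}"
    else:
      # Lower-severity alerts only get a channel notification.
      - name: notify_channel
        type: slack                     # assumed connector step type
        connector-id: slack-secops      # assumed connector id
        with:
          message: "Low-priority alert: {{ event.alerts[0].kibana.alert.rule.name }}"
```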

For a complete YAML example that creates a case from a step output, refer to the Chain steps to move output data example.