---
title: Automate security operations
description: Use workflows to automate security alert response, case creation, enrichment, and notification routing in Elastic Security.
url: https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/use-cases/security/automate-security-operations
products:
  - Elastic Cloud Enterprise
  - Elastic Cloud Hosted
  - Elastic Cloud Serverless
  - Elastic Cloud on Kubernetes
  - Elastic Stack
  - Kibana
applies_to:
  - Elastic Cloud Serverless: Preview
  - Elastic Stack: Preview since 9.3
---

# Automate security operations
Use workflows to close the loop between detection and response. When a detection or alerting rule fires, a workflow can enrich the alert with additional context, create or update a case, notify the right channel, and take follow-up actions, all without leaving Elastic.

This section describes common security automation patterns you can build with workflows today. Each pattern uses capabilities that already exist in the workflow engine: [alert triggers](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/triggers/alert-triggers), [Elasticsearch action steps](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/steps/elasticsearch), [Kibana action steps](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/steps/kibana), [AI steps](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/steps/ai-steps), and [external system connectors](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/steps/external-systems-apps).

## What you can automate

The following patterns map directly to workflow building blocks:
- **Respond to alerts automatically.** An [alert trigger](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/triggers/alert-triggers) starts the workflow when a detection rule or alerting rule fires. The full alert context is available as `event.alerts[*]`, so later steps can query additional data, build case content, and route notifications based on alert fields.
- **Create and populate cases.** The `kibana.createCaseDefaultSpace` action opens an Elastic Security case with fields populated from the alert. Refer to [Kibana action steps](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/steps/kibana) for the full list of named case actions.
- **Route by severity or entity.** Use [`if` steps](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/steps/if) to branch on alert severity, host, user, or rule name, and send notifications to different Slack channels, PagerDuty services, or Jira projects.
- **Enrich alerts with external context.** Use [HTTP actions](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/steps/external-systems-apps) to pull data from threat intelligence APIs, CMDBs, or identity providers, then write the enriched record back to Elasticsearch or into the case body.
- **Investigate with AI assistance.** An [AI step](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/steps/ai-steps) can call an Elastic Agent Builder agent to summarize an alert, classify severity, or draft a triage note for the workflow to attach to the case.
## Example flow

A typical automated alert response workflow has the shape:
1. **Alert trigger** fires when a detection rule matches.
2. **Elasticsearch step** queries surrounding host and user context.
3. **If step** evaluates severity.
4. **Kibana step** creates a case with pre-populated fields.
5. **AI step** calls an Elastic Agent Builder agent for a triage summary and appends it to the case.
6. **Connector step** posts a notification to Slack or PagerDuty.

For a complete YAML example that creates a case from a step output, refer to the [Chain steps to move output data](/elastic/docs-builder/docs/3109/explore-analyze/workflows/authoring-techniques/pass-data-handle-errors#workflows-chain-steps-example) example.
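The six-step flow above written out as one workflow definition, added here as an illustration and not taken from the Elastic docs or the `elastic/workflows` repo. The step types named on this page (`kibana.createCaseDefaultSpace`, `ai.agent`, `if`, Elasticsearch and connector steps) are real; the remaining keys, the condition syntax, the alert field paths, the step output fields, and every connector and agent ID are assumptions or placeholders to check against the step reference pages before use.

```yaml
version: "1"
name: security-alert-response
enabled: true
triggers:
  - type: alert          # runs when the linked detection rule creates alerts
steps:
  # 1. Query surrounding context: last hour of events from the host in the first alert (field paths assumed).
  - name: host_context
    type: elasticsearch.search
    with:
      index: "logs-*"
      query:
        bool:
          filter:
            - term: { "host.name": "{{ event.alerts[0].host.name }}" }
            - range: { "@timestamp": { gte: "now-1h" } }
  # 2. Open a Security case pre-populated from the alert and the query result (output shape assumed).
  - name: open_case
    type: kibana.createCaseDefaultSpace
    with:
      title: "{{ event.alerts[0].kibana.alert.rule.name }} on {{ event.alerts[0].host.name }}"
      description: "Opened by workflow. Host events in last hour: {{ steps.host_context.output.hits.total.value }}"
      tags: ["auto-triage"]
      owner: securitySolution
      settings: { syncAlerts: true }
      connector: { id: none, name: none, type: .none, fields: null }
  # 3. Ask an Agent Builder agent for a triage note (agent and connector IDs are placeholders).
  - name: triage_note
    type: ai.agent
    connector-id: my-llm-connector
    with:
      agent_id: security-triage-agent-placeholder
      message: "Summarize this alert for an analyst: {{ event.alerts[0] }}"
  # 4. Branch on severity: page on-call for critical alerts, otherwise post to Slack.
  - name: route_by_severity
    type: if
    condition: "{{ event.alerts[0].kibana.alert.severity }} == 'critical'"
    steps:
      - name: page_oncall
        type: pagerduty
        connector-id: my-pagerduty-connector
        with:
          summary: "Critical alert, case {{ steps.open_case.output.id }} opened"
    else:
      - name: notify_slack
        type: slack
        connector-id: my-slack-connector
        with:
          message: "Case {{ steps.open_case.output.id }} opened. Triage: {{ steps.triage_note.output }}"
```

To keep the example short, the triage note travels with the notification instead of being appended to the case; a Kibana case-comment action after step 3 would attach it to the case as the flow above describes.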

## Learn more

- [Alert triggers](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/triggers/alert-triggers): Configure a detection or alerting rule to invoke a workflow.
- [Kibana action steps](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/steps/kibana): Reference for case, alert, and other Kibana API actions.
- [AI steps](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/workflows/steps/ai-steps): Reference for `ai.prompt` and `ai.agent` steps.
- [Elastic Agent Builder for Elastic Security](https://www.elastic.co/elastic/docs-builder/docs/3109/solutions/security/ai/agent-builder/agent-builder): How Agent Builder integrates with Security workflows.
- [Call Elastic Agent Builder agents from Elastic Workflows](https://www.elastic.co/elastic/docs-builder/docs/3109/explore-analyze/ai-features/agent-builder/agents-and-workflows): Detailed patterns for invoking AI agents from workflow steps.
- [`elastic/workflows` GitHub repo](https://github.com/elastic/workflows): Security-focused example workflows you can adapt.