---
title: Observability workflows
description: Use workflows to respond to anomaly detection alerts, correlate signals across data sources, and automate scheduled data operations in Elastic Observability.
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/use-cases/observability
products:
  - Elastic Cloud Enterprise
  - Elastic Cloud Hosted
  - Elastic Cloud Serverless
  - Elastic Cloud on Kubernetes
  - Elastic Stack
  - Kibana
applies_to:
  - Elastic Cloud Serverless: Preview
  - Elastic Stack: Preview since 9.3
---

# Observability workflows
Observability signals (infrastructure metrics, application logs, traces, and anomaly detection results) generate the same kind of "observe a problem, do something about it" loop that security does. Use workflows to close that loop: correlate signals across sources, route to the right team, and run scheduled maintenance or reporting tasks.

## What you can automate

The following patterns use existing workflow capabilities:
- **Respond to anomaly detection alerts.** Configure an [alert trigger](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/triggers/alert-triggers) on an anomaly detection rule. The workflow runs with the alert's context, and can query log data in a window around the anomaly, enrich with host or service metadata, and open a case or post a notification.
- **Correlate signals across data sources.** Use [Elasticsearch search actions](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/steps/elasticsearch) to query metrics, logs, and traces in the same workflow, then combine results with [`if` steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/steps/if) to decide on next actions.
- **Automate scheduled data operations.** Use a [scheduled trigger](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/triggers/scheduled-triggers) to run periodic health checks, index rollover tasks, or data quality audits.
- **Analyze signals with AI.** Use [AI steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/steps/ai-steps) to have an agent interpret anomaly patterns or summarize a multi-signal investigation before the workflow takes action.


## Example flow

An anomaly response workflow has the following shape:
1. **Alert trigger** fires when an anomaly detection rule surfaces an anomaly.
2. **Elasticsearch step** queries log data in a window around `event.alerts[0].kibana.alert.start`.
3. **AI step** calls an Elastic Agent Builder agent to interpret the pattern.
4. **Kibana step** creates a case with the anomaly details and the agent's interpretation.
5. **Connector step** posts a summary to the on-call channel.
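
The search body that step 2 needs can be sketched as follows. This is an added example, not Elastic's workflow YAML or code from this documentation. It assumes logs carry the ECS fields `@timestamp` and `host.name`, that the alert may expose `host.name`, and the window and size defaults shown; `get_path`, `utc_iso`, and `build_window_search` are hypothetical helper names.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the context an alert trigger hands to a workflow.
# Only kibana.alert.start appears on the page; host.name is an assumption.
SAMPLE_EVENT = {"alerts": [{
    "kibana": {"alert": {"start": "2025-03-04T10:15:30.000Z"}},
    "host": {"name": "web-01"},
}]}

def get_path(doc, dotted):
    """Read a field stored either nested or as one flattened dotted key."""
    if dotted in doc:
        return doc[dotted]
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def utc_iso(ts):
    """Format an aware datetime as UTC with millisecond precision."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def build_window_search(event, before=timedelta(minutes=15),
                        after=timedelta(minutes=5), size=200):
    """Build a bounded search body for logs around alerts[0].kibana.alert.start."""
    alerts = event.get("alerts") or []
    if not alerts:
        raise ValueError("event carries no alerts")
    raw = get_path(alerts[0], "kibana.alert.start")
    if not raw:
        raise ValueError("alert has no kibana.alert.start")
    start = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if start.tzinfo is None:
        start = start.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
    filters = [{"range": {"@timestamp": {"gte": utc_iso(start - before),
                                         "lte": utc_iso(start + after)}}}]
    host = get_path(alerts[0], "host.name")
    if host:
        # term filter: the alert's value is matched exactly, not parsed as query syntax
        filters.append({"term": {"host.name": host}})
    # Explicit size and sort keep the result bounded and in time order.
    return {"size": size, "sort": [{"@timestamp": "asc"}],
            "query": {"bool": {"filter": filters}}}

if __name__ == "__main__":
    print(json.dumps(build_window_search(SAMPLE_EVENT), indent=2))
```
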


## Learn more

- [Alert triggers](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/triggers/alert-triggers): Use anomaly detection or alerting rules to invoke a workflow.
- [Scheduled triggers](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/triggers/scheduled-triggers): Run a workflow on a fixed schedule.
- [Elasticsearch action steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/steps/elasticsearch): Reference for search, index, and request actions.
- [Elastic Agent Builder for Observability](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/solutions/observability/ai/agent-builder-observability): How Agent Builder integrates with observability workflows.