Action steps
Action steps are the building blocks that perform tasks in your workflows. They are the operations that do the work, such as searching data, calling an API, managing cases, or interacting with external systems.
Action steps are organized into the following categories.
Elasticsearch actions provide native integration with Elasticsearch APIs. These actions are automatically authenticated and offer a simplified interface for common operations. Use Elasticsearch actions to:
- Search and query data
- Index new documents
- Update or delete existing documents
- Manage indices and data streams
Refer to Elasticsearch action steps for more information.
Kibana actions provide native integration with Kibana APIs. Like Elasticsearch actions, they're automatically authenticated. Use Kibana actions to:
- Change detection alert status or tags (kibana.SetAlertsStatus, kibana.SetAlertTags)
- Call any Kibana API through the kibana.request step
Refer to Kibana action steps for more information.
Cases actions provide 27 step types for creating, querying, updating, and managing the lifecycle of cases in Elastic Security and other Cases-enabled apps. Use Cases actions to:
- Create cases with a full schema or from a template
- Attach alerts, events, observables, and comments
- Assign, tag, categorize, and close cases
- Find cases by criteria or similarity
Refer to Cases action steps for the complete 27-step catalog.
Streams actions let workflows operate on Observability Streams. Use Streams actions to:
- List available streams
- Fetch a specific stream
- Pull significant events from a stream's time window
Refer to Streams action steps for more information.
External actions let workflows communicate with third-party systems using connectors. Use external actions to:
- Send notifications to Slack or email
- Create incidents in ServiceNow
- Create issues in Jira
- Call any external API using HTTP requests
Refer to External systems and apps steps for more information.