Observability workflows

Observability signals (infrastructure metrics, application logs, traces, and anomaly detection results) produce the same "observe a problem, do something about it" loop that security alerts do. Use workflows to close that loop: correlate signals across sources, route them to the right team, and run scheduled maintenance or reporting tasks.

The following patterns use existing workflow capabilities:

  • Respond to anomaly detection alerts. Configure an alert trigger on an anomaly detection rule. The workflow runs with the alert's context, and can query log data in a window around the anomaly, enrich with host or service metadata, and open a case or post a notification.
  • Correlate signals across data sources. Use Elasticsearch search actions to query metrics, logs, and traces in the same workflow, then combine results with if steps to decide on next actions. Use data action steps to filter, group, and deduplicate results before acting on them.
  • Automate scheduled data operations. Use a scheduled trigger to run periodic health checks, index rollover tasks, or data quality audits.
  • Analyze signals with AI. Use AI steps to summarize a multi-signal investigation with ai.summarize, classify anomaly shapes with ai.classify, or invoke an Elastic Agent Builder agent with ai.agent before the workflow takes action.
  • Operate on Observability Streams. Use Streams action steps to list available streams and pull significant events into a workflow for further processing.

An anomaly response workflow typically has this shape:

  1. Alert trigger fires when an anomaly detection rule surfaces an anomaly.
  2. Elasticsearch step queries log data in a window around event.alerts[0].kibana.alert.start (the anomaly's start time, not the time the workflow ran).
  3. AI step calls an Elastic Agent Builder agent to interpret the pattern.
  4. Kibana step creates a case with the anomaly details and the agent's interpretation.
  5. Connector step posts a summary to the on-call channel.
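The parts of that shape a workflow author has to get right are the query window derived from the alert context, the Elasticsearch query body, and the data step that reduces raw hits to something an AI step or a case can use. The following is an added example, not code from the page or from the Kibana workflow engine: it works the same logic out in plain Python over constructed data. The alert context follows the event.alerts[0].kibana.alert.start path named above, the query uses the public Elasticsearch Query DSL, the field names (host.name, log.level, message, @timestamp) are ECS, and the 15-minutes-before / 5-minutes-after window and the WARN/ERROR filter are assumptions chosen for illustration.

```python
"""Anomaly-response helpers: alert window, log query body, and the
data step that filters, groups and deduplicates hits (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed alert context in the shape the alert trigger passes in
# (event.alerts[0]); only kibana.alert.start, rule name, host and service are used.
SAMPLE_EVENT = {
    "alerts": [{
        "kibana": {"alert": {
            "start": "2024-05-01T10:15:00.000Z",
            "rule": {"name": "Unusual response time"},
        }},
        "host": {"name": "web-01"},
        "service": {"name": "checkout"},
    }]
}

# Constructed log hits, shaped like hits[].hits[]._source of a search response.
SAMPLE_HITS = [
    {"@timestamp": "2024-05-01T10:03:10Z", "log.level": "INFO",  "message": "GET /cart 200 12ms"},
    {"@timestamp": "2024-05-01T10:09:41Z", "log.level": "ERROR", "message": "upstream timeout contacting payments"},
    {"@timestamp": "2024-05-01T10:10:02Z", "log.level": "ERROR", "message": "upstream timeout contacting payments"},
    {"@timestamp": "2024-05-01T10:12:55Z", "log.level": "WARN",  "message": "connection pool exhausted (max=50)"},
    {"@timestamp": "2024-05-01T10:14:30Z", "log.level": "ERROR", "message": "upstream timeout contacting payments"},
    {"@timestamp": "2024-05-01T10:16:00Z", "log.level": "INFO",  "message": "GET /cart 200 8ms"},
]


def _iso_z(dt):
    """Render an aware UTC datetime as an ISO-8601 string ending in Z."""
    return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def alert_window(event, minutes_before=15, minutes_after=5):
    """Return (start, end) bracketing the first alert's kibana.alert.start.

    Fails loudly when the context has no alert or no start time, so the
    workflow never falls through to an unbounded (or 'now'-anchored) query.
    """
    alerts = event.get("alerts") or []
    if not alerts:
        raise ValueError("alert context carries no alerts")
    start_raw = alerts[0].get("kibana", {}).get("alert", {}).get("start")
    if not start_raw:
        raise ValueError("first alert has no kibana.alert.start")
    start = datetime.fromisoformat(start_raw.replace("Z", "+00:00"))
    return (_iso_z(start - timedelta(minutes=minutes_before)),
            _iso_z(start + timedelta(minutes=minutes_after)))


def log_query(event, size=200):
    """Step 2: search body for the alerting host's logs in the anomaly window."""
    lo, hi = alert_window(event)
    filters = [{"range": {"@timestamp": {"gte": lo, "lte": hi}}}]
    host = event["alerts"][0].get("host", {}).get("name")
    if host:  # scope to the host only when the alert actually names one
        filters.append({"term": {"host.name": host}})
    return {"size": size, "sort": [{"@timestamp": "asc"}],
            "query": {"bool": {"filter": filters}}}


def summarize_hits(hits, levels=("WARN", "ERROR")):
    """Data step: keep WARN/ERROR lines, collapse repeats of the same
    message, and return groups with count and first/last seen, most
    frequent first. This is what the AI step or the case should receive."""
    groups = {}
    for h in hits:
        if h.get("log.level") not in levels:
            continue
        key = (h["log.level"], h["message"])
        g = groups.setdefault(key, {"level": key[0], "message": key[1], "count": 0,
                                    "first_seen": h["@timestamp"], "last_seen": h["@timestamp"]})
        g["count"] += 1
        # Timestamps share one fixed-width UTC format, so string order is time order.
        g["first_seen"] = min(g["first_seen"], h["@timestamp"])
        g["last_seen"] = max(g["last_seen"], h["@timestamp"])
    return sorted(groups.values(), key=lambda g: (-g["count"], g["first_seen"]))


def case_description(event, summary):
    """Step 4: the text a Kibana case (or on-call post) would carry."""
    alert = event["alerts"][0]
    lo, hi = alert_window(event)
    lines = [f"Anomaly: {alert['kibana']['alert']['rule']['name']} on "
             f"{alert.get('host', {}).get('name', 'unknown host')}",
             f"Log window: {lo} to {hi}"]
    lines += [f"- {g['level']} x{g['count']}: {g['message']} "
              f"({g['first_seen']} .. {g['last_seen']})" for g in summary]
    return "\n".join(lines)


if __name__ == "__main__":
    print(log_query(SAMPLE_EVENT))
    print(case_description(SAMPLE_EVENT, summarize_hits(SAMPLE_HITS)))
```

Two design points carry over to the real workflow: anchor the window on the alert's own start time rather than on "now" (a workflow that is retried or delayed would otherwise look at the wrong logs), and reduce hits to distinct messages with counts before handing them to an AI step, both to keep the prompt small and to make the case readable.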