Automate security operations

Use workflows to close the loop between detection and response. When a detection or alerting rule fires, a workflow can enrich the alert with additional context, create or update a case, notify the right channel, and take follow-up actions, all without leaving Elastic.

This section describes common security automation patterns you can build with workflows today. Each pattern uses capabilities that already exist in the workflow engine: alert triggers, Elasticsearch action steps, Cases action steps, AI steps, and external system connectors.

The following patterns map directly to workflow building blocks:

  • Respond to alerts automatically. An alert trigger starts the workflow when a detection rule or alerting rule fires. The full alert context is available as event.alerts[*], so later steps can query additional data, build case content, and route notifications based on alert fields.
  • Create and populate cases. Cases action steps give you 27 step types to create cases, attach alerts and observables, assign on-call reviewers, and manage the case lifecycle. Use cases.createCase to open a case from the alert payload, then cases.addAlerts and cases.addObservables to attach supporting evidence.
  • Route by severity or entity. Use if or switch steps to branch on alert severity, host, user, or rule name, and send notifications to different Slack channels, PagerDuty services, or Jira projects.
  • Enrich alerts with external context. Use HTTP actions to pull data from threat intelligence APIs, CMDBs, or identity providers, then write the enriched record back to Elasticsearch or into the case body.
  • Investigate with AI assistance. AI steps let a workflow classify alerts with ai.classify, summarize evidence with ai.summarize, or invoke an Elastic Agent Builder agent with ai.agent.
  • Gate destructive actions on human approval. Use human-in-the-loop with the waitForInput step to pause for analyst confirmation before the workflow isolates a host or blocks a user.

A typical automated alert response workflow has the shape:

  1. Alert trigger fires when a detection rule matches.
  2. Elasticsearch step queries surrounding host and user context.
  3. If step evaluates severity.
  4. Kibana step creates a case with pre-populated fields.
  5. AI step calls an Elastic Agent Builder agent for a triage summary and appends it to the case.
  6. Connector step posts a notification to Slack or PagerDuty.

For a complete YAML example that creates a case from a step output, refer to the Chain steps to move output data example.