﻿---
title: Automate security operations
description: Use workflows to automate security alert response, case creation, enrichment, and notification routing in Elastic Security.
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/use-cases/security/automate-security-operations
products:
  - Elastic Cloud Enterprise
  - Elastic Cloud Hosted
  - Elastic Cloud Serverless
  - Elastic Cloud on Kubernetes
  - Elastic Stack
  - Kibana
applies_to:
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Preview in 9.3
---

# Automate security operations

Use workflows to close the loop between detection and response. When a detection or alerting rule fires, a workflow can enrich the alert with additional context, create or update a case, notify the right channel, and take follow-up actions, all without leaving Elastic.

This section describes common security automation patterns you can build with workflows today. Each pattern uses capabilities that already exist in the workflow engine: [alert triggers](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/triggers/alert-triggers), [Elasticsearch action steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/steps/elasticsearch), [Cases action steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/steps/cases), [AI steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/steps/ai-steps), and [external system connectors](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/steps/external-systems-apps).

## What you can automate

The following patterns map directly to workflow building blocks:
- **Respond to alerts automatically.** An [alert trigger](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/triggers/alert-triggers) starts the workflow when a detection rule or alerting rule fires. The full alert context is available as `event.alerts[*]`, so later steps can query additional data, build case content, and route notifications based on alert fields.
- **Create and populate cases.** [Cases action steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/steps/cases) give you 27 step types to create cases, attach alerts and observables, assign on-call reviewers, and manage the case lifecycle. Use `cases.createCase` to open a case from the alert payload, then `cases.addAlerts` and `cases.addObservables` to attach supporting evidence.
- **Route by severity or entity.** Use [`if`](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/steps/if) or [`switch`](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/steps/switch) steps to branch on alert severity, host, user, or rule name, and send notifications to different Slack channels, PagerDuty services, or Jira projects.
- **Enrich alerts with external context.** Use [HTTP actions](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/steps/external-systems-apps) to pull data from threat intelligence APIs, CMDBs, or identity providers, then write the enriched record back to Elasticsearch or into the case body.
- **Investigate with AI assistance.** [AI steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/steps/ai-steps) let a workflow classify alerts with `ai.classify`, summarize evidence with `ai.summarize`, or invoke an Elastic Agent Builder agent with `ai.agent`.
- **Gate destructive actions on human approval.** Use [human-in-the-loop](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/authoring-techniques/human-in-the-loop) with the `waitForInput` step to pause for analyst confirmation before the workflow isolates a host or blocks a user.


## Example flow

A typical automated alert response workflow has the following shape:
1. **Alert trigger** fires when a detection rule matches.
2. **Elasticsearch step** queries surrounding host and user context.
3. **If step** evaluates severity.
4. **Kibana step** creates a case with pre-populated fields.
5. **AI step** calls an Elastic Agent Builder agent for a triage summary and appends it to the case.
6. **Connector step** posts a notification to Slack or PagerDuty.
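The six-step flow above written out as one workflow definition, added here as an illustration and not taken from the Elastic docs or the `elastic/workflows` repo. The alert trigger, `if`, `cases.createCase`, `cases.addAlerts`, `ai.agent`, and the `event.alerts[*]` context are named on this page; the `with:` field names, the `elasticsearch.search`, `elasticsearch.index`, and `slack` type names, the condition and `{{ }}` template syntax, the agent id, and the connector id are assumptions, and the triage summary is delivered in the notification because no case-comment step type is named on this page.

```yaml
# Added illustration of the six-step flow; not Elastic's own example.
# Step types and context paths named on the page are real; field names,
# the elasticsearch.*/slack type names, expression syntax, ids are assumed.
name: alert-triage-with-case
enabled: true
triggers:
  - type: alert                      # 1. starts when the detection rule fires
steps:
  - name: host_context               # 2. surrounding host events for context
    type: elasticsearch.search       # assumed type name
    with:
      index: logs-*
      size: 50
      query:
        bool:
          filter:
            - term: { "host.name": "{{ event.alerts[0].host.name }}" }
            - range: { "@timestamp": { gte: "now-1h" } }
  - name: severity_gate              # 3. branch on alert severity
    type: if
    condition: "{{ event.alerts[0].kibana.alert.severity }} in ['high', 'critical']"
    steps:
      - name: open_case              # 4. case pre-populated from the alert payload
        type: cases.createCase
        with:
          title: "{{ event.alerts[0].kibana.alert.rule.name }} on {{ event.alerts[0].host.name }}"
          description: "Opened by workflow. Host events in last hour: {{ steps.host_context.output.hits.total.value }}"
          tags: [workflow, auto-triage]
      - name: attach_alerts          # attach the triggering alerts as evidence
        type: cases.addAlerts
        with:
          caseId: "{{ steps.open_case.output.id }}"
          alerts: "{{ event.alerts }}"
      - name: triage_summary         # 5. Agent Builder triage summary
        type: ai.agent
        with:
          agentId: security-triage-agent   # assumed agent id
          input: "Triage this alert using the attached host context: {{ event.alerts[0] }} {{ steps.host_context.output.hits.hits }}"
      - name: notify_oncall          # 6. page the on-call channel with case id and summary
        type: slack                  # assumed type name
        connector-id: slack-secops   # assumed connector id
        with:
          message: "[{{ event.alerts[0].kibana.alert.severity }}] case {{ steps.open_case.output.id }}: {{ steps.triage_summary.output }}"
    else:
      - name: log_low_severity       # low/medium: record only, no case and no page
        type: elasticsearch.index    # assumed type name
        with:
          index: workflow-triage-log
          document: { alert_id: "{{ event.alerts[0]._id }}", action: "logged" }
```

Before the `notify_oncall` step takes any containment action, insert a `waitForInput` step from the human-in-the-loop pattern so an analyst confirms the case before a host is isolated or a user is blocked.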

For a complete YAML example that creates a case from a step output, refer to the [Chain steps to move output data](/elastic/docs-content/tree/main/explore-analyze/workflows/authoring-techniques/pass-data-handle-errors#workflows-chain-steps-example) example.

## Learn more

- [Alert triggers](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/triggers/alert-triggers): Configure a detection or alerting rule to invoke a workflow.
- [Cases action steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/steps/cases): 27 step types for working with Elastic Security cases.
- [Kibana action steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/steps/kibana): Reference for alert-management and other Kibana API actions.
- [AI steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/steps/ai-steps): Reference for `ai.prompt`, `ai.classify`, `ai.summarize`, and `ai.agent` steps.
- [Human-in-the-loop](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/workflows/authoring-techniques/human-in-the-loop): Pause for reviewer approval before destructive actions.
- [Elastic Agent Builder for Elastic Security](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/solutions/security/ai/agent-builder/agent-builder): How Agent Builder integrates with Security workflows.
- [Call Elastic Agent Builder agents from Elastic Workflows](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/explore-analyze/ai-features/agent-builder/agents-and-workflows): Detailed patterns for invoking AI agents from workflow steps.
- [`elastic/workflows` GitHub repo](https://github.com/elastic/workflows): Security-focused example workflows you can adapt.