Skip to content

[Security] [9.4 / Serverless: Mar 10] Run workflows from Alerts table #5266

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
natasha-moore-elastic merged 5 commits into from
Mar 19, 2026
Merged

[Security] [9.4 / Serverless: Mar 10] Run workflows from Alerts table #5266

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
dc01193
[Security] Run workflows from Alerts table
natasha-moore-elastic Feb 23, 2026
98f42b1
Merge branch 'main' into issue-5093-wf-from-alerts
natasha-moore-elastic Mar 19, 2026
515fe0f
Merge branch 'main' into issue-5093-wf-from-alerts
natasha-moore-elastic Mar 19, 2026
715225f
Merge branch 'main' into issue-5093-wf-from-alerts
natasha-moore-elastic Mar 19, 2026
5f3c4cf
Merge branch 'main' into issue-5093-wf-from-alerts
natasha-moore-elastic Mar 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions solutions/security/detect-and-alert/manage-detection-alerts.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -147,6 +147,7 @@ Access actions from the **More actions** (**…**) menu in the Alerts table, or
|--------|-------------|
| [Change status](#detection-alert-status) | Mark as open, acknowledged, or closed |
| [Add to case](/explore-analyze/cases/attach-objects-to-cases.md) | Attach alert to a new or existing case |
| {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` [Run a workflow from an alert](#run-workflow-from-alert) | Run an Elastic workflow for on-demand response or investigation |
| [Add rule exception](#add-exception-from-alerts) | Prevent rule from generating similar alerts |
| [Add {{elastic-endpoint}} exception](/solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) | Prevent {{elastic-endpoint}} alerts for specific conditions |
| [Apply alert tags](#apply-alert-tags) | Categorize alerts for filtering |
Expand Down Expand Up @@ -200,6 +201,24 @@ When closing alerts, you can specify a reason:

The closing reason is stored in `kibana.alert.workflow_reason` and can be used for filtering. Reopening an alert removes this field.

### Run a workflow from an alert [run-workflow-from-alert]
```yaml {applies_to}
stack: ga 9.4+
serverless: ga
```

You can run an [Elastic workflow](/explore-analyze/workflows.md) directly from an alert to trigger an on-demand response or investigation. To use this feature, make sure you meet the [workflows prerequisites](/explore-analyze/workflows/get-started.md#workflows-prerequisites).

To run a workflow on an individual alert, do one of the following:

* In the Alerts table, click **More actions** ({icon}`boxes_vertical`) in an alert's row, then click **Run workflow**. Use the search bar to select a workflow, then click **Run workflow**.
* In an alert's details flyout, click **Take action → Run workflow**. Use the search bar to select a workflow, then click **Run workflow**.

::::{note}
You can select only enabled workflows.
::::

To run a workflow on multiple alerts, select the alerts, then click **Selected *x* alerts** at the upper-left above the table. Click **Run workflow**, select a workflow, then click **Run workflow**.

### Apply alert tags [apply-alert-tags]

Expand Down
Loading