Menu
Reference the workflows example library when answering questions about Elastic Workflows YAML syntax, structure, patterns, or examples. Use when the user asks about workflows, YAML syntax, workflow steps, triggers, Liquid templating, or needs examples of workflow patterns.
Based on SOC occupation classification
Register and implement custom workflow steps from an external Kibana plugin using `@kbn/workflows-extensions`. Use when adding or modifying a step type with `registerStepDefinition`, designing input/output/config Zod schemas, implementing `createServerStepDefinition` / `createPublicStepDefinition`, choosing `StepCategory`, building `editorHandlers` (selection / dynamicSchema), wiring `callKibanaApi` / `onCancel`, deciding sync vs async loader registration, updating `APPROVED_STEP_DEFINITIONS`, or reviewing PRs that touch any of these.
Register and implement custom workflow triggers from an external Kibana plugin using `@kbn/workflows-extensions`. Use when adding or modifying an event-driven trigger with `registerTriggerDefinition`, designing `eventSchema` Zod schemas, writing `documentation` and KQL `snippets`, wiring `emitEvent` via request context or `getClient`, choosing sync vs async public loader registration, updating `APPROVED_TRIGGER_DEFINITIONS`, or reviewing PRs that touch any of these. Always ask for the user's plugin id first to locate the correct plugin and file paths.
Register and roll out managed workflows from a Kibana plugin using `@kbn/workflows-extensions` and `@kbn/workflows/managed`. Use when adding or modifying a code-owned workflow definition, `registerManagedWorkflowOwner`, `initManagedWorkflowsClient`, `install` / `uninstall` / `ready`, choosing `lifecycle` / `versionStrategy` / `enablement`, authoring `yaml` vs `yamlTemplate`, space-scoped vs global installs, `getWorkflowStatus`, or `execute`, or reviewing PRs that touch managed workflow definitions or rollout. Always ask for the user's plugin id first to locate the correct plugin and definition file paths.
Implement and quality-check OpenTelemetry metric instrumentation in Kibana code that uses `@kbn/metrics`. Use whenever the user wants to add, change, or review OTel metrics — including any call to `metrics.getMeter`, `meter.createCounter`/`createUpDownCounter`/`createGauge`/`createHistogram`/`createObservable*`/`addBatchObservableCallback`, edits to `kibana.yml` `telemetry.metrics` config, or questions like "is this metric well-designed?", "what should I name this counter?", or "which instrument type is right here?". Trigger this skill even when the user does not say "OTel" or "OpenTelemetry" but is clearly adding observability to Kibana server code and already knows what they want to measure.
Primary guided playbook for Elasticsearch search in Kibana Agent Builder: intent → data → mapping → Dev Tools API snippets (SENSE), with one question at a time. Load this skill whenever the user wants to learn Elasticsearch search, get started, begin building, take first steps, onboard, follow a walkthrough or tutorial, go from zero to a working query, or get structured help setting up indices and search — including casual openers like hi, help, getting started, new to Elasticsearch, how do I build search, or I want to try search. Use when they need end-to-end onboarding, not a single narrow API answer. If they only ask what they can build with Elastic (exploration without the full playbook), prefer invoking /use-case-library first; you can still load this skill afterward for the guided build.
Topic-driven, hands-on Elasticsearch tutorial flow that runs in Kibana Dev Console. Use whenever the user says "walk me through", "give me a tutorial for", "teach me", "show me how X works", "tutorial on", or similar topical learning intent — and they are NOT asking you to build their real, specific use case. Topics are open-ended: any Elasticsearch / Kibana search concept the user names (e.g. mappings, analyzers, bool queries, semantic_text, kNN, RRF, aggregations, ingest pipelines, reranking, data streams, ES|QL). Tutorials use sample data on isolated resources, present every step as a SENSE snippet to run in Dev Tools, and end with cleanup plus pointers to docs and the onboarding / pattern skills.
| name | workflows-yaml-reference |
| description | Reference the workflows example library when answering questions about Elastic Workflows YAML syntax, structure, patterns, or examples. Use when the user asks about workflows, YAML syntax, workflow steps, triggers, Liquid templating, or needs examples of workflow patterns. |
This skill helps you reference the workflows example library located at https://github.com/elastic/workflows when answering questions about Elastic Workflows YAML syntax.
Use this skill when the user asks about:
The workflows example library is located at:
https://github.com/elastic/workflows
Always reference these files for comprehensive information:
The library is organized by use case:
| Category | Path | Description |
|---|---|---|
| Examples | workflows/examples/ | Getting started demos |
| Security | workflows/security/ | Detection, response, enrichment |
| Integrations | workflows/integrations/ | Splunk, Slack, Jenkins, JIRA, etc. |
| Search | workflows/search/ | ES|QL, semantic search |
| AI Agents | workflows/ai-agents/ | AI-powered automation |
| Data | workflows/data/ | ETL and data management |
| Utilities | workflows/utilities/ | Common utility workflows |
| Observability | workflows/observability/ | Monitoring and analysis |
Every workflow follows this structure:
name: "Workflow Name" # Required
description: "What it does" # Optional
tags: ["category", "type"] # Optional
triggers: # Optional (defaults to manual)
- type: manual | scheduled | alert
consts: # Optional - workflow constants
api_key: "value"
inputs: # Optional - runtime parameters
- name: param_name
type: string
required: true
steps: # Required - at least one step
- name: "step_name"
type: "action.type"
with:
param: value
When the user asks about specific patterns, reference these examples:
Example: workflows/examples/national-parks-demo.yaml
Example: workflows/security/enrichment/ip-reputation-check.yaml
Example: workflows/search/semantic-knowledge-search.yaml
Example: workflows/security/enrichment/rootcausefromdiscover.yaml
foreach.item)Example: workflows/security/detection/hash-threat-check.yaml
type: if stepsExample: Any workflow with scheduled trigger
every: "6h")workflows/integrations/slack/workflows/integrations/splunk/workflows/integrations/jira/workflows/integrations/jenkins/Workflows use Liquid templating extensively. Key concepts:
{{ consts.api_key }} # Constants
{{ inputs.target_ip }} # Runtime inputs
{{ steps.search.output.hits }} # Step outputs
{{ foreach.item._id }} # Loop context
{{ text | upcase }} # String manipulation
{{ items | size }} # Array length
{{ data | json }} # Convert to JSON
{{ value | default: "fallback" }} # Default values
{{ array | map: "name" }} # Extract property
{{ items | where: "status", "active" }} # Filter array
{%- if condition -%}
content
{%- elsif other -%}
other content
{%- else -%}
fallback
{%- endif -%}
{%- for item in items -%}
{{ item.name }}
{%- endfor -%}
When answering workflow questions:
Read relevant documentation first
docs/schema.mddocs/concepts.mdworkflows/Find relevant examples
Provide complete answers
Cite sources
When the user asks "How do I make an HTTP request in a workflow?", follow this approach:
docs/schema.md for the HTTP action syntaxworkflows/security/enrichment/*.yamlip-reputation-check.yamlFor complex questions:
https://liquidjs.com/filters/overview.html for filters