Elastic

Index documents into Elasticsearch and receive Kibana webhooks

To connect Elastic to SuperPlane:

  1. Paste your Elasticsearch URL and Kibana URL. In Elastic Cloud, open https://cloud.elastic.co/home and copy both endpoints from the same deployment under the manage section.
  2. In Settings, create an API key and paste it into SuperPlane. The key must be able to access Elasticsearch, Kibana cases, and Kibana connectors.

The When Alert Fires trigger starts a workflow execution when a Kibana alert rule fires via a webhook connector.

SuperPlane creates one Kibana Webhook connector per integration, shared across all triggers that use the same Kibana instance. Each incoming request is routed to the correct trigger using the eventType field in the request body — this trigger only processes requests where eventType is "alert_fired". Requests intended for other trigger types (e.g. "document_indexed") are silently ignored.

  1. Select the Kibana alert rule in SuperPlane and save the trigger.
  2. SuperPlane automatically creates or reuses the shared Kibana Webhook connector and attaches it to the selected rule if it is missing.

This provisioning happens when the live version is published. Autosave on a draft version does not create the connector.

SuperPlane configures the rule action body with these fields:

{
  "eventType": "alert_fired",
  "ruleId": "{{rule.id}}",
  "ruleName": "{{rule.name}}",
  "spaceId": "{{rule.spaceId}}",
  "tags": {{rule.tags}},
  "severity": "{{context.severity}}",
  "status": "{{rule.status}}"
}

The eventType field is required for routing. Kibana substitutes {{rule.id}} and {{rule.name}} at delivery time. Fields omitted from the body will not be filterable in SuperPlane.

Select at least one Rule. Additional filter fields are optional. When multiple values are provided in a list, any value matching is sufficient (OR). All active filter types must match simultaneously (AND across types).

Rule ID is the most reliable selector because rule names are user-editable. Use it when you need precise per-rule routing.

SuperPlane generates a random signing secret and configures the Kibana connector to include it on every request. Requests without the correct secret are rejected automatically.

Each received alert emits the parsed JSON body sent by Kibana directly as the event data. Use the workflow event timestamp to know when SuperPlane received it.

{
  "data": {
    "context": {
      "message": "Error rate exceeded threshold: 15%",
      "threshold": 10,
      "value": 15
    },
    "eventType": "alert_fired",
    "ruleId": "abc-123",
    "ruleName": "High error rate detected",
    "severity": "critical",
    "spaceId": "default",
    "status": "active",
    "tags": [
      "infrastructure",
      "prod"
    ]
  },
  "timestamp": "2026-03-12T09:00:00Z",
  "type": "elastic.alert"
}
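The receiving side of the shared connector, as an added illustration (not SuperPlane's own code): the secret check, routing on eventType, and the OR-within-a-list / AND-across-types filter rule applied to an alert body like the one above. The header name carrying the secret is an assumption; the page only says the connector includes it on every request.

```python
import hmac
import json

# Constructed sample: an alert body in the shape Kibana delivers for the page's action template.
SAMPLE_BODY = json.dumps({
    "eventType": "alert_fired", "ruleId": "abc-123", "ruleName": "High error rate detected",
    "spaceId": "default", "tags": ["infrastructure", "prod"], "severity": "critical",
    "status": "active",
    "context": {"message": "Error rate exceeded threshold: 15%", "threshold": 10, "value": 15},
})

# Filters as configured on one When Alert Fires trigger: a list per field means any value
# matches (OR); every field that has a non-empty list must match (AND across filter types).
ALERT_FILTERS = {"ruleId": ["abc-123", "def-456"], "severity": ["critical", "high"]}


def matches_filters(body, filters):
    """Apply the OR-within-list / AND-across-types rule to one alert body."""
    for field, allowed in filters.items():
        if not allowed:
            continue  # an empty list means this filter type is not active
        value = body.get(field)
        if value is None:
            return False  # a field omitted from the action body cannot match anything
        values = value if isinstance(value, list) else [value]
        if not any(v in allowed for v in values):
            return False
    return True


def handle_webhook(headers, raw_body, expected_secret, filters, event_type="alert_fired"):
    """Return (outcome, event); outcome is one of rejected, ignored, filtered, emitted."""
    # Assumption: the connector presents the signing secret in this header. Compare in
    # constant time so the check does not leak how many characters matched.
    presented = headers.get("X-SuperPlane-Secret", "")
    if not hmac.compare_digest(presented, expected_secret):
        return "rejected", None
    try:
        body = json.loads(raw_body)
    except ValueError:
        body = None
    if not isinstance(body, dict):
        return "rejected", None
    if body.get("eventType") != event_type:
        return "ignored", None  # addressed to another trigger sharing the connector
    if not matches_filters(body, filters):
        return "filtered", None
    return "emitted", {"data": body, "type": "elastic.alert"}
```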

The When Case Status Changes trigger fires a workflow execution when a Kibana Security case changes status.

SuperPlane creates one Kibana Webhook connector per integration, shared across Elastic triggers that use the same Kibana instance. Each incoming request is routed to the correct trigger instance using two fields in the request body:

  • eventType: must be "case_status_changed".
  • routeKey: a unique ID assigned per trigger node so multiple case-status triggers can coexist safely.

  1. When the trigger is saved, SuperPlane creates or reuses the shared Kibana Webhook connector.
  2. SuperPlane automatically provisions a Kibana Elasticsearch query rule against .kibana_alerting_cases using cases.updated_at as the time field.
  3. Every minute, that Kibana rule checks for case updates in the current window and fires the shared connector when matches are found.
  4. SuperPlane receives the webhook, verifies the secret, validates the routing fields, then queries Kibana for cases updated since the stored checkpoint.
  5. SuperPlane compares each returned case’s current status to the last status stored in trigger metadata and only emits when the value changed.
  6. SuperPlane emits one elastic.case.status.changed event per matching case whose status actually changed.

Provisioning happens when the live version is published. Autosave on a draft version does not create the connector or rule.

  • Cases: Select one or more specific cases to monitor.
  • Statuses (optional): Only fire when a case has one of these statuses. Leave empty to fire for any case update.
  • Severities (optional): Only fire for cases with one of these severities. Leave empty to accept all severities.
  • Tags (optional): Only fire for cases that include at least one tag matching any of these predicates. Leave empty to accept all cases.

The trigger emits the full case details including id, title, status, severity, version, tags, description, and timestamps.

{
  "data": {
    "createdAt": "2026-03-12T09:00:00.000Z",
    "description": "Elevated error rate detected in production.",
    "id": "3c0a2b10-4e5f-11ee-be56-0242ac120002",
    "severity": "high",
    "status": "in-progress",
    "tags": [
      "production",
      "incident"
    ],
    "title": "Production incident",
    "updatedAt": "2026-03-12T10:00:00.000Z",
    "version": "WzE3LDFd"
  },
  "timestamp": "2026-03-12T10:00:00Z",
  "type": "elastic.case.status.changed"
}
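Steps 4 to 6 of the procedure above and the Cases/Statuses/Severities/Tags configuration, worked through as an added example (not SuperPlane's own code): the trigger keeps a checkpoint and a last-known status per case, skips cases already covered by the checkpoint, and emits only when the status actually changed. The metadata field names and the shape of the Kibana cases result are assumptions; tag predicates are simplified to exact match.

```python
from datetime import datetime

ISO_MS = "%Y-%m-%dT%H:%M:%S.%fZ"
CASE_A = "3c0a2b10-4e5f-11ee-be56-0242ac120002"


def fresh_state():
    # Constructed: trigger metadata persisted between webhook deliveries (field names assumed).
    return {"checkpoint": "2026-03-12T09:00:00.000Z", "last_status": {CASE_A: "open", "case-b": "open"}}


# Constructed: two cases a Kibana cases query might return after the rule fires. The first
# changed status; the second was updated (e.g. a comment was added) but its status did not.
CASES_PAGE = [
    {"id": CASE_A, "title": "Production incident", "status": "in-progress", "severity": "high",
     "tags": ["production", "incident"], "version": "WzE3LDFd",
     "created_at": "2026-03-12T09:00:00.000Z", "updated_at": "2026-03-12T10:00:00.000Z"},
    {"id": "case-b", "title": "Noisy host", "status": "open", "severity": "low", "tags": ["lab"],
     "version": "WzQsMV0=", "created_at": "2026-03-11T08:00:00.000Z", "updated_at": "2026-03-12T09:30:00.000Z"},
]
CONFIG = {"cases": {CASE_A, "case-b"}, "statuses": [], "severities": ["high", "critical"], "tags": []}


def case_selected(case, cfg):
    """Configuration semantics: Cases is required; an empty optional list accepts everything."""
    if case["id"] not in cfg["cases"]:
        return False
    if cfg["statuses"] and case["status"] not in cfg["statuses"]:
        return False
    if cfg["severities"] and case["severity"] not in cfg["severities"]:
        return False
    return not cfg["tags"] or any(t in cfg["tags"] for t in case["tags"])


def process_case_updates(cases, state, cfg):
    """Emit one event per selected case whose status changed, then advance the checkpoint."""
    checkpoint = datetime.strptime(state["checkpoint"], ISO_MS)
    newest, events = checkpoint, []
    for case in cases:
        updated = datetime.strptime(case["updated_at"], ISO_MS)
        if updated <= checkpoint:
            continue  # already handled by a previous poll
        newest = max(newest, updated)
        previous = state["last_status"].get(case["id"])
        state["last_status"][case["id"]] = case["status"]  # remember even if filtered out
        if case["status"] == previous or not case_selected(case, cfg):
            continue  # updated for some other reason, or not a case this trigger watches
        events.append({"type": "elastic.case.status.changed", "data": {
            "id": case["id"], "title": case["title"], "status": case["status"],
            "severity": case["severity"], "tags": case["tags"], "version": case["version"],
            "createdAt": case["created_at"], "updatedAt": case["updated_at"]}})
    state["checkpoint"] = newest.strftime(ISO_MS)[:-4] + "Z"  # keep millisecond precision
    return events
```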

The On Document Indexed trigger starts a workflow execution when a new document is indexed into an Elasticsearch index.

SuperPlane creates one Kibana Webhook connector per integration, shared across all triggers that use the same Kibana instance. Each incoming request is routed to the correct trigger instance using two fields in the request body:

  • eventType: must be "document_indexed" — requests with any other value are silently ignored, allowing the shared connector to serve both this trigger and others (e.g. When Alert Fires).
  • routeKey: a unique ID assigned per trigger node — allows multiple On Document Indexed nodes on the same canvas to each react only to their own Kibana rule.

  1. When the trigger is saved, SuperPlane creates or reuses the shared Kibana Webhook connector and provisions a Kibana Elasticsearch query rule for the configured index.
  2. Every minute, the rule checks for documents with an @timestamp value within the current window. When matches are found, Kibana fires the connector.
  3. SuperPlane receives the webhook, queries Elasticsearch for all documents newer than its stored checkpoint, and emits one event per document.

Provisioning happens when the live version is published. Autosave on a draft version does not create the connector or rule.

  • Index: The Elasticsearch index to monitor for new documents.

Note: This trigger requires an @timestamp field mapped as date on indexed documents. Documents without that field will be missed. To ensure all documents are captured, configure an ingest pipeline on the index to auto-populate the field if absent:

{ "set": { "field": "@timestamp", "value": "{{{_ingest.timestamp}}}", "override": false } }

SuperPlane generates a random signing secret and configures the Kibana connector to include it on every request. Requests without the correct secret are rejected automatically.

The webhook acts as a signal. When it fires, SuperPlane queries Elasticsearch for documents newer than the stored checkpoint and emits one event per document containing its ID, index, and full source.

{
  "data": {
    "id": "doc-1",
    "index": "workflow-audit",
    "source": {
      "@timestamp": "2026-03-12T09:00:00Z",
      "message": "deployment started",
      "service": "api"
    }
  },
  "timestamp": "2026-03-12T09:00:00Z",
  "type": "elastic.document.indexed"
}
```
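Why the note above recommends the ingest pipeline, as an added example (not SuperPlane's or Elastic's code): a small emulation of the set processor from the note and of the trigger's "newer than the checkpoint" query, run over constructed documents with and without @timestamp. It also shows the second way a document is missed: an @timestamp older than the stored checkpoint. The emulation handles only the one Mustache template the note uses.

```python
from datetime import datetime, timezone

# The ingest processor the page recommends for the monitored index.
SET_TIMESTAMP = {"set": {"field": "@timestamp", "value": "{{{_ingest.timestamp}}}", "override": False}}

# Constructed: three documents as an application might index them. Only doc-1 and doc-3
# carry @timestamp; doc-3's value lies before the checkpoint (a late-arriving event).
DOCS = [
    {"_id": "doc-1", "@timestamp": "2026-03-12T09:00:00Z", "message": "deployment started", "service": "api"},
    {"_id": "doc-2", "message": "deployment finished", "service": "api"},
    {"_id": "doc-3", "@timestamp": "2026-03-11T23:00:00Z", "message": "late-arriving event", "service": "api"},
]
INGEST_TIME = datetime(2026, 3, 12, 9, 5, tzinfo=timezone.utc)  # constructed ingest clock
CHECKPOINT = "2026-03-12T08:00:00Z"                               # constructed stored checkpoint


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def apply_set_processor(doc, processor, ingest_time):
    """Emulate the ingest 'set' processor for the page's template only (assumption: a real
    pipeline resolves any Mustache expression, not just {{{_ingest.timestamp}}})."""
    spec = processor["set"]
    if spec["field"] in doc and not spec.get("override", True):
        return dict(doc)  # override:false keeps a value the client already supplied
    value = spec["value"]
    if value == "{{{_ingest.timestamp}}}":
        value = ingest_time.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {**doc, spec["field"]: value}


def docs_newer_than(docs, checkpoint):
    """Emulate the trigger's follow-up query: only documents whose @timestamp is present and
    newer than the stored checkpoint are emitted; documents without the field are missed."""
    cp = parse_ts(checkpoint)
    return [d["_id"] for d in docs if "@timestamp" in d and parse_ts(d["@timestamp"]) > cp]


def demo():
    """Return what the trigger emits without and with the pipeline, plus doc-3's kept timestamp."""
    without = docs_newer_than(DOCS, CHECKPOINT)
    piped = [apply_set_processor(d, SET_TIMESTAMP, INGEST_TIME) for d in DOCS]
    return without, docs_newer_than(piped, CHECKPOINT), piped[2]["@timestamp"]
```

Even with the pipeline, doc-3 is not emitted because its own @timestamp predates the checkpoint, so the pipeline closes the missing-field gap but not the backdated-timestamp one.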

The Create Case component opens a new case in Kibana Security.

  • Title: The case title
  • Severity: Case severity (low, medium, high, or critical)
  • Owner: The Kibana application that owns the case
  • Description: A description of the case
  • Tags: Optional list of tags to attach to the case

The component emits an event containing:

  • id: The case ID assigned by Kibana
  • title: The case title
  • status: The initial case status
  • severity: The case severity
  • version: The case version (can be provided to later updates for explicit optimistic locking)
  • createdAt: The timestamp when the case was created

{
  "data": {
    "createdAt": "2026-03-12T09:00:00.000Z",
    "id": "3c0a2b10-4e5f-11ee-be56-0242ac120002",
    "severity": "high",
    "status": "open",
    "title": "Production incident",
    "version": "WzE2LDFd"
  },
  "timestamp": "2026-03-12T09:00:00Z",
  "type": "elastic.case.created"
}

The Get Case component retrieves an existing case from Kibana Security by its ID.

  • Case: The Kibana case to retrieve

The component emits an event containing:

  • id: The case ID
  • title: The case title
  • description: The case description
  • status: The case status
  • severity: The case severity
  • tags: The case tags
  • version: The current case version returned by Kibana
  • createdAt: The timestamp when the case was created
  • updatedAt: The timestamp when the case was last updated

{
  "data": {
    "createdAt": "2026-03-12T09:00:00.000Z",
    "description": "Elevated error rate detected in production.",
    "id": "3c0a2b10-4e5f-11ee-be56-0242ac120002",
    "severity": "high",
    "status": "open",
    "tags": [
      "production",
      "incident"
    ],
    "title": "Production incident",
    "updatedAt": "2026-03-12T10:00:00.000Z",
    "version": "WzE2LDFd"
  },
  "timestamp": "2026-03-12T09:00:00Z",
  "type": "elastic.case.retrieved"
}

The Get Document component retrieves a JSON document from an Elasticsearch index by its ID.

  • Index: The Elasticsearch index to read from
  • Document: The document to retrieve

The component emits an event containing:

  • id: The document ID
  • index: The index the document was read from
  • version: The document version number
  • source: The document fields

{
  "data": {
    "id": "aB3kLmN4oPqR",
    "index": "workflow-audit",
    "source": {
      "env": "production",
      "message": "deployment started"
    },
    "version": 3
  },
  "timestamp": "2026-03-12T09:00:00Z",
  "type": "elastic.document.retrieved"
}

The Index Document component writes a JSON document to an Elasticsearch index.

  • Audit logging: Record workflow actions in Elasticsearch for centralized search and dashboards
  • Incident records: Index structured incident data for analysis and alerting
  • Workflow output: Store results from any workflow step for downstream querying

  • Index: The Elasticsearch index name to write to (e.g. workflow-audit)
  • Document: The JSON object to index. The editor starts with an @timestamp template so documents are compatible with On Document Indexed by default.
  • Document ID (optional): A stable ID for idempotent writes. If omitted, Elasticsearch generates one automatically. Providing an ID means re-runs update the existing document rather than creating a duplicate.

The component emits an event containing:

  • id: The document ID assigned by Elasticsearch
  • index: The index the document was written to
  • result: Operation result (created or updated)
  • version: The document version number

{
  "data": {
    "id": "aB3kLmN4oPqR",
    "index": "workflow-audit",
    "result": "created",
    "version": 1
  },
  "timestamp": "2026-03-12T09:00:00Z",
  "type": "elastic.document.indexed"
}

The Update Case component applies a partial update to an existing Kibana Security case.

  • Case: The Kibana case to update
  • Title: New title for the case (optional)
  • Description: New description for the case (optional)
  • Status: New status for the case (optional)
  • Severity: New severity for the case (optional)
  • Tags: New tags for the case (optional)

The component emits an event containing:

  • id: The case ID
  • title: The updated case title
  • status: The updated case status
  • severity: The updated case severity
  • version: The new case version
  • updatedAt: The timestamp when the case was last updated

{
  "data": {
    "id": "3c0a2b10-4e5f-11ee-be56-0242ac120002",
    "severity": "high",
    "status": "in-progress",
    "title": "Production incident",
    "updatedAt": "2026-03-12T10:00:00.000Z",
    "version": "WzE3LDFd"
  },
  "timestamp": "2026-03-12T09:00:00Z",
  "type": "elastic.case.updated"
}

The Update Document component applies a partial update to an existing document in an Elasticsearch index.

  • Index: The Elasticsearch index containing the document
  • Document: The document to update
  • Fields: The fields to merge into the existing document (partial update). The editor starts with an @timestamp template for convenience.

The component emits an event containing:

  • id: The document ID
  • index: The index the document belongs to
  • result: Operation result (updated)
  • version: The new document version number

{
  "data": {
    "id": "aB3kLmN4oPqR",
    "index": "workflow-audit",
    "result": "updated",
    "version": 4
  },
  "timestamp": "2026-03-12T09:00:00Z",
  "type": "elastic.document.updated"
}