elastic · nastasha-solomon · Jan 28, 2026 · Jan 20, 2026 · Jan 20, 2026 · Jan 21, 2026
@@ -402,4 +402,35 @@ toc:
           - file: alerts-cases/cases/manage-cases.md
           - file: alerts-cases/cases/manage-cases-settings.md
           - file: alerts-cases/cases/cases-as-data.md   
-  - file: numeral-formatting.md
+  - file: workflows.md
+    children:
+      - file: workflows/setup.md
+      - file: workflows/get-started.md
+      - file: workflows/core-components.md
+        children:
+          - file: workflows/triggers.md
+            children:
+              - file: workflows/triggers/manual-triggers.md
+              - file: workflows/triggers/scheduled-triggers.md
+              - file: workflows/triggers/alert-triggers.md
+          - file: workflows/steps.md
+            children:
+              - file: workflows/steps/action-steps.md
+                children:
+                  - file: workflows/steps/elasticsearch.md
+                  - file: workflows/steps/kibana.md                  
+                  - file: workflows/steps/external-systems-apps.md
+              - file: workflows/steps/flow-control-steps.md
+                children:
+                  - file: workflows/steps/if.md
+                  - file: workflows/steps/foreach.md
+                  - file: workflows/steps/wait.md
+      - file: workflows/data.md
+        children:
+          - file: workflows/data/templating.md
+      - file: workflows/author-workflows.md
+      - file: workflows/monitor-troubleshoot.md
+      - file: workflows/manage-workflows.md
+      - hidden: workflows/use-cases.md
+      - file: workflows/templates.md
+  - file: numeral-formatting.md
@@ -0,0 +1,107 @@
+---
+applies_to:
+  stack: preview 9.3
+  serverless: preview
+description: Learn about Elastic workflows. 
+---
+
+# Workflows [workflows-overview]
+
+A workflow is a defined sequence of steps designed to achieve a specific outcome through automation. It is a reusable, versionable "recipe" that transforms inputs into actions.
+
+## Why use workflows [workflows-why]
+
+Insight into your data isn't enough. The ultimate value lies in action and outcomes. Workflows complete the journey from data to insights to automated outcomes. Your critical operational data already lives in the Elastic cluster: security events, infrastructure metrics, application logs, and business context. Workflows let you automate end-to-end processes to achieve outcomes directly where that data lives, without needing external automation tools.
+
+Workflows address common operational challenges, such as:
+
+* **Alert fatigue**: Automate responses to reduce manual triage.
+* **Understaffing**: Enable teams to do more with fewer resources.
+* **Manual, repetitive work**: Automate routine tasks consistently.
+* **Tool fragmentation**: Eliminate the need to add on external automation tools.
+
+Workflows can handle a wide range of tasks, from simple, repeatable steps to complex processes.
+
+## Who should use workflows [workflows-who]
+
+Workflows are for you if you want to cut down on manual effort, speed up response times, and make sure recurring situations are handled consistently.
+
+## Key concepts [workflows-concepts]
+
+Some key concepts to understand while working with workflows: 
+
+* **Triggers**: The events or conditions that initiate a workflow. Refer to [](/explore-analyze/workflows/triggers.md) to learn more.
+* **Steps**: The individual units of logic or action that make up a workflow. Refer to [](/explore-analyze/workflows/steps.md) to learn more.
+* **Data**: How data flows through your workflow, including inputs, constants, context variables, step outputs, and Liquid templating for dynamic values. Refer to [](/explore-analyze/workflows/data.md) to learn more.
+
+## Workflow structure [workflow-structure]
+
+Workflows are defined in YAML. In the YAML editor, describe _what_ the workflow should do, and the platform handles execution.
+
+```yaml
+# ═══════════════════════════════════════════════════════════════
+# METADATA - Identifies and describes the workflow
+# ═══════════════════════════════════════════════════════════════
+name: My Workflow                    # Required: Unique identifier 
+description: What this workflow does # Optional: Shown in UI
+enabled: true                        # Optional: Enable or disable execution
+tags: ["demo", "production"]         # Optional: For organizing workflows
+
+# ═══════════════════════════════════════════════════════════════
+# CONSTANTS - Reusable values defined once, used throughout
+# ═══════════════════════════════════════════════════════════════
+consts:
+  indexName: "my-index"
+  environment: "production"
+  alertThreshold: 100
+  endpoints:                          # Can be objects/arrays
+    api: "https://api.example.com"
+    backup: "https://backup.example.com"
+
+# ═══════════════════════════════════════════════════════════════
+# INPUTS - Parameters passed when the workflow is triggered
+# ═══════════════════════════════════════════════════════════════
+inputs:
+  - name: environment
+    type: string
+    required: true
+    default: "staging"
+    description: "Target environment"
+  - name: dryRun
+    type: boolean
+    default: true
+
+# ═══════════════════════════════════════════════════════════════
+# TRIGGERS - How/when the workflow starts
+# ═══════════════════════════════════════════════════════════════
+triggers:
+  - type: manual                      # User clicks Run button
+  # - type: scheduled                  # Runs on a schedule
+  #   with:
+        every: 1d
+  # - type: alert                     # Triggered by an alert
+
+# ═══════════════════════════════════════════════════════════════
+# STEPS - The actual workflow logic (executed in order)
+# ═══════════════════════════════════════════════════════════════
+steps:
+  - name: step_one
+    type: elasticsearch.search
+    with:
+      index: "{{consts.indexName}}"   # Reference constants
+      query:
+        match_all: {}
+
+  - name: step_two
+    type: console
+    with:
+      message: |
+        Environment: {{inputs.environment}}              # Reference inputs
+        Found: {{steps.step_one.output.hits.total.value}} # Reference step output
+
+```
+
+## Learn more
+
+- To create and run your first workflow, refer to [](/explore-analyze/workflows/get-started.md).
+- Understand how to use the YAML editor in {{kib}} to define and run your workflows. Refer to [](/explore-analyze/workflows/author-workflows.md) to learn more.
@@ -0,0 +1,35 @@
+---
+applies_to:
+  stack: preview 9.3
+  serverless: preview
+description: Reference guide for the workflow YAML editor interface.
+---
+
+# Author workflows [workflows-yaml-editor]
+
+The YAML editor is the primary interface for creating and editing workflows. This page describes the editor's components and features.
+
+::::{admonition} Requirements
+To use workflows, you must turn on the feature and ensure your role has the appropriate privileges. Refer to [](setup.md) for more information.
+
+You must also have the appropriate subscription. Refer to the subscription page for [Elastic Cloud](https://www.elastic.co/subscriptions/cloud) and [Elastic Stack/self-managed](https://www.elastic.co/subscriptions) for the breakdown of available features and their associated subscription tiers.
+::::
+
+
+:::{image} /explore-analyze/images/workflows-editor.png
+:alt: A view of Workflows editor
+:screenshot:
+:::
+
+## Editor layout [workflows-editor-layout]
+
+The editor layout is composed of the following elements:
+
+| Component | Description |
+|-----------|-------------|
+| **Editor pane** | The main area for writing and editing workflows. To learn more about the expected workflow structure, refer to [](/explore-analyze/workflows.md) |
+| **Actions menu** | A quick-add menu for pre-formatted [triggers](triggers.md) and [step types](steps.md).  |
+| **Save button** | Saves the current workflow. |
+| **Run button** | Manually runs the entire workflow or an individual step. <br> - Entire workflow: Click the **Run** icon {icon}`play` (next to **Save**).  <br> - Individual step: Select the step in the editor pane, then click the **Run** icon {icon}`play`.   |
+| **Executions tab** | Shows [execution history](monitor-troubleshoot.md) and real-time logs. |
+| **Validation logs** | Shows validation successes and failures. Some common validation errors include: <br> - Invalid YAML syntax because of incorrect indentation or formatting <br> - Missing a required field or property (for example, `name`, `type`) <br> - The step type is unknown or doesn't match a valid action <br> - Invalid template syntax because of malformed template expression|
@@ -0,0 +1,34 @@
+---
+applies_to:
+  stack: preview 9.3
+  serverless: preview
+description: Learn about the core components that make up Elastic workflows. 
+---
+
+# Core components
+
+Workflows are composed of three core elements that make workflow automation possible: triggers, steps, and connectors. Together, these components define when workflows run, what they do, and what external systems they connect to.
+
+## Triggers
+
+Triggers define _when_ a workflow runs. A trigger is an event or condition that initiates a workflow, such as an alert firing or a scheduled time occurring. Every workflow begins with a trigger.
+
+Examples of triggers include:
+
+* A user runs a workflow manually
+* A specific time or interval is reached
+* A detection alert is generated
+
+For more information, refer to [](/explore-analyze/workflows/triggers.md).
+
+## Steps
+
+Steps define _what_ a workflow does. A step is an individual unit of logic or action within a workflow. Steps control how data moves, how decisions are made, and what results are produced. Workflows can contain one or more steps, executed in sequence.
+
+For more information, refer to [](/explore-analyze/workflows/steps.md).
+
+## {{connectors-ui}}
+
+{{connectors-ui}} define _where_ workflows can reach. A connector is the interface between {{kib}} and an external system, allowing workflows to act on or respond to events and services outside of {{kib}}.
+
+For more information, refer to [](/explore-analyze/workflows/steps/external-systems-apps.md#connector-based-actions).