All use cases
SecOps

Threat Alert Triage

Enrich security alerts with asset and user context, deduplicate repeat signals, and route each incident to the right responder based on severity.

ElasticsearchPagerDutyJira

The problem

Security tooling produces far more alerts than a team can read, and most arrive without the asset or identity context needed to judge them. Analysts burn hours re-querying the same systems for every alert, and duplicates of one incident get triaged three times. Real threats wait in the same queue as noise.

How it runs on Neblex

A Neblex flow watches your Elasticsearch alert indices with poll-based change detection, or receives alerts directly over webhooks from your detection tooling. Dedup with matching rules collapses repeated signals for the same host, user, or rule into a single working incident, with state held in Data Tables.

Enrichment runs as a parallel fan-out with bounded concurrency: asset ownership, user details, and recent related events are gathered from Elasticsearch and your inventory sources at the same time rather than one by one. Conditional branching then routes by severity: high-severity incidents page the on-call responder through PagerDuty, while lower ones become Jira tickets in the right team queue.

Per-step retries keep a flaky enrichment source from dropping an alert, and event-sourced run history shows exactly what was looked up and decided for each one. If a downstream system was unavailable, bulk replay reprocesses the affected runs from the step that failed.

Step by step

1

Ingest new alerts

Alerts arrive via webhooks or are picked up from Elasticsearch indices with poll-based change detection.

2

Deduplicate repeat signals

Matching rules collapse alerts that share host, user, or detection rule into one incident, tracked in Data Tables.

3

Enrich in parallel

A parallel fan-out gathers asset ownership, user context, and related events with bounded concurrency.

4

Route by severity

Conditional branching pages on-call through PagerDuty for high severity and files Jira tickets for the rest.

5

Handle failures cleanly

Per-step retries cover transient enrichment errors, and failed runs can be replayed from the exact step that broke.

Platform capabilities used

  • Webhook triggers
  • Poll-based change detection
  • Dedup via matching rules
  • Parallel fan-out with bounded concurrency
  • Conditional branching
  • Bulk replay

Common questions

Can this run inside our network next to Elasticsearch?

Yes. On-Prem Workers run flows inside your own network, so alert and log data for those flows is processed inside your network. The worker connects outbound only, with no inbound access required.

How does deduplication actually work?

Matching rules define which fields identify the same incident, such as host, user, and detection rule. Incoming alerts that match an open incident attach to it instead of creating a new ticket, with state kept in Data Tables.

What if PagerDuty or Jira is briefly unavailable?

Each step retries on its own policy, and a run that still fails can be replayed from the failed step once the system recovers. Bulk replay handles a backlog of affected runs in one action.

Want this running on your stack?

Neblex Integration Fabric is in beta: full platform, free while in beta. Bring this workflow and we will map it to your systems.