n8n

How to Automate Elasticsearch Outlook Incident Alerts?

Stay on top of system issues without watching dashboards all day. A scheduled job checks your Elasticsearch alerts and sends clear emails through Outlook so your team reacts fast. It fits IT and security teams that need quick notice when things break or look risky.

Here is how it works step by step. A Schedule Trigger runs on your chosen interval and calls an HTTP Request to your Elasticsearch alerts endpoint. An If check makes sure the response is not empty. The Split In Batches node loops through each alert item so every alert becomes its own email. Another HTTP Request posts to Microsoft Graph to send an HTML email with the alert name and details. If there are no alerts, the flow exits safely with no action. This turns raw alert data into readable messages that land in the right inbox.

Setup needs access to an Elasticsearch endpoint and a Microsoft 365 mailbox with permission to send mail. Tune the schedule to your incident rules, then map fields like alert name and severity into the email body. Expect fewer missed issues, faster triage, and less manual log checking. Useful for production incidents, security events, and application errors where timely email alerts keep teams informed.

What are the key features?

  • Scheduled polling of the alerts endpoint using a Schedule Trigger.
  • HTTP GET to Elasticsearch to fetch the latest alert data as JSON.
  • An If node checks for empty responses and avoids sending blank emails.
  • Split In Batches loops through each alert so every item becomes its own message.
  • A Microsoft Graph POST sends an HTML email with the alert name and details.
  • A No Operation branch safely ends the run when no alerts are found.

What are the benefits?

  • Reduce manual log checks from 60 minutes a day to 5 minutes.
  • Automate up to 90% of alert monitoring with scheduled runs.
  • Cut missed incidents by sending one email per alert item.
  • Connect Elasticsearch and Outlook for a single alert channel.
  • Handle higher alert volume by batching and looping items.

How do you set it up?

  1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
  2. You'll need accounts with Elasticsearch and Microsoft Graph. See the Tools Required section below for links to create accounts with these services.
  3. Open the Schedule Trigger node and set the interval that matches your response time goals, such as every 5 minutes or every hour. Save the node.
  4. Double-click the Get Elastic Alert HTTP Request node. Set the URL to your Elasticsearch alerts endpoint. If your cluster needs auth, on the 'Credential to connect with' dropdown click 'Create new credential' and follow the on-screen instructions to add an API Key or Basic Auth.
  5. In the same node, set any required headers such as Authorization and Content-Type. Click 'Execute Node' to confirm you get JSON alert data back.
  6. Check the If node labeled Response is not empty. Make sure it tests that the returned data contains items. Leave the default logic if it already checks for non-empty data.
  7. Open the Split In Batches node. Set batch size to 1 to send one email per alert. This helps clarity and reduces confusion when multiple alerts arrive at once.
  8. Double-click the Send Email Notification HTTP Request node. On 'Credential to connect with', choose OAuth2, click 'Create new credential', and follow the sign-in steps for Microsoft. Ensure the account has the Mail.Send permission.
  9. In the Send Email node, set the To recipients, subject, and HTML body. Use expressions like {{$json["alert_name"]}} and other fields from your alert payload to personalize each message.
  10. Run the workflow once with Test mode. Confirm the Execution list shows the loop sending an email for each alert. Check your inbox to verify formatting and delivery.
  11. If no emails arrive, verify the If node path, confirm Microsoft OAuth is connected, and compare your JSON field names with the expressions in the email body.
  12. Set the workflow to Active. Monitor runs over the next day and adjust the schedule or email fields as needed for noise reduction and clarity.
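As an added example (not part of the n8n template or its nodes), the script below mirrors the flow described above and in these steps: it extracts alerts from the Elasticsearch response, yields nothing when the response is empty (the If branch), and builds one Microsoft Graph sendMail request body per alert (batch size 1), HTML-escaping the alert fields before they go into the email body, which a bare {{$json["alert_name"]}} expression does not do. The response shape (hits.hits[]._source) and the field names alert_name, severity and message are assumptions; the sample response is constructed.

```javascript
// Constructed sample: a plain Elasticsearch search response is assumed
// (hits.hits[]._source); alert_name, severity and message are assumed
// field names, not the template's own mapping.
const SAMPLE_RESPONSE = {
  hits: {
    hits: [
      { _source: { alert_name: "Disk usage > 90%", severity: "high",
                   message: "node-3 data volume at 93%" } },
      { _source: { alert_name: "Failed logins", severity: "medium",
                   message: "42 failures for <admin> from 203.0.113.9" } },
    ],
  },
};

// Escape alert text before it is placed inside an HTML body, so a value
// containing markup is rendered literally instead of interpreted by the client.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Equivalent of the "Response is not empty" If node: a missing, empty or
// malformed hits array yields no items, so no email is built.
function extractAlerts(response) {
  const hits = response && response.hits && response.hits.hits;
  if (!Array.isArray(hits)) return [];
  return hits.map((h) => (h && h._source) || {});
}

// One Graph sendMail body per alert (what the loop posts with batch size 1).
function buildSendMailPayload(alert, recipient) {
  const name = String(alert.alert_name ?? "unnamed alert").replace(/[\r\n]+/g, " ");
  const severity = String(alert.severity ?? "unknown");
  const html =
    `<h2>${escapeHtml(name)}</h2>` +
    `<p><b>Severity:</b> ${escapeHtml(severity)}</p>` +
    `<pre>${escapeHtml(alert.message)}</pre>`;
  return {
    message: {
      subject: `[${severity.toUpperCase()}] ${name}`,
      body: { contentType: "HTML", content: html },
      toRecipients: [{ emailAddress: { address: recipient } }],
    },
    saveToSentItems: false,
  };
}

// Whole pipeline: alerts in, array of sendMail bodies out (empty when no alerts).
function buildEmails(response, recipient) {
  return extractAlerts(response).map((a) => buildSendMailPayload(a, recipient));
}

console.log(JSON.stringify(buildEmails(SAMPLE_RESPONSE, "soc@example.com"), null, 2));
```

Each returned object is the JSON body for a POST to the Graph sendMail endpoint; the constructed second alert shows why escaping matters, since its message contains angle brackets.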

Tools Required

  • n8n: $24 / mo or $20 / mo billed annually to use n8n in the cloud. However, the local or self-hosted n8n Community Edition is free.
  • Elasticsearch: Self-managed Basic: Free ($0)
  • Microsoft Graph: Exchange Online (Plan 1): $4.00 user / mo (annual)
