Elastic Agent Builder built-in agents reference
Built-in agents are pre-configured by Elastic with specific instructions and tools to handle common use cases.
The Elastic AI Agent is now a standard persisted default agent that is space-aware and modifiable. Refer to Elastic AI Agent for details.
You cannot modify or delete built-in agents. To customize one, you can clone it and create a custom agent.
The availability of specific agents depends on your solution view or serverless project type.
Built-in agents are space-agnostic: they are available across all Kibana spaces. The default Elastic AI Agent is an exception: it is created automatically per space and is only available in the space where it was created.
Built-in agents are space-agnostic: they are available across all Kibana spaces.
Elastic Observability and Elastic Security users must opt-in to use Elastic Agent Builder. To learn more, refer to Compare Agent Builder and AI Assistant > Switch between chat experiences.
The Elastic AI Agent is the default general-purpose agent for Elasticsearch. Unlike the other built-in agents, it is a standard persisted agent that is automatically created in each Kibana space when first accessed.
Because the default agent is space-aware, you can customize it independently for each space. You can change its instructions, adjust which tools it has access to, or clone it as a starting point for a new agent.
Default assigned tools:
The Elastic AI Agent is the default general-purpose agent for Elasticsearch. It is designed to help with a wide range of tasks, from writing ES|QL queries to exploring your data indices.
Assigned tools:
Previous versions
A specialized agent for logs, metrics, and traces. It is designed to assist with infrastructure monitoring and application performance troubleshooting.
Assigned tools:
- All Observability tools
- A subset of Platform core tools
A specialized agent for security alert analysis tasks, including alert investigation and Elastic Security documentation. It helps analysts triage alerts and understand complex security events. For more information and example use-cases, refer to Agent Builder for Elastic Security.
Assigned tools:
- All Security tools
- A subset of Platform core tools
The standalone Threat Hunting Agent is removed in 9.4. Threat hunting workflows now use the Elastic AI Agent with the threat-hunting skill enabled, which provides the same capabilities without switching between separate built-in agents. For Security-specific context, refer to Elastic AI Agent, skills, and tools in Elastic Security.
Migration path: Enable the threat-hunting skill on the Elastic AI Agent in place of that standalone agent. The skill ships with the same tool set and query templates previously bundled into the agent, plus platform core tools for generating and running ES|QL queries. For use cases and example prompts, refer to Security use cases for Elastic Agent Builder.