Elastic Agent Builder built-in skills reference

This page lists all built-in skills available in Elastic Agent Builder. Skills give agents domain-specific knowledge and tools for common task types. Built-in skills are read-only: you can't modify or delete them.

Tip

For an overview of how skills work in Elastic Agent Builder, refer to Skills in Elastic Agent Builder.

Skills are solution-scoped: the set of available built-in skills depends on your deployment type. Platform skills are available across all deployments. Observability, Security, and Elasticsearch skills are available in their respective serverless projects or solution views.

visualization-creation

Creates standalone or reusable Lens visualizations from index and field context. Use when a user asks for a chart, metric, trend, or breakdown visualization, or wants to update an existing one.

graph-creation

Creates graph attachments by transforming relationship data into nodes and edges rendered inline in the conversation. Use for topology, dependency, or entity-link visualizations.

dashboard-management

Composes and updates in-memory Kibana dashboards. Use when a user asks to find, create, or modify a dashboard, add or remove panels, or edit existing panel visualizations.

streams-exploration

Discovers, inspects, and queries Elasticsearch streams. Use when a user wants to list available streams, understand a stream's schema, check data quality or retention, or sample documents from a stream. This is a read-only skill: it cannot create, update, or delete streams or modify stream configuration.

observability.investigation
Answers observability questions and diagnoses issues across APM services and infrastructure. Use when a user asks about service health, error rates, latency, failed transactions, service topology, trace analysis, log patterns, SLO breaches, alert investigations, or general questions about services and their performance.

alert-analysis

Investigates Elastic Security alerts and recommends a disposition. Fetches alert context, finds related alerts that share entities (host.name, user.name, source.ip, destination.ip), correlates with Elastic Security Labs threat intelligence, and assesses severity. Use when investigating a specific alert, triaging alert queues, or understanding alert context.

Assigned tools: security.alerts, security.security_labs_search, security.entity_risk_score

Prerequisites: Entity risk scoring enabled so risk scores are available for involved hosts and users. To use threat intelligence correlation, install Security Labs documentation from GenAI Settings.

How to activate: In addition to the standard activation methods, this skill activates automatically when you attach an alert from the alert flyout in Elastic Security, which provides the alert context the skill needs.

entity-analytics

Finds and investigates security entities including hosts, users, services, and generic entities. Analyzes entity risk scores, asset criticality, and historical behavior, including signals from Security Machine Learning anomaly detection jobs. Use to discover risky entities or profile a specific entity by ID.

Assigned tools: security.get_entity, security.search_entities

Prerequisites: Entity risk scoring enabled and the entity store populated.

Related skills: find-security-ml-jobs for deeper investigation of anomalies surfaced during entity analysis.

find-security-ml-jobs

Investigates atypical behavior detected by Machine Learning jobs, including unusual access patterns, lateral movement, unexpected logins, suspicious domain activity, and large data transfers.

Assigned tools: platform.core.execute_esql, platform.core.generate_esql, security.get_entity

Prerequisites: Relevant Security Machine Learning jobs installed and running. For guidance, refer to Machine learning job and rule requirements.

threat-hunting

Runs hypothesis-driven threat hunts using iterative ES|QL exploration. Covers IOC search, anomaly identification, baseline behavioral comparison, and lateral movement tracking.

Assigned tools: platform.core.generate_esql, platform.core.execute_esql, platform.core.search, platform.core.list_indices, platform.core.get_index_mapping, platform.core.cases

detection-rule-edit

Creates and edits Elastic Security detection rules. Supports ES|QL rule type only. Use when a user asks to build a rule from natural language or edit rule fields such as severity, tags, MITRE ATT&CK mappings, schedule, or query.

Assigned tools: security.create_detection_rule, security.security_labs_search, platform.core.generate_esql, platform.core.product_documentation

Prerequisites: To ground rule drafting in threat research, install Security Labs documentation from GenAI Settings.

How to activate: This skill is attachment-driven and activates when a rule attachment is present in the conversation. You can start a rule attachment from the rule creation form, the rule details page, or by asking the agent to "create a detection rule" in chat — the skill creates the attachment and renders an Apply to creation or Update rule button so you can save the change to the rule form.

automatic_troubleshooting

Diagnoses Elastic Defend endpoint configuration issues such as endpoints not reporting, policy response failures, agent enrollment problems, or incompatible antivirus. Queries endpoint data, inspects package configuration, and produces structured findings with specific endpoint IDs and remediation steps. Registered only when the automaticTroubleshootingSkill experimental feature flag is enabled.

Assigned tools: platform.core.search, platform.core.get_document_by_id, platform.core.integration_knowledge

Prerequisites: Elastic Defend deployed and reporting. The automaticTroubleshootingSkill experimental feature flag must be enabled for the skill to appear.

search.catalog-ecommerce

Guides agents through building catalog and e-commerce search solutions on Elasticsearch.

search.elasticsearch-onboarding

Guides developers through building a complete search experience on Elasticsearch, from understanding requirements and designing an index mapping to generating and testing API snippets in Dev Tools.

search.hybrid-search

Guides agents through building hybrid search solutions that combine keyword and semantic search.

search.keyword-search

Guides agents through building keyword and full-text search solutions on Elasticsearch.

search.rag-chatbot

Guides agents through building retrieval-augmented generation chatbot solutions on Elasticsearch.

search.semantic-search

Guides agents through building semantic and vector search solutions on Elasticsearch.

search.use-case-library

Presents a library of Elasticsearch use cases when users want to explore what they can build, need help identifying which category their project falls into, or are looking for inspiration. Covers product search, knowledge base search, AI assistants, recommendations, customer support, location-based search, log and event search, and vector database use cases.

search.vector-database

Guides agents through using Elasticsearch as a vector database.