---
title: Elastic Agent Builder built-in skills reference
description: Reference of all built-in skills available in Elastic Agent Builder.
url: https://www.elastic.co/elastic/docs-builder/docs/3202/explore-analyze/ai-features/agent-builder/builtin-skills-reference
products:
  - Elastic Cloud Serverless
  - Elastic Observability
  - Elastic Security
  - Elasticsearch
  - Kibana
applies_to:
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Planned
---

# Elastic Agent Builder built-in skills reference
This page lists all built-in skills available in Elastic Agent Builder. Skills give agents domain-specific knowledge and tools for common task types. Built-in skills are read-only: you can't modify or delete them.
<tip>
  For an overview of how skills work in Elastic Agent Builder, refer to [Skills in Elastic Agent Builder](https://www.elastic.co/elastic/docs-builder/docs/3202/explore-analyze/ai-features/agent-builder/skills).
</tip>


## Availability

Skills are solution-scoped: the set of available built-in skills depends on your deployment type. Platform skills are available across all deployments. Observability, Security, and Elasticsearch skills are available in their respective serverless projects or solution views.

## Platform skills

<definitions>
  <definition term="visualization-creation Elastic Stack: Planned">
    Creates standalone or reusable Lens visualizations from index and field context. Use when a user asks for a chart, metric, trend, or breakdown visualization, or wants to update an existing one.
  </definition>
  <definition term="graph-creation Elastic Stack: Planned">
    Creates graph attachments by transforming relationship data into nodes and edges rendered inline in the conversation. Use for topology, dependency, or entity-link visualizations.
  </definition>
  <definition term="dashboard-management Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Composes and updates in-memory Kibana dashboards. Use when a user asks to find, create, or modify a dashboard, add or remove panels, or edit existing panel visualizations.
  </definition>
  <definition term="streams-exploration Elastic Stack: Planned">
    Discovers, inspects, and queries Elasticsearch streams. Use when a user wants to list available streams, understand a stream's schema, check data quality or retention, or sample documents from a stream. This is a read-only skill: it cannot create, update, or delete streams or modify stream configuration.
  </definition>
</definitions>


## Observability skills

<applies-to>
  - Serverless Observability projects: Generally available
</applies-to>

<definitions>
  <definition term="observability.investigation Elastic Stack: Planned">
    Answers observability questions and diagnoses issues across APM services and infrastructure. Use when a user asks about service health, error rates, latency, failed transactions, service topology, trace analysis, log patterns, SLO breaches, alert investigations, or general questions about services and their performance.
  </definition>
</definitions>


## Security skills

<applies-to>
  - Serverless Security projects: Generally available
</applies-to>

<definitions>
  <definition term="alert-analysis Elastic Stack: Planned">
    Investigates Elastic Security alerts and recommends a disposition. Fetches alert context, finds related alerts that share entities (`host.name`, `user.name`, `source.ip`, `destination.ip`), correlates with Elastic Security Labs threat intelligence, and assesses severity. Use when investigating a specific alert, triaging alert queues, or understanding alert context.
    **Assigned tools:** `security.alerts`, `security.security_labs_search`, `security.entity_risk_score`
    **Prerequisites:** [Entity risk scoring](https://www.elastic.co/elastic/docs-builder/docs/3202/solutions/security/advanced-entity-analytics/entity-risk-scoring) enabled so risk scores are available for involved hosts and users. To use threat intelligence correlation, install **Security Labs** documentation from [**GenAI Settings**](https://www.elastic.co/elastic/docs-builder/docs/3202/explore-analyze/ai-features/manage-access-to-ai-assistant).
    **How to activate:** In addition to the [standard activation methods](https://www.elastic.co/elastic/docs-builder/docs/3202/explore-analyze/ai-features/agent-builder/skills#how-skills-are-invoked), this skill activates automatically when you attach an alert from the alert flyout in Elastic Security, which provides the alert context the skill needs.
  </definition>
  <definition term="entity-analytics Elastic Stack: Planned">
    Finds and investigates security entities including hosts, users, services, and generic entities. Analyzes entity risk scores, asset criticality, and historical behavior, including signals from Security Machine Learning anomaly detection jobs. Use to discover risky entities or profile a specific entity by ID.
    **Assigned tools:** `security.get_entity`, `security.search_entities`
    **Prerequisites:** [Entity risk scoring](https://www.elastic.co/elastic/docs-builder/docs/3202/solutions/security/advanced-entity-analytics/entity-risk-scoring) enabled and the [entity store](https://www.elastic.co/elastic/docs-builder/docs/3202/solutions/security/advanced-entity-analytics/entity-store) populated.
    **Related skills:** [`find-security-ml-jobs`](#agent-builder-find-security-ml-jobs-skill) for deeper investigation of anomalies surfaced during entity analysis.
  </definition>
  <definition term="find-security-ml-jobs Elastic Stack: Planned">
    Investigates atypical behavior detected by Machine Learning jobs, including unusual access patterns, lateral movement, unexpected logins, suspicious domain activity, and large data transfers.
    **Assigned tools:** `platform.core.execute_esql`, `platform.core.generate_esql`, `security.get_entity`
    **Prerequisites:** Relevant Security Machine Learning jobs installed and running. For guidance, refer to [Machine learning job and rule requirements](https://www.elastic.co/elastic/docs-builder/docs/3202/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements).
  </definition>
  <definition term="threat-hunting Elastic Stack: Planned">
    Runs hypothesis-driven threat hunts using iterative ES|QL exploration. Covers IOC search, anomaly identification, baseline behavioral comparison, and lateral movement tracking.
    **Assigned tools:** `platform.core.generate_esql`, `platform.core.execute_esql`, `platform.core.search`, `platform.core.list_indices`, `platform.core.get_index_mapping`, `platform.core.cases`
  </definition>
  <definition term="detection-rule-edit Elastic Stack: Planned">
    Creates and edits Elastic Security detection rules. Supports the ES|QL rule type only. Use when a user asks to build a rule from natural language or edit rule fields such as severity, tags, MITRE ATT&CK mappings, schedule, or query.
    **Assigned tools:** `security.create_detection_rule`, `security.security_labs_search`, `platform.core.generate_esql`, `platform.core.product_documentation`
    **Prerequisites:** To ground rule drafting in threat research, install **Security Labs** documentation from [**GenAI Settings**](https://www.elastic.co/elastic/docs-builder/docs/3202/explore-analyze/ai-features/manage-access-to-ai-assistant).
    **How to activate:** This skill is attachment-driven and activates when a rule attachment is present in the conversation. You can start a rule attachment from the rule creation form, from the rule details page, or by asking the agent to "create a detection rule" in chat. The skill creates the attachment and renders an **Apply to creation** or **Update rule** button so you can save the change to the rule form.
  </definition>
  <definition term="automatic_troubleshooting Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Diagnoses [Elastic Defend](https://www.elastic.co/elastic/docs-builder/docs/3202/solutions/security/configure-elastic-defend) endpoint configuration issues such as endpoints not reporting, policy response failures, agent enrollment problems, or incompatible antivirus. Queries endpoint data, inspects package configuration, and produces structured findings with specific endpoint IDs and remediation steps. Registered only when the `automaticTroubleshootingSkill` experimental feature flag is enabled.
    **Assigned tools:** `platform.core.search`, `platform.core.get_document_by_id`, `platform.core.integration_knowledge`
    **Prerequisites:** [Elastic Defend](https://www.elastic.co/elastic/docs-builder/docs/3202/solutions/security/configure-elastic-defend) deployed and reporting. The `automaticTroubleshootingSkill` experimental feature flag must be enabled for the skill to appear.
  </definition>
</definitions>


## Elasticsearch skills

<applies-to>
  - Serverless Elasticsearch projects: Generally available
</applies-to>

<definitions>
  <definition term="search.catalog-ecommerce Elastic Stack: Planned">
    Guides agents through building catalog and e-commerce search solutions on Elasticsearch.
  </definition>
  <definition term="search.elasticsearch-onboarding Elastic Stack: Planned">
    Guides developers through building a complete search experience on Elasticsearch, from understanding requirements and designing an index mapping to generating and testing API snippets in Dev Tools.
  </definition>
  <definition term="search.hybrid-search Elastic Stack: Planned">
    Guides agents through building hybrid search solutions that combine keyword and semantic search.
  </definition>
  <definition term="search.keyword-search Elastic Stack: Planned">
    Guides agents through building keyword and full-text search solutions on Elasticsearch.
  </definition>
  <definition term="search.rag-chatbot Elastic Stack: Planned">
    Guides agents through building retrieval-augmented generation chatbot solutions on Elasticsearch.
  </definition>
  <definition term="search.semantic-search Elastic Stack: Planned">
    Guides agents through building semantic and vector search solutions on Elasticsearch.
  </definition>
  <definition term="search.use-case-library Elastic Stack: Planned">
    Presents a library of Elasticsearch use cases when users want to explore what they can build, need help identifying which category their project falls into, or are looking for inspiration. Covers product search, knowledge base search, AI assistants, recommendations, customer support, location-based search, log and event search, and vector database use cases.
  </definition>
  <definition term="search.vector-database Elastic Stack: Planned">
    Guides agents through using Elasticsearch as a vector database.
  </definition>
</definitions>


## Related pages

- [Skills in Elastic Agent Builder](https://www.elastic.co/elastic/docs-builder/docs/3202/explore-analyze/ai-features/agent-builder/skills)
- [Custom skills](https://www.elastic.co/elastic/docs-builder/docs/3202/explore-analyze/ai-features/agent-builder/custom-skills)
- [Skill creation guidelines](https://www.elastic.co/elastic/docs-builder/docs/3202/explore-analyze/ai-features/agent-builder/skill-creation-guidelines)
- [Tools in Elastic Agent Builder](https://www.elastic.co/elastic/docs-builder/docs/3202/explore-analyze/ai-features/agent-builder/tools)
- [Built-in tools reference](https://www.elastic.co/elastic/docs-builder/docs/3202/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference)
- [Custom agents](https://www.elastic.co/elastic/docs-builder/docs/3202/explore-analyze/ai-features/agent-builder/custom-agents)