Elastic Agent Builder built-in agents reference
Built-in agents are pre-configured by Elastic with instructions and tools to handle common use cases.
The Elastic AI Agent is the default general-purpose agent. It is designed to help with a wide range of tasks, from writing ES|QL queries to exploring your data indices.
The Elastic AI Agent is a standard persisted agent that is space-aware. A separate instance is created automatically in each Kibana space when first accessed, and each instance can be customized independently: change its instructions, assign skills and tools, or clone it as a starting point for a new agent.
In 9.2 and 9.3, the Elastic AI Agent cannot be modified or deleted. To customize it, clone it and create a custom agent.
In Elastic Stack 9.3, Elastic Agent Builder included two specialized built-in agents for observability and security use cases. Both were removed in 9.4 in favor of equivalent capabilities exposed as skills on the Elastic AI Agent.
The observability agent is a specialized agent for logs, metrics, and traces. It is designed to assist with infrastructure monitoring and application performance troubleshooting.
Assigned tools:
- All Observability tools
- A subset of Platform core tools
The Threat Hunting Agent is a specialized agent for security alert analysis tasks, including alert investigation and Elastic Security documentation. It helps analysts triage alerts and understand complex security events. For more information and example use cases, refer to Agent Builder for Elastic Security.
Assigned tools:
- All Security tools
- A subset of Platform core tools
The standalone Threat Hunting Agent is removed in 9.4. Threat hunting workflows now use the Elastic AI Agent with the threat-hunting skill enabled, which provides the same capabilities without switching between separate built-in agents. For Security-specific context, refer to Elastic AI Agent, skills, and tools in Elastic Security.
Migration path: Enable the threat-hunting skill on the Elastic AI Agent in place of that standalone agent. The skill ships with the same tool set and query templates previously bundled into the agent, plus platform core tools for generating and running ES|QL queries. For use cases and example prompts, refer to Security use cases for Elastic Agent Builder.