﻿---
title: Elastic Agent Builder built-in tools reference
description: Reference of all built-in tools available in Elastic Agent Builder.
url: https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference
products:
  - Elastic Cloud Serverless
  - Elastic Observability
  - Elastic Security
  - Elasticsearch
  - Kibana
applies_to:
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available
---

# Elastic Agent Builder built-in tools reference
This page lists all built-in tools available in Elastic Agent Builder, grouped by [namespace](/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/tools/custom-tools#protected-namespaces). Built-in tools are read-only: you can't modify or delete them.
Platform tools are available across all deployments. Observability and security tools are scoped to their respective solutions. Tool prefixes (`platform.core`, `platform.streams`, `platform.sig_events`, `platform.workflows`, `observability`, `security`) reflect this scoping.
Some tools are in technical preview or require a license, an [advanced setting](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3655/reference/kibana/advanced-settings#kibana-general-settings), or an experimental feature flag before they become available. These requirements are called out in each tool's entry.
[Built-in agents](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/builtin-agents-reference) are pre-configured with relevant tools. You can also assign any available built-in tool to [custom agents](/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/custom-agents#create-a-new-agent) you create.
<tip>
  For an overview of how tools work in Elastic Agent Builder, refer to the [Tools overview](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/tools).
</tip>


## Platform tools

Platform tools are available across all deployments and serverless projects. They use the `platform.*` namespaces.

### Platform core tools

Platform core tools provide fundamental capabilities for interacting with Elasticsearch data, executing queries, and working with indices. They are relevant to many use cases.
<definitions>
  <definition term="platform.core.execute_esql Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Executes an [ES|QL](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3655/reference/query-languages/esql) query and returns the results in a tabular format. [Custom ES|QL tools](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/tools/esql-tools) execute their queries directly, so this tool is only needed for running arbitrary queries, such as those generated by `generate_esql` or provided by the user.
  </definition>
  <definition term="platform.core.generate_esql Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Generates an [ES|QL](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3655/reference/query-languages/esql) query from a natural language query.
  </definition>
  <definition term="platform.core.get_document_by_id Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Retrieves the full content of an Elasticsearch document based on its ID and index name.
  </definition>
  <definition term="platform.core.get_index_mapping Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Retrieves mappings for the specified index or indices.
  </definition>
  <definition term="platform.core.index_explorer Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Lists relevant indices and corresponding mappings based on a natural language query.
  </definition>
  <definition term="platform.core.list_indices Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Lists the indices, aliases, and data streams in the Elasticsearch cluster the current user has access to.
  </definition>
  <definition term="platform.core.search Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Searches Elasticsearch data using natural language, automatically selecting between query DSL and ES|QL based on the query intent.
  </definition>
  <definition term="platform.core.product_documentation Elastic Stack: Generally available since 9.3">
    Searches and retrieves documentation about Elastic products. To use this tool, search for **GenAI Settings** in the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/find-and-organize/find-apps-and-objects) and install **Elastic documentation** from the **Documentation** section. This takes a few minutes.
  </definition>
  <definition term="platform.core.integration_knowledge Elastic Stack: Generally available since 9.3">
    Searches and retrieves knowledge from [Fleet](https://www.elastic.co/elastic/docs-builder/docs/3655/reference/fleet)-installed integrations, including information on how to configure and use integrations for data ingestion.
  </definition>
  <definition term="platform.core.create_visualization Elastic Stack: Generally available since 9.4">
    Creates or updates a visualization configuration based on a natural language description.
  </definition>
  <definition term="platform.core.execute_connector_sub_action Elastic Stack: Preview since 9.4">
    Runs a single sub-action on a saved Kibana [connector](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/connectors) (for example, sending an email or creating an issue), given a connector ID, sub-action name, and parameters. This lets an agent act on external systems without a dedicated [workflow tool](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/tools/workflow-tools) for each connector.
    **Prerequisites:** The `agentBuilder:experimentalFeatures` [advanced setting](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3655/reference/kibana/advanced-settings#kibana-general-settings) must be turned on.
  </definition>
</definitions>


#### Workflow execution tools

These platform core tools let agents run and track [Elastic Workflows](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/workflows). For the tools that inspect workflow syntax and definitions, refer to [Workflows tools](#workflows-tools).
<definitions>
  <definition term="platform.core.get_workflow_execution_status Elastic Stack: Generally available since 9.3">
    Retrieves the status and, if available, the final output of an [Elastic Workflows](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/workflows) execution from its execution ID.
  </definition>
  <definition term="platform.core.resume_workflow_execution Elastic Stack: Generally available since 9.4">
    Resumes an [Elastic Workflows](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/workflows) execution that is paused at a [`waitForInput`](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/workflows/authoring-techniques/human-in-the-loop) step, providing the reviewer's input to the workflow so it can continue.
  </definition>
  <definition term="platform.core.generate_workflow Elastic Stack: Planned">
    Generates or updates an [Elastic Workflows](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/workflows) definition from a natural language description, delegating to a specialized workflow-authoring agent that knows workflow syntax, step types, and available connectors.
  </definition>
  <definition term="platform.core.execute_workflow Elastic Stack: Planned">
    Executes an [Elastic Workflows](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/workflows) definition, given a saved workflow ID, inline YAML for an ephemeral run, or a workflow YAML attachment.
  </definition>
  <definition term="platform.core.list_workflow_executions Elastic Stack: Planned">
    Lists recent [Elastic Workflows](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/workflows) executions in the current space, most recent first, so you can find an execution ID to pass to `get_workflow_execution_status`.
  </definition>
</definitions>


### Cases tools

Cases tools search and manage [cases](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/cases) for tracking and managing issues. Access follows the current user's Cases privileges.
<definitions>
  <definition term="platform.core.cases Elastic Stack: Generally available since 9.3">
    Searches and retrieves [cases](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/cases).
  </definition>
  <definition term="platform.core.cases.manage Elastic Stack: Planned">
    Creates, updates, deletes, and assigns cases, and manages their tags and custom fields. Supports creating from a template and bulk updates.
  </definition>
  <definition term="platform.core.cases.attachments Elastic Stack: Planned">
    Manages case attachments, including adding comments, linking alerts, linking events, and listing existing attachments.
  </definition>
  <definition term="platform.core.cases.observables Elastic Stack: Planned">
    Manages case observables such as IP addresses, domains, file hashes, URLs, emails, and registry keys.
  </definition>
</definitions>


### Workflows tools

<applies-to>
  - Elastic Stack: Planned
</applies-to>

Workflows tools help agents author and inspect [Elastic Workflows](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/workflows) by exposing step, trigger, connector, and example libraries, and by validating and previewing workflow definitions. To run or track a workflow, use the [workflow execution tools](#workflow-execution-tools) in the platform core namespace.
<definitions>
  <definition term="platform.workflows.validate_workflow Elastic Stack: Planned">
    Validates a workflow YAML definition against all validation rules, including YAML syntax, schema conformance, step-name uniqueness, and Liquid template syntax.
  </definition>
  <definition term="platform.workflows.get_step_definitions Elastic Stack: Planned">
    Returns the available workflow step types with their input and configuration parameters and usage examples. Supports filtering by step type, keyword, or category.
  </definition>
  <definition term="platform.workflows.get_trigger_definitions Elastic Stack: Planned">
    Returns the available workflow trigger types with their schemas and YAML examples, including manual, scheduled, alert, and event-driven triggers.
  </definition>
  <definition term="platform.workflows.get_connectors Elastic Stack: Planned">
    Returns the connector instances configured in the deployment, including their action type and supported step types, so a workflow step can reference the correct connector.
  </definition>
  <definition term="platform.workflows.get_examples Elastic Stack: Planned">
    Searches and retrieves example workflow YAML files from a bundled library to illustrate correct syntax patterns.
  </definition>
  <definition term="platform.workflows.workflow_execute_step Elastic Stack: Planned">
    Executes a single workflow step against the live environment for testing and field discovery. Steps that write data or call external systems require explicit user confirmation before running.
  </definition>
</definitions>


### Streams tools

<applies-to>
  - Elastic Stack: Generally available since 9.4
</applies-to>

Streams tools provide capabilities for exploring and managing [Streams](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/observability/streams/streams).
<note>
  In 9.5, the individual stream read tools were consolidated into `inspect_streams` and `diagnose_stream`, and the individual stream write tools were consolidated into `update_stream`, `create_partition`, and `delete_stream`. The tools removed in 9.5 are listed at the end of this section.
</note>

<definitions>
  <definition term="platform.streams.inspect_streams Elastic Stack: Planned">
    Inspects one or more streams in a single call, returning only the requested aspects: overview, schema, quality, lifecycle, processing, or routing. Supports inspecting all streams at once.
  </definition>
  <definition term="platform.streams.diagnose_stream Elastic Stack: Planned">
    Gathers time-windowed health metrics, failure store error samples, and a per-field degraded-field breakdown for a single stream. Use this tool for root cause analysis when data quality issues are detected.
  </definition>
  <definition term="platform.streams.query_documents Elastic Stack: Generally available since 9.4">
    Queries or aggregates data from a stream using a natural language description. The tool translates the description into an Elasticsearch query internally. Returns documents in flat dot-notation format or aggregation results, and can query either the primary data store or the failure store.
  </definition>
  <definition term="platform.streams.design_pipeline Elastic Stack: Planned">
    Designs changes to a stream's processing pipeline from a natural language instruction, simulates them against sample documents, and returns the proposed pipeline for review. The change is applied only when committed with `update_stream`.
  </definition>
  <definition term="platform.streams.list_ilm_policies Elastic Stack: Planned">
    Lists the index lifecycle management (ILM) policies available on the cluster, including phase definitions and which streams and indices use them. On serverless, ILM is not available.
  </definition>
  <definition term="platform.streams.update_stream Elastic Stack: Planned">
    Updates a stream's configuration, including its processing pipeline, description, retention lifecycle, field mappings, and failure store. Requires user confirmation before applying changes.
  </definition>
  <definition term="platform.streams.create_partition Elastic Stack: Planned">
    Creates a child stream (partition) under a parent wired stream, using a routing condition to select the documents it receives. [Partitioning](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/observability/streams/management/partitioning) and [wired streams](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/observability/streams/streams) are in technical preview. Requires user confirmation.
  </definition>
  <definition term="platform.streams.delete_stream Elastic Stack: Planned">
    Permanently deletes a stream and all of its child streams. This action cannot be undone and requires user confirmation.
  </definition>
</definitions>

The following streams tools were available in 9.4 and were removed in 9.5:
<definitions>
  <definition term="platform.streams.list_streams Elastic Stack: Planned for removal, Elastic Stack: Generally available in 9.4">
    Listed all streams the current user had access to. Replaced by `inspect_streams` with the `overview` aspect.
  </definition>
  <definition term="platform.streams.get_stream Elastic Stack: Planned for removal, Elastic Stack: Generally available in 9.4">
    Returned the full definition of a single stream. Replaced by `inspect_streams`.
  </definition>
  <definition term="platform.streams.get_schema Elastic Stack: Planned for removal, Elastic Stack: Generally available in 9.4">
    Returned the schema of a stream. Replaced by `inspect_streams` with the `schema` aspect.
  </definition>
  <definition term="platform.streams.get_data_quality Elastic Stack: Planned for removal, Elastic Stack: Generally available in 9.4">
    Returned data quality metrics for a stream. Replaced by `inspect_streams` with the `quality` aspect and by `diagnose_stream`.
  </definition>
  <definition term="platform.streams.get_lifecycle_stats Elastic Stack: Planned for removal, Elastic Stack: Generally available in 9.4">
    Returned lifecycle and storage statistics for a stream. Replaced by `inspect_streams` with the `lifecycle` aspect.
  </definition>
  <definition term="platform.streams.get_failed_documents Elastic Stack: Planned for removal, Elastic Stack: Generally available in 9.4">
    Retrieved documents from a stream's failure store with error details. Replaced by `diagnose_stream` and by `query_documents` with the failure store source.
  </definition>
</definitions>


### Significant events tools

<applies-to>
  - Elastic Stack: Planned
</applies-to>

Significant events tools search, create, and manage [significant events](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/observability/streams/management/significant-events) and Knowledge Indicators for [Streams](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/observability/streams/streams).
**Prerequisites:** Significant events require an [Enterprise license](https://www.elastic.co/subscriptions) and must be enabled for the deployment through the `observability:streamsEnableSignificantEvents` [advanced setting](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3655/reference/kibana/advanced-settings#kibana-general-settings).
<definitions>
  <definition term="platform.sig_events.ki_search Elastic Stack: Planned">
    Searches Knowledge Indicators (both feature-based and query-based) derived from streams data to enrich context for a target stream, service, or group of streams.
  </definition>
  <definition term="platform.sig_events.ki_feature_create Elastic Stack: Planned">
    Creates a feature Knowledge Indicator that captures a newly discovered stream behavior pattern. Requires user confirmation.
  </definition>
  <definition term="platform.sig_events.ki_query_create Elastic Stack: Planned">
    Creates a query Knowledge Indicator that saves a newly discovered detection query. Requires user confirmation.
  </definition>
  <definition term="platform.sig_events.event_search Elastic Stack: Planned">
    Searches significant events across all streams or a specific stream, so the agent can check current event state before creating or updating events.
  </definition>
  <definition term="platform.sig_events.event_create Elastic Stack: Planned">
    Creates a significant event for one or more streams. Requires user confirmation.
  </definition>
  <definition term="platform.sig_events.event_status_update Elastic Stack: Planned">
    Updates the status of an existing significant event.
  </definition>
  <definition term="platform.streams.sig_events.event_investigation_attach Elastic Stack: Planned">
    Records an investigation run against a significant event, keeping the event up to date as an investigation starts and finishes.
  </definition>
</definitions>


## Observability tools

Observability tools provide specialized capabilities for monitoring applications, infrastructure, and logs.
<definitions>
  <definition term="observability.get_alerts Elastic Stack: Generally available since 9.3">
    Retrieves Observability [alerts](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/observability/incident-management/alerting) within a specified time range, supporting filtering by status (active/recovered) and KQL queries.
  </definition>
  <definition term="observability.get_services Elastic Stack: Generally available since 9.3">
    Retrieves information about services being monitored in [APM](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/observability/apm).
  </definition>
  <definition term="observability.get_hosts Elastic Stack: Generally available since 9.3">
    Retrieves information about hosts being monitored in infrastructure monitoring.
  </definition>
  <definition term="observability.get_index_info Elastic Stack: Generally available since 9.3">
    Retrieves information about Observability indices and their fields. Supports operations for getting an overview of available data sources, listing fields that contain actual data, and retrieving distinct values or ranges for specific fields.
  </definition>
  <definition term="observability.get_trace_metrics Elastic Stack: Generally available since 9.3">
    Retrieves metrics and statistics for distributed traces.
    Supports sorting by `latency`, `failureRate`, or `throughput`, and returning average, p95, or p99 latency. <applies-to>Elastic Stack: Generally available since 9.4</applies-to>
  </definition>
  <definition term="observability.get_downstream_dependencies Elastic Stack: Removed in 9.4">
    Identifies downstream dependencies (other services, databases, external APIs) for a specific service to understand service topology and blast radius.
  </definition>
  <definition term="observability.get_service_topology Elastic Stack: Generally available since 9.4">
    Retrieves the service topology (dependency graph) for a service, including RED metrics (latency, throughput, and error rate) per connection.
  </definition>
  <definition term="observability.get_log_categories Elastic Stack: Removed in 9.4">
    Retrieves categorized log patterns to identify common log message types.
  </definition>
  <definition term="observability.get_log_groups Elastic Stack: Generally available since 9.4">
    Returns categorized log messages and exceptions from logs and spans, grouped by type (`spanException` for APM errors, `logException` for log exceptions).
  </definition>
  <definition term="observability.get_log_change_points Elastic Stack: Generally available since 9.3">
    Detects statistically significant changes in log patterns and volumes.
  </definition>
  <definition term="observability.get_metric_change_points Elastic Stack: Generally available since 9.3">
    Detects statistically significant changes in metrics across groups (for example, by service, host, or custom fields), identifying spikes, dips, step changes, and trend changes.
  </definition>
  <definition term="observability.get_correlated_logs Elastic Stack: Removed in 9.4">
    Finds logs that are correlated with a specific event or time period.
  </definition>
  <definition term="observability.get_traces Elastic Stack: Generally available since 9.4">
    Retrieves Observability documents (logs, transactions, spans, and errors) for one or more traces, grouped by trace ID.
  </definition>
  <definition term="observability.run_log_rate_analysis Elastic Stack: Generally available since 9.3">
    Analyzes log ingestion rates to identify anomalies and trends.
  </definition>
  <definition term="observability.get_anomaly_detection_jobs Elastic Stack: Generally available since 9.3">
    Retrieves Machine Learning [anomaly detection jobs](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/machine-learning/anomaly-detection) and their top anomaly records for investigating outliers and atypical behavior.
  </definition>
  <definition term="observability.get_logs Elastic Stack: Generally available since 9.4">
    Searches and filters logs, returning a histogram trend, total count, log samples, and message pattern categories in a single query.
  </definition>
  <definition term="observability.get_runtime_metrics Elastic Stack: Generally available since 9.4">
    Retrieves runtime metrics for services, including CPU usage, memory consumption, thread counts, and GC duration. Currently supports JVM (Java) metrics.
  </definition>
  <definition term="observability.get_trace_change_points Elastic Stack: Generally available since 9.4">
    Detects statistically significant change points in trace latency, throughput, and failure rate across groups (for example, by service, transaction, or host).
  </definition>
  <definition term="observability.get_apm_correlations Elastic Stack: Generally available since 9.3">
    Analyzes APM transaction correlations to identify which dimensions are most associated with slow or failed transactions. Use after identifying a high-latency or high-failure service to find which attributes (host, version, cloud region, and so on) are over-represented in slow or failed transactions. Requires a [Platinum license](https://www.elastic.co/subscriptions).
  </definition>
</definitions>


## Security tools

Security tools provide specialized capabilities for security monitoring, threat detection, and incident response.
<definitions>
  <definition term="security.alerts Elastic Stack: Generally available since 9.3">
    Searches and analyzes [security alerts](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/security/detect-and-alert/manage-detection-alerts) using full-text or structured queries for finding, counting, aggregating, or summarizing alerts.
  </definition>
  <definition term="">
    Returns any related [attack discoveries](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/security/ai/attack-discovery) from the last week, given one or more alert IDs. Requires attack discovery to have been run at least once.
  </definition>
  <definition term="security.security_labs_search">
    Searches [Elastic Security Labs](https://www.elastic.co/security-labs) research and threat intelligence content. To use this tool, search for **GenAI Settings** in the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/find-and-organize/find-apps-and-objects) and install **Security labs** from the **Documentation** section. This takes a few minutes.
  </definition>
  <definition term="security.create_detection_rule Elastic Stack: Generally available since 9.4">
    Creates a security detection [rule](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/security/detect-and-alert/rule-types) from a natural language description, including ES|QL query generation, metadata, tags, and scheduling. Currently supports [ES|QL rules](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/security/detect-and-alert/esql) only. Form changes suggested in chat must be applied manually.
  </definition>
  <definition term="security.run_rule_preview Elastic Stack: Planned">
    Runs a security detection rule preview over a time range without saving the rule, then stores the result as a rule preview attachment so you can inspect the alerts the rule would have generated.
    **Prerequisites:** The `rulePreviewAttachmentEnabled` Elastic Security [experimental feature flag](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3655/reference/kibana/configuration-reference/security-solution-settings#experimental-features) must be enabled.
  </definition>
</definitions>


### Entity Analytics tools

[Entity Analytics](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/security/advanced-entity-analytics) tools work with security entities and their risk scores, asset criticality, watchlists, and threat hunting leads.
<definitions>
  <definition term="">
    Retrieves [risk scores for entities](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/security/advanced-entity-analytics/entity-risk-scoring) (users, hosts, and services) to identify high-risk entities in the environment. This tool is only available when the risk score index exists in the current space.
  </definition>
  <definition term="security.get_entity Elastic Stack: Generally available since 9.4">
    Retrieves an entity profile (user, host, service, or generic) from the Entity store by entity ID (EUID), including any alerts that contributed to its risk score. Requires the entity risk engine and entity store to be enabled.
  </definition>
  <definition term="security.search_entities Elastic Stack: Generally available since 9.4">
    Searches the Entity store for security entities (host, user, service, or generic), with filtering by risk score, asset criticality, entity attributes, and lifecycle timestamps. Use when the entity ID (EUID) is not known, use `security.get_entity` when it is.
  </definition>
  <definition term="security.set_asset_criticality Elastic Stack: Planned">
    Sets or removes the [asset criticality](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/security/advanced-entity-analytics/asset-criticality) level for a security entity and recalculates the entity's risk score.
  </definition>
</definitions>

**Watchlist tools** manage [entity watchlists](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/security/advanced-entity-analytics/watchlists). Mutating actions require user confirmation before running. A [Platinum or higher license](https://www.elastic.co/subscriptions) is required, and adding or removing entities also requires the [entity store](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/security/advanced-entity-analytics/entity-store) to be enabled and populated.
<definitions>
  <definition term="security.list_watchlists Elastic Stack: Planned">
    Lists the entity watchlists in the current space, including name, description, risk modifier, and member sources.
  </definition>
  <definition term="security.create_watchlist Elastic Stack: Planned">
    Creates a new watchlist in the current space.
  </definition>
  <definition term="security.update_watchlist Elastic Stack: Planned">
    Updates an existing watchlist, such as renaming it or changing its description or risk modifier.
  </definition>
  <definition term="security.delete_watchlist Elastic Stack: Planned">
    Permanently deletes a watchlist. This action cannot be undone.
  </definition>
  <definition term="security.add_entities_to_watchlist Elastic Stack: Planned">
    Adds one or more entities to a watchlist by entity ID (EUID).
  </definition>
  <definition term="security.remove_entities_from_watchlist Elastic Stack: Planned">
    Removes one or more entities from a watchlist by entity ID (EUID).
  </definition>
</definitions>

**Lead generation tools** surface AI-generated [threat hunting leads](/elastic/docs-builder/docs/3655/solutions/security/advanced-entity-analytics/monitor-entity-risk#entity-threat-hunting-leads) for security entities. An [Enterprise license](https://www.elastic.co/subscriptions) is required.
<definitions>
  <definition term="security.list_leads Elastic Stack: Planned">
    Lists AI-generated threat hunting leads for security entities, sorted by priority.
  </definition>
  <definition term="security.generate_leads Elastic Stack: Planned">
    Generates new threat hunting leads. The job runs asynchronously and returns immediately.
  </definition>
  <definition term="security.dismiss_lead Elastic Stack: Planned">
    Dismisses an AI-generated threat hunting lead by ID, marking it as triaged.
  </definition>
</definitions>


### SIEM readiness tools

SIEM readiness tools assess [SIEM readiness](https://www.elastic.co/elastic/docs-builder/docs/3655/solutions/security/get-started/siem-readiness) across four dimensions: coverage, quality, continuity, and retention.
<definitions>
  <definition term="security.siem_readiness.get_coverage Elastic Stack: Planned">
    Retrieves SIEM data coverage health across the SIEM data categories (endpoint, identity, network, cloud, and application/SaaS), including document counts, detection-rule presence, health status, and findings.
  </definition>
  <definition term="security.siem_readiness.get_quality Elastic Stack: Planned">
    Retrieves SIEM data quality health based on ECS compatibility check results, including incompatible field mappings, health status, and findings. Requires a prior Data Quality dashboard run.
  </definition>
  <definition term="security.siem_readiness.get_continuity Elastic Stack: Planned">
    Retrieves SIEM ingest pipeline continuity health, including active pipelines, failure rates, silent data streams, and volume drops.
  </definition>
  <definition term="security.siem_readiness.get_retention Elastic Stack: Planned">
    Retrieves SIEM data retention health, including data streams and indices with retention configuration, retention days, and compliance status.
  </definition>
</definitions>


### PCI compliance tools

<applies-to>
  - Elastic Stack: Planned
</applies-to>

PCI compliance tools support PCI DSS v4.0.1 compliance assessments.
**Prerequisites:** The `pciComplianceAgentBuilder` Elastic Security [experimental feature flag](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3655/reference/kibana/configuration-reference/security-solution-settings#experimental-features) must be enabled.
<definitions>
  <definition term="security.pci_scope_discovery Elastic Stack: Planned">
    Discovers PCI-relevant data coverage across indices, including custom-ingested data, and classifies it by scope area.
  </definition>
  <definition term="security.pci_compliance Elastic Stack: Planned">
    Runs PCI DSS v4.0.1 compliance checks or reports, returning either per-requirement findings with ES|QL evidence or a visual scorecard.
  </definition>
  <definition term="security.pci_field_mapper Elastic Stack: Planned">
    Inspects non-ECS index fields and suggests mappings to ECS fields for PCI queries. Use when scope discovery reports low ECS coverage.
  </definition>
</definitions>


## Inline tools

Some [built-in skills](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/builtin-skills-reference) include inline tools that are only available while that skill is active. Because they are scoped to a skill rather than assignable on their own, they are not listed among the namespaced tools in this reference. For example:
- The [`dashboard-management`](/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/builtin-skills-reference#agent-builder-dashboard-management-skill) skill includes an inline tool for generating and updating dashboards.
- The `rule-management` skill includes the `platform.alerting.manage_rule` and `platform.alerting.manage_action_policy` tools for composing and modifying alerting rules and their action policies.
- The `alert-triage` skill includes the `security.alert-triage` tool for prioritizing the alert queue.

<tip>
  You can also manage tools programmatically. To learn more, refer to [Tools API](/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/tools#tools-api).
</tip>


## Related pages

- [Tools in Elastic Agent Builder](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/tools)
- [Custom ES|QL tools](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/tools/esql-tools)
- [Custom index search tools](https://www.elastic.co/elastic/docs-builder/docs/3655/explore-analyze/ai-features/agent-builder/tools/index-search-tools)