Elastic Agent Builder built-in tools reference

This page lists all built-in tools available in Elastic Agent Builder and their availability. Unless otherwise specified, all built-in tools are available within all types of deployments. These tools are available to all custom agents.

Built-in tools provide core capabilities for working with Elasticsearch data. You can't modify or delete them. In the tools overview, the UI organizes built-in tools using labels (called tags in the API) such as observability, security, apm, and alerts to help you filter and find related tools. To learn more, refer to find all available tools.

Tip

For an overview of how tools work in Elastic Agent Builder, refer to the Tools overview.

Tool naming conventions help organize and identify tools by their source. Built-in tools use consistent prefixes such as platform.core, observability, and security. This convention:

  • Prevents naming conflicts between system and custom tools
  • Makes it easy to identify tool sources
  • Provides a consistent pattern for tool identification

Platform Core tools provide fundamental capabilities for interacting with Elasticsearch data, executing queries, and working with indices. They are relevant to many use cases.

platform.core.execute_esql
Executes an ES|QL query and returns the results in a tabular format.
platform.core.generate_esql
Generates an ES|QL query from a natural language query.
platform.core.get_document_by_id
Retrieves the full content of an Elasticsearch document based on its ID and index name.
platform.core.get_index_mapping
Retrieves mappings for the specified index or indices.
platform.core.index_explorer
Lists relevant indices and corresponding mappings based on a natural language query.
platform.core.list_indices
Lists the indices, aliases, and data streams in the Elasticsearch cluster the current user has access to.
platform.core.search
Searches and analyzes data within your Elasticsearch cluster using full-text relevance searches or structured analytical queries.
platform.core.product_documentation
Searches and retrieves documentation about Elastic products (Kibana, Elasticsearch, Elastic Security, Elastic Observability).
platform.core.integration_knowledge
Searches and retrieves knowledge from Fleet-installed integrations, including information on how to configure and use integrations for data ingestion.
platform.core.create_visualization
Creates a Lens visualization based on specifications.
platform.core.cases
Searches and retrieves cases for tracking and managing issues.
platform.core.get_workflow_execution_status
Retrieves the execution status of a workflow.

The following tools manage file attachments in conversations:

platform.core.attachment_read
Reads the content of a file attachment.
platform.core.attachment_update
Updates the content of a file attachment.
platform.core.attachment_add
Adds a new file attachment to the conversation.
platform.core.attachment_list
Lists all file attachments in the conversation.
platform.core.attachment_diff
Shows the differences between versions of a file attachment.

Dashboard tools enable agents to create and manage Kibana dashboards.

dashboard.create_dashboard
Creates a dashboard with specified title, description, panels, and markdown summary.
dashboard.update_dashboard
Updates an existing dashboard with new panels or modifications.

Observability tools provide specialized capabilities for monitoring applications, infrastructure, and logs.

observability.get_alerts
Retrieves Observability alerts within a specified time range, supporting filtering by status (active/recovered) and KQL queries.
observability.get_services
Retrieves information about services being monitored in APM.
observability.get_hosts
Retrieves information about hosts being monitored in infrastructure monitoring.
observability.get_index_info
Retrieves information about Observability indices and their fields. Supports operations for getting an overview of available data sources, listing fields that contain actual data, and retrieving distinct values or ranges for specific fields.
observability.get_trace_metrics
Retrieves metrics and statistics for distributed traces.
observability.get_downstream_dependencies
Identifies downstream dependencies (other services, databases, external APIs) for a specific service to understand service topology and blast radius.
observability.get_log_categories
Retrieves categorized log patterns to identify common log message types.
observability.get_log_change_points
Detects statistically significant changes in log patterns and volumes.
observability.get_metric_change_points
Detects statistically significant changes in metrics across groups (for example, by service, host, or custom fields), identifying spikes, dips, step changes, and trend changes.
observability.get_correlated_logs
Finds logs that are correlated with a specific event or time period.
observability.run_log_rate_analysis
Analyzes log ingestion rates to identify anomalies and trends.
observability.get_anomaly_detection_jobs
Retrieves Machine Learning anomaly detection jobs and their top anomaly records for investigating outliers and abnormal behavior.

Security tools provide specialized capabilities for security monitoring, threat detection, and incident response.

security.alerts
Searches and analyzes security alerts using full-text or structured queries for finding, counting, aggregating, or summarizing alerts.
security.entity_risk_score
Retrieves risk scores for entities (users, hosts, and services) to identify high-risk entities in the environment.
security.attack_discovery_search
Returns any related attack discoveries from the last week, given one or more alert IDs.
security.security_labs_search
Searches Elastic Security Labs research and threat intelligence content.