Elastic Agent Builder built-in tools reference

This page lists all built-in tools available in Elastic Agent Builder, grouped by namespace. Built-in tools are read-only: you can't modify or delete them.

Platform tools are available across all deployments. Observability and security tools are scoped to their respective solutions. Tool prefixes (platform.core, platform.streams, observability, security) reflect this scoping.

Built-in agents are pre-configured with relevant tools. You can also assign any available built-in tool to custom agents you create.

Tip

For an overview of how tools work in Elastic Agent Builder, refer to the Tools overview.

Platform tools are available across all deployments and serverless projects. They use the platform.* namespaces.

Platform core tools provide fundamental capabilities for interacting with Elasticsearch data, executing queries, and working with indices. They are relevant to many use cases.

platform.core.execute_esql
Executes an ES|QL query and returns the results in a tabular format. Custom ES|QL tools execute their queries directly, so this tool is only needed for running arbitrary queries, such as those generated by generate_esql or provided by the user.
platform.core.generate_esql
Generates an ES|QL query from a natural language query.
platform.core.get_document_by_id
Retrieves the full content of an Elasticsearch document based on its ID and index name.
platform.core.get_index_mapping
Retrieves mappings for the specified index or indices.
platform.core.index_explorer
Lists relevant indices and corresponding mappings based on a natural language query.
platform.core.list_indices
Lists the indices, aliases, and data streams in the Elasticsearch cluster the current user has access to.
platform.core.search
Searches and analyzes data within your Elasticsearch cluster using full-text relevance searches or structured analytical queries.
platform.core.product_documentation
Searches and retrieves documentation about Elastic products. To use this tool, search for GenAI Settings in the global search field and install Elastic documentation from the Documentation section. This takes a few minutes.
platform.core.integration_knowledge
Searches and retrieves knowledge from Fleet-installed integrations, including information on how to configure and use integrations for data ingestion.
platform.core.create_visualization
Creates or updates a visualization configuration based on a natural language description.
platform.core.cases
Searches and retrieves cases for tracking and managing issues.
platform.core.get_workflow_execution_status
Retrieves the execution status of a workflow.
platform.core.resume_workflow_execution
Resumes a workflow execution that is paused and waiting for human input.

Dashboard tools enable agents to create and manage dashboards through chat.

dashboard.create_dashboard
Creates a dashboard with specified title, description, panels, and markdown summary.
dashboard.update_dashboard
Updates an existing dashboard with new panels or modifications.

Streams tools provide capabilities for exploring and managing Streams.

platform.streams.list_streams
Lists all streams the current user has access to, returning each stream's name, type, and description.
platform.streams.get_stream
Returns the full definition of a single stream: type, description, retention policy, processing rules, field mappings, routing/partitions, and parent-child hierarchy.
platform.streams.get_schema
Returns the schema of a stream: mapped fields (own and inherited) with their types, and unmapped fields detected from recent documents.
platform.streams.get_data_quality
Returns data quality metrics for a stream: degraded document percentage, failed document percentage, an overall quality indicator (good, degraded, or poor), and failure store status.
platform.streams.get_lifecycle_stats
Returns lifecycle and storage statistics for a stream: effective retention policy and its source, total storage size, document count, and ILM tier breakdown.
platform.streams.query_documents
Queries or aggregates data from a stream using a natural language description. The tool translates the description into an Elasticsearch query internally. Returns documents in flat dot-notation format or aggregation results.
platform.streams.get_failed_documents
Retrieves documents from a stream's failure store with error details (error type, message, stack trace) and the original document that failed ingestion. Use this tool for root cause analysis when data quality issues are detected.

Observability tools provide specialized capabilities for monitoring applications, infrastructure, and logs.

observability.get_alerts
Retrieves Observability alerts within a specified time range, supporting filtering by status (active/recovered) and KQL queries.
observability.get_services
Retrieves information about services being monitored in APM.
observability.get_hosts
Retrieves information about hosts being monitored in infrastructure monitoring.
observability.get_index_info
Retrieves information about Observability indices and their fields. Supports operations for getting an overview of available data sources, listing fields that contain actual data, and retrieving distinct values or ranges for specific fields.
observability.get_trace_metrics
Retrieves metrics and statistics for distributed traces. Supports sorting by latency, failureRate, or throughput, and returning average, p95, or p99 latency.
observability.get_downstream_dependencies
Identifies downstream dependencies (other services, databases, external APIs) for a specific service to understand service topology and blast radius.
observability.get_service_topology
Retrieves the service topology (dependency graph) for a service, including RED metrics (latency, throughput, and error rate) per connection.
observability.get_log_categories
Retrieves categorized log patterns to identify common log message types.
observability.get_log_groups
Returns categorized log messages and exceptions from logs and spans, grouped by type (spanException for APM errors, logException for log exceptions).
observability.get_log_change_points
Detects statistically significant changes in log patterns and volumes.
observability.get_metric_change_points
Detects statistically significant changes in metrics across groups (for example, by service, host, or custom fields), identifying spikes, dips, step changes, and trend changes.
observability.get_correlated_logs
Finds logs that are correlated with a specific event or time period.
observability.get_traces
Retrieves Observability documents (logs, transactions, spans, and errors) for one or more traces, grouped by trace ID.
observability.run_log_rate_analysis
Analyzes log ingestion rates to identify anomalies and trends.
observability.get_anomaly_detection_jobs
Retrieves Machine Learning anomaly detection jobs and their top anomaly records for investigating outliers and atypical behavior.
observability.get_logs
Searches and filters logs, returning a histogram trend, total count, log samples, and message pattern categories in a single query.
observability.get_runtime_metrics
Retrieves runtime metrics for services, including CPU usage, memory consumption, thread counts, and GC duration. Currently supports JVM (Java) metrics.
observability.get_trace_change_points
Detects statistically significant change points in trace latency, throughput, and failure rate across groups (for example, by service, transaction, or host).
observability.get_apm_correlations
Analyzes APM transaction correlations to identify which dimensions are most associated with slow or failed transactions. Use after identifying a high-latency or high-failure service to find which attributes (host, version, cloud region, and so on) are over-represented in slow or failed transactions. Requires a Platinum license.

Security tools provide specialized capabilities for security monitoring, threat detection, and incident response.

security.alerts
Searches and analyzes security alerts using full-text or structured queries for finding, counting, aggregating, or summarizing alerts.
security.entity_risk_score
Retrieves risk scores for entities (users, hosts, and services) to identify high-risk entities in the environment. This tool is only available when the risk score index exists in the current space.
security.attack_discovery_search
Returns any related attack discoveries from the last week, given one or more alert IDs. Requires attack discovery to have been run at least once.
security.security_labs_search
Searches Elastic Security Labs research and threat intelligence content. To use this tool, search for GenAI Settings in the global search field and install Security labs from the Documentation section. This takes a few minutes.
security.create_detection_rule
Creates a security detection rule from a natural language description, including ES|QL query generation, metadata, tags, and scheduling. Currently supports ES|QL rules only. Form changes suggested in chat must be applied manually.
security.get_entity
Retrieves an entity profile (user, host, service, or generic) from the Entity store by entity ID (EUID), including any alerts that contributed to its risk score. Requires the entity risk engine and entity store to be enabled.
security.search_entities
Searches the Entity store for security entities (host, user, service, or generic), with filtering by risk score, asset criticality, entity attributes, and lifecycle timestamps. Use this tool when the entity ID (EUID) is not known; use security.get_entity when it is.

Some built-in skills include inline tools that are available only while the skill is active.

Tip

You can also manage tools programmatically. To learn more, refer to Tools API.