---
title: Elastic Agent Builder built-in tools reference
description: Reference of all built-in tools available in Elastic Agent Builder.
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference
products:
  - Elastic Cloud Serverless
  - Elastic Observability
  - Elastic Security
  - Elasticsearch
  - Kibana
applies_to:
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available
---

# Elastic Agent Builder built-in tools reference
This page lists all built-in tools available in Elastic Agent Builder, grouped by namespace. Built-in tools are read-only: you can't modify or delete them.
Platform tools are available across all deployments. Observability and security tools are scoped to their respective solutions. Tool prefixes (`platform.core`, `platform.streams`, `observability`, `security`) reflect this scoping.
[Built-in agents](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/ai-features/agent-builder/builtin-agents-reference) are pre-configured with relevant tools. You can also assign any available built-in tool to [custom agents](/elastic/docs-content/pull/5867/explore-analyze/ai-features/agent-builder/custom-agents#create-a-new-agent) you create.
<tip>
  For an overview of how tools work in Elastic Agent Builder, refer to the [Tools overview](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/ai-features/agent-builder/tools).
</tip>


## Platform tools

Platform tools are available across all deployments and serverless projects. They use the `platform.*` namespaces.

### Platform core tools

Platform core tools provide fundamental capabilities for interacting with Elasticsearch data, executing queries, and working with indices. They are relevant to many use cases.
<definitions>
  <definition term="platform.core.execute_esql Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Executes an [ES|QL](https://docs-v3-preview.elastic.dev/elastic/elasticsearch/tree/main/reference/query-languages/esql) query and returns the results in a tabular format. [Custom ES|QL tools](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/ai-features/agent-builder/tools/esql-tools) execute their queries directly, so this tool is only needed for running arbitrary queries, such as those generated by `generate_esql` or provided by the user.
  </definition>
  <definition term="platform.core.generate_esql Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Generates an [ES|QL](https://docs-v3-preview.elastic.dev/elastic/elasticsearch/tree/main/reference/query-languages/esql) query from a natural language query.
  </definition>
  <definition term="platform.core.get_document_by_id Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Retrieves the full content of an Elasticsearch document based on its ID and index name.
  </definition>
  <definition term="platform.core.get_index_mapping Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Retrieves mappings for the specified index or indices.
  </definition>
  <definition term="platform.core.index_explorer Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Lists relevant indices and corresponding mappings based on a natural language query.
  </definition>
  <definition term="platform.core.list_indices Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Lists the indices, aliases, and data streams in the Elasticsearch cluster the current user has access to.
  </definition>
  <definition term="platform.core.search Elastic Stack: Preview since 9.2 Elastic Stack: Generally available since 9.3">
    Searches and analyzes data within your Elasticsearch cluster using full-text relevance searches or structured analytical queries.
  </definition>
  <definition term="platform.core.product_documentation Elastic Stack: Generally available since 9.3">
    Searches and retrieves documentation about Elastic products. To use this tool, search for **GenAI Settings** in the [global search field](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/find-and-organize/find-apps-and-objects) and install **Elastic documentation** from the **Documentation** section. This takes a few minutes.
  </definition>
  <definition term="platform.core.integration_knowledge Elastic Stack: Generally available since 9.3">
    Searches and retrieves knowledge from [Fleet](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/reference/fleet)-installed integrations, including information on how to configure and use integrations for data ingestion.
  </definition>
  <definition term="platform.core.create_visualization Elastic Stack: Planned">
    Creates or updates a visualization configuration based on a natural language description.
  </definition>
  <definition term="platform.core.cases Elastic Stack: Generally available since 9.3">
    Searches and retrieves [cases](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/cases) for tracking and managing issues.
  </definition>
  <definition term="platform.core.get_workflow_execution_status Elastic Stack: Generally available since 9.3">
    Retrieves the execution status of a workflow.
  </definition>
  <definition term="platform.core.resume_workflow_execution Elastic Stack: Planned">
    Resumes a workflow execution that is paused and waiting for human input.
  </definition>
</definitions>


## Dashboard tools

<applies-to>
  - Elastic Cloud Serverless: Preview
  - Elastic Stack: Planned
</applies-to>

Dashboard tools enable agents to create and manage [dashboards](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/dashboards) through [chat](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/ai-features/agent-builder/chat).
<definitions>
  <definition term="dashboard.create_dashboard">
    Creates a dashboard with the specified title, description, panels, and markdown summary.
  </definition>
  <definition term="dashboard.update_dashboard">
    Updates an existing dashboard with new panels or modifications.
  </definition>
</definitions>


## Streams tools

<applies-to>
  - Elastic Stack: Planned
</applies-to>

Streams tools provide capabilities for exploring and managing [Streams](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/solutions/observability/streams/streams).
<definitions>
  <definition term="platform.streams.list_streams Elastic Stack: Planned">
    Lists all streams the current user has access to, returning each stream's name, type, and description.
  </definition>
  <definition term="platform.streams.get_stream Elastic Stack: Planned">
    Returns the full definition of a single stream: type, description, retention policy, processing rules, field mappings, routing/partitions, and parent-child hierarchy.
  </definition>
  <definition term="platform.streams.get_schema Elastic Stack: Planned">
    Returns the schema of a stream: mapped fields (own and inherited) with their types, and unmapped fields detected from recent documents.
  </definition>
  <definition term="platform.streams.get_data_quality Elastic Stack: Planned">
    Returns data quality metrics for a stream: degraded document percentage, failed document percentage, an overall quality indicator (good, degraded, or poor), and failure store status.
  </definition>
  <definition term="platform.streams.get_lifecycle_stats Elastic Stack: Planned">
    Returns lifecycle and storage statistics for a stream: effective retention policy and its source, total storage size, document count, and ILM tier breakdown.
  </definition>
  <definition term="platform.streams.query_documents Elastic Stack: Planned">
    Queries or aggregates data from a stream using a natural language description. The tool translates the description into an Elasticsearch query internally. Returns documents in flat dot-notation format or aggregation results.
  </definition>
  <definition term="platform.streams.get_failed_documents Elastic Stack: Planned">
    Retrieves documents from a stream's failure store with error details (error type, message, stack trace) and the original document that failed ingestion. Use this tool for root cause analysis when data quality issues are detected.
  </definition>
</definitions>


## Observability tools

Observability tools provide specialized capabilities for monitoring applications, infrastructure, and logs.
<definitions>
  <definition term="observability.get_alerts Elastic Stack: Generally available since 9.3">
    Retrieves Observability [alerts](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/solutions/observability/incident-management/alerting) within a specified time range, supporting filtering by status (active/recovered) and KQL queries.
  </definition>
  <definition term="observability.get_services Elastic Stack: Generally available since 9.3">
    Retrieves information about services being monitored in [APM](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/solutions/observability/apm).
  </definition>
  <definition term="observability.get_hosts Elastic Stack: Generally available since 9.3">
    Retrieves information about hosts being monitored in infrastructure monitoring.
  </definition>
  <definition term="observability.get_index_info Elastic Stack: Generally available since 9.3">
    Retrieves information about Observability indices and their fields. Supports operations for getting an overview of available data sources, listing fields that contain actual data, and retrieving distinct values or ranges for specific fields.
  </definition>
  <definition term="observability.get_trace_metrics Elastic Stack: Generally available since 9.3">
    Retrieves metrics and statistics for distributed traces.
    Supports sorting by `latency`, `failureRate`, or `throughput`, and returning average, p95, or p99 latency. <applies-to>Elastic Stack: Planned</applies-to>
  </definition>
  <definition term="observability.get_downstream_dependencies Elastic Stack: Planned for removal">
    Identifies downstream dependencies (other services, databases, external APIs) for a specific service to understand service topology and blast radius.
  </definition>
  <definition term="observability.get_service_topology Elastic Stack: Planned">
    Retrieves the service topology (dependency graph) for a service, including RED metrics (latency, throughput, and error rate) per connection.
  </definition>
  <definition term="observability.get_log_categories Elastic Stack: Planned for removal">
    Retrieves categorized log patterns to identify common log message types.
  </definition>
  <definition term="observability.get_log_groups Elastic Stack: Planned">
    Returns categorized log messages and exceptions from logs and spans, grouped by type (`spanException` for APM errors, `logException` for log exceptions).
  </definition>
  <definition term="observability.get_log_change_points Elastic Stack: Generally available since 9.3">
    Detects statistically significant changes in log patterns and volumes.
  </definition>
  <definition term="observability.get_metric_change_points Elastic Stack: Generally available since 9.3">
    Detects statistically significant changes in metrics across groups (for example, by service, host, or custom fields), identifying spikes, dips, step changes, and trend changes.
  </definition>
  <definition term="observability.get_correlated_logs Elastic Stack: Planned for removal">
    Finds logs that are correlated with a specific event or time period.
  </definition>
  <definition term="observability.get_traces Elastic Stack: Planned">
    Retrieves Observability documents (logs, transactions, spans, and errors) for one or more traces, grouped by trace ID.
  </definition>
  <definition term="observability.run_log_rate_analysis Elastic Stack: Generally available since 9.3">
    Analyzes log ingestion rates to identify anomalies and trends.
  </definition>
  <definition term="observability.get_anomaly_detection_jobs Elastic Stack: Generally available since 9.3">
    Retrieves Machine Learning [anomaly detection jobs](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/machine-learning/anomaly-detection) and their top anomaly records for investigating outliers and atypical behavior.
  </definition>
  <definition term="observability.get_logs Elastic Stack: Planned">
    Searches and filters logs, returning a histogram trend, total count, log samples, and message pattern categories in a single query.
  </definition>
  <definition term="observability.get_runtime_metrics Elastic Stack: Planned">
    Retrieves runtime metrics for services, including CPU usage, memory consumption, thread counts, and GC duration. Currently supports JVM (Java) metrics.
  </definition>
  <definition term="observability.get_trace_change_points Elastic Stack: Planned">
    Detects statistically significant change points in trace latency, throughput, and failure rate across groups (for example, by service, transaction, or host).
  </definition>
  <definition term="observability.get_apm_correlations Elastic Stack: Generally available since 9.3">
    Analyzes APM transaction correlations to identify which dimensions are most associated with slow or failed transactions. Use after identifying a high-latency or high-failure service to find which attributes (host, version, cloud region, and so on) are over-represented in slow or failed transactions. Requires a [Platinum license](https://www.elastic.co/subscriptions).
  </definition>
</definitions>


## Security tools

Security tools provide specialized capabilities for security monitoring, threat detection, and incident response.
<definitions>
  <definition term="security.alerts Elastic Stack: Generally available since 9.3">
    Searches and analyzes [security alerts](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/solutions/security/detect-and-alert/manage-detection-alerts) using full-text or structured queries for finding, counting, aggregating, or summarizing alerts.
  </definition>
  <definition term="">
    Retrieves [risk scores for entities](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/solutions/security/advanced-entity-analytics/entity-risk-scoring) (users, hosts, and services) to identify high-risk entities in the environment. This tool is only available when the risk score index exists in the current space. <applies-to>Elastic Stack: Planned</applies-to>
  </definition>
  <definition term="">
    Returns any related [attack discoveries](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/solutions/security/ai/attack-discovery) from the last week, given one or more alert IDs. Requires attack discovery to have been run at least once. <applies-to>Elastic Stack: Planned</applies-to>
  </definition>
  <definition term="security.security_labs_search">
    Searches [Elastic Security Labs](https://www.elastic.co/security-labs) research and threat intelligence content. To use this tool, search for **GenAI Settings** in the [global search field](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/find-and-organize/find-apps-and-objects) and install **Security labs** from the **Documentation** section. This takes a few minutes.
  </definition>
  <definition term="security.create_detection_rule Elastic Stack: Planned">
    Creates a security detection [rule](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/solutions/security/detect-and-alert/rule-types) from a natural language description, including ES|QL query generation, metadata, tags, and scheduling. Currently supports [ES|QL rules](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/solutions/security/detect-and-alert/esql) only. Form changes suggested in chat must be applied manually.
  </definition>
  <definition term="security.get_entity Elastic Stack: Planned">
    Retrieves an entity profile (user, host, service, or generic) from the Entity store by entity ID (EUID), including any alerts that contributed to its risk score. Requires the entity risk engine and entity store to be enabled.
  </definition>
  <definition term="security.search_entities Elastic Stack: Planned">
    Searches the Entity store for security entities (host, user, service, or generic), with filtering by risk score, asset criticality, entity attributes, and lifecycle timestamps. Use this tool when the entity ID (EUID) is not known; use `security.get_entity` when it is.
  </definition>
</definitions>


## Inline tools

Some [built-in skills](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/ai-features/agent-builder/builtin-skills-reference) include inline tools that are only available while that skill is active.
<tip>
  You can also manage tools programmatically. To learn more, refer to [Tools API](/elastic/docs-content/pull/5867/explore-analyze/ai-features/agent-builder/tools#tools-api).
</tip>


## Related pages

- [Tools in Elastic Agent Builder](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/ai-features/agent-builder/tools)
- [Custom ES|QL tools](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/ai-features/agent-builder/tools/esql-tools)
- [Custom index search tools](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5867/explore-analyze/ai-features/agent-builder/tools/index-search-tools)