Elastic Agent Builder built-in skills reference
This page lists all built-in skills available in Elastic Agent Builder. Skills give agents domain-specific knowledge and tools for common task types. Built-in skills are read-only: you can't modify or delete them.
For an overview of how skills work in Elastic Agent Builder, refer to Skills in Elastic Agent Builder.
Skills are solution-scoped: the set of available built-in skills depends on your deployment type. Platform skills are available across all deployments. Observability, Security, and Elasticsearch skills are available in their respective serverless projects or solution views.
Some skills are in technical preview or require an advanced setting or experimental feature flag to be turned on before they appear. These requirements are called out in each skill's entry.
Platform skills are available across all deployment types. They cover core capabilities such as visualizations, dashboards, cases, alerting rules, streams, significant events, and workflows.
-
visualization-creation -
Creates standalone or reusable Lens visualizations from index and field context. Use when a user asks for a chart, metric, trend, or breakdown visualization, or wants to update an existing one.
Assigned toolsplatform.core.generate_esql,platform.core.execute_esql,platform.core.create_visualization -
graph-creation - Creates graph attachments by transforming relationship data into nodes and edges rendered inline in the conversation. Use for topology, dependency, or entity-link visualizations.
-
dashboard-management -
Composes and updates in-memory Kibana dashboards. Use when a user asks to find, create, or modify a dashboard, add or remove panels, or edit existing panel visualizations.
Assigned toolsA skill-scoped inline tool for generating and updating dashboards.
-
discover-data-analysis -
Analyzes ES|QL query results in Kibana Discover, identifying patterns, trends, and anomalies by running aggregation queries against the full dataset. The skill receives the current query, columns, sample rows, and time range as an attachment, then runs 2 to 3 focused aggregation queries, renders an inline visualization for the main finding, and proposes drill-down queries. When the active context-aware profile is logs, metrics, or traces, the skill receives shape-specific guidance. For example, it uses the ES|QL
TSsource command for time series metrics.Assigned toolsplatform.core.generate_esql,platform.core.execute_esql,platform.core.search,platform.core.list_indices,platform.core.product_documentation,platform.core.create_visualizationHow to activate: Activates from the standard activation methods when the conversation is started from a Discover session tab that is in ES|QL mode and has loaded results. The current query, columns, sample rows, and time range are automatically attached to the conversation, so the agent has the context it needs to run the analysis. Refer to Analyze your data with AI for the full workflow.
-
agent-builder-traces -
Answers questions about Elastic Agent Builder OpenTelemetry (OTel) traces and activity, including token usage, model and provider breakdowns, conversation and agent latency, tool-call volume, and error rates, and can help build dashboards from that trace data. The skill queries the Elastic Agent Builder OTel traces with ES|QL and is part of the default Elastic AI Agent.
Assigned toolsplatform.core.execute_esql, plus an internal ES|QL generation tool scoped to trace data.Prerequisites: Controlled by the
agentBuilder:tracing:enabledadvanced setting, which is on by default.
-
cases-management -
Manages investigation and incident cases across Elastic Security, Observability, and Stack Management. Covers creating, updating, searching, and enriching cases with comments, alerts, events, and observables such as indicators of compromise.
Assigned toolsplatform.core.cases,platform.core.cases.manage,platform.core.cases.attachments,platform.core.cases.observables -
rule-management -
Composes, discovers, and modifies alerting rules and action policies (notification policies) from within a conversation.
Assigned toolsplatform.alerting.manage_rule, plus a skill-scoped inline tool for composing and modifying action policies (notification policies).
-
streams-management -
Explores and manages Elasticsearch streams. Use when a user mentions streams, stream names such as
logs.ecsorlogs.otel, data quality, processing pipelines, or ingestion failures. The skill can inspect stream definitions, schema, quality, lifecycle, and documents, and can modify processing, retention, partitions, field mappings, the failure store, and descriptions. This skill replaces the earlierstreams-explorationskill and adds the ability to modify stream configuration.Assigned toolsplatform.streams.inspect_streams,platform.streams.diagnose_stream,platform.streams.query_documents,platform.streams.design_pipeline,platform.streams.list_ilm_policies,platform.streams.update_stream,platform.streams.create_partition,platform.streams.delete_stream -
streams-exploration - Discovers, inspects, and queries Elasticsearch streams. Use when a user wants to list available streams, understand a stream's schema, check data quality or retention, or sample documents from a stream. This is a read-only skill: it cannot create, update, or delete streams or modify stream configuration. In 9.5, this skill is replaced by
streams-management, which adds stream modification capabilities. -
significant-events-management -
Searches, creates, and updates significant events for Streams, with guidance to avoid duplicates and keep event lifecycle state accurate.
Assigned toolsplatform.sig_events.event_search,platform.sig_events.event_create,platform.sig_events.event_status_update -
significant-events-onboarding -
Interviews the user to build a mental model of their system for significant events analysis. Use when a user wants to describe their architecture, deployment infrastructure, observability setup, or other operational context that should be remembered for root cause analysis and remediation.
Assigned toolsSignificant events memory tools for reading, writing, and searching the significant events knowledge base.
Prerequisites: Significant events memory must be enabled in the deployment.
-
knowledge-indicators-management -
Discovers and manages Streams Knowledge Indicators (KIs). Searches existing indicators to avoid duplicates and creates feature or query KIs with built-in confirmation.
Assigned toolsplatform.sig_events.ki_search,platform.sig_events.ki_feature_create,platform.sig_events.ki_query_create -
ki-identification-management -
Starts, monitors, and cancels stream KI identification background tasks. Triggers KI identification, surfaces a tracking link to the Significant Events page, checks task status and results, and cancels in-progress runs.
Assigned toolsInternal tools to start, check the status of, and cancel KI identification tasks.
-
streams-investigation-management -
Triggers a root cause analysis workflow for an observability issue, significant event, or alert, checks the status of a running investigation, and summarizes the structured findings once complete. Use when a user asks to investigate an incident, error, or anomaly, optionally scoped to specific data streams.
Assigned toolsplatform.core.execute_workflow,platform.core.get_workflow_execution_status,platform.core.generate_esql,platform.core.execute_esql,platform.sig_events.event_investigation_attach -
streams-gap-detection -
Audits the significant events memory knowledge base against a set of required knowledge dimensions and writes a structured gaps page that lists everything that is unknown, ambiguous, or missing.
Assigned toolsSignificant events memory tools,
platform.sig_events.ki_search, andplatform.streams.inspect_streams.Prerequisites: Significant events memory must be enabled in the deployment.
-
workflow-authoring -
Provides Elastic Workflows knowledge and discovery, covering YAML syntax, Liquid templating, trigger event schemas, step and connector inspection, validation error debugging, and execution debugging. Use this skill when a user asks how workflows work, requests advanced syntax help, debugs an execution, or asks to inspect the step, connector, or example libraries. This skill is not required to create, edit, or run workflows: the agent calls the workflow generation and execution tools directly.
Assigned toolsplatform.workflows.get_step_definitions,platform.workflows.get_trigger_definitions,platform.workflows.validate_workflow,platform.workflows.get_examples,platform.workflows.get_connectors,platform.workflows.workflow_execute_step,platform.core.generate_workflow,platform.core.execute_workflowPrerequisites: Elastic Workflows enabled in the deployment, with the privileges required to create and run workflows.
Behavior in 9.4In 9.4, this skill creates, modifies, and validates Elastic Workflows YAML definitions from natural language input. It covers step types, triggers, Liquid templating, connector integrations, and validation, and validates the generated or modified YAML before proposing the change so the user can accept or decline it. The
agentBuilder:experimentalFeaturesadvanced setting must be turned on for the skill to appear. Assigned tools: lookup tools (platform.workflows.get_step_definitions,platform.workflows.get_trigger_definitions,platform.workflows.get_examples,platform.workflows.get_connectors,platform.workflows.validate_workflow) and edit tools (platform.workflows.workflow_set_yaml,platform.workflows.workflow_insert_step,platform.workflows.workflow_modify_step,platform.workflows.workflow_modify_step_property,platform.workflows.workflow_modify_property,platform.workflows.workflow_delete_step).NoteWithout this skill, the agent can still check the status of a workflow execution and resume a paused workflow that is waiting for human input, using the
platform.core.get_workflow_execution_statusandplatform.core.resume_workflow_executiontools. To trigger a specific workflow from a conversation, configure a workflow tool and assign it to the agent.
-
skill-authoring -
Authors a new Elastic Agent Builder skill from a chat description. Use when a user asks to create, build, generate, or design a skill, capability, or expertise area for an agent.
Assigned toolsInternal tools to list available tools and to propose or patch a skill definition.
-
connector-authoring -
Sets up a Kibana connector from chat. Use when a user wants to add, connect, set up, or integrate an external system such as GitHub, Slack, PagerDuty, or Notion so the agent can act on it. Also use when a user mentions giving the agent access to a tool, repository, or data source, even if they do not use the word connector.
Assigned toolsInternal tools to list connector types and to propose a connector.
-
observability.investigation -
Answers observability questions, lists and diagnoses observability alerts, and investigates service or infrastructure issues. Covers APM, logs, metrics, threshold, SLO burn rate, uptime and synthetics, and infrastructure alerts. Use when a user asks about alerts, service health, error rates, latency, failed transactions, topology, traces, log patterns, SLO breaches, or infrastructure issues.
Assigned toolsAll Observability tools.
-
observability.rca -
Performs structured root cause analysis for incidents, outages, errors, and service degradations. Use when a user asks why something is broken, failing, or slow, when an alert fires or an SLA is breached, when they need to understand what happened during an outage or performance regression, or when they need to trace a cascading failure across services.
Assigned toolsObservability log analysis tools,
platform.core.generate_esql,platform.core.execute_esql, and significant events knowledge indicator search. -
observability.service-map -
Shows a service map when a user asks to see or visualize a service map, service topology, or service dependencies in an APM or observability context. Use for questions about how services connect or their upstream and downstream dependencies.
Assigned toolsobservability.get_service_topology,observability.get_services
-
alert-analysis -
Investigates Elastic Security alerts and recommends a disposition. Fetches alert context, finds related alerts that share entities (
host.name,user.name,source.ip,destination.ip), correlates with Elastic Security Labs threat intelligence, and assesses entity risk. Use when investigating a specific alert, triaging alert queues, or understanding alert context.Assigned toolssecurity.alerts,security.security_labs_search,security.entity_risk_scorePrerequisites: Entity risk scoring enabled so risk scores are available for involved hosts and users. To use threat intelligence correlation, install Security Labs documentation from GenAI Settings.
How to activate: In addition to the standard activation methods, this skill activates automatically when you attach an alert from the alert flyout in Elastic Security, which provides the alert context the skill needs.
-
entity-analytics -
Finds and investigates security entities including hosts, users, services, and generic entities. Analyzes entity risk scores, asset criticality, and historical behavior, including signals from Security Machine Learning anomaly detection jobs. Use to discover risky entities or profile a specific entity by ID.
Assigned toolssecurity.get_entity,security.search_entitiesFrom 9.5, the skill can also list watchlists to discover watchlist names and members ( security.list_watchlists) and set entity asset criticality (security.set_asset_criticality).Prerequisites: Entity risk scoring enabled and the entity store populated.
Related skills:
find-security-ml-jobsfor deeper investigation of anomalies surfaced during entity analysis.manage-watchliststo create and modify watchlists. -
entity-analytics-leads -
Surfaces AI-generated investigation leads for security entities. Use when a user asks to review, list, show, triage, dismiss, or generate investigation leads, or wants to find proactive threat hunting opportunities surfaced from entity data.
Assigned toolssecurity.list_leads,security.generate_leads,security.dismiss_leadPrerequisites: The
leadGenerationEnabledElastic Security experimental feature flag must be enabled. -
manage-watchlists -
Manages Entity Analytics watchlists. Creates, updates, and deletes watchlists and adds or removes entity membership. Resolves watchlist names to IDs by discovering existing watchlists. All mutating actions require explicit user confirmation before running. For read-only questions about which watchlists exist, the
entity-analyticsskill also applies.Assigned toolssecurity.list_watchlists,security.create_watchlist,security.update_watchlist,security.delete_watchlist,security.add_entities_to_watchlist,security.remove_entities_from_watchlistPrerequisites: The
entityAnalyticsWatchlistEnabledElastic Security experimental feature flag must be enabled. -
find-security-ml-jobs -
Investigates atypical behavior detected by Machine Learning jobs, including unusual or first-time access patterns, access outside working hours, privileged accounts with unusual command patterns, logins from unexpected geographic locations, lateral movement, and large or unusual data transfers.
Assigned toolsplatform.core.execute_esql,platform.core.generate_esql,security.get_entity, plus internal tools to discover Security Machine Learning jobs.Prerequisites: Relevant Security Machine Learning jobs installed and running. For guidance, refer to Machine learning job and rule requirements.
-
threat-hunting -
Runs hypothesis-driven threat hunts using iterative ES|QL exploration. Covers IOC search, anomaly identification, baseline behavioral comparison, lateral movement tracking, and converting hunt findings into actionable intelligence. Use when investigating suspected threats, running proactive hunts, or analyzing suspicious activity patterns.
Assigned toolsplatform.core.generate_esql,platform.core.execute_esql,platform.core.search,platform.core.list_indices,platform.core.get_index_mapping,platform.core.cases -
detection-rule-edit -
Creates and edits Elastic Security detection rules. Supports ES|QL rule type only. Use when a user asks to build a rule from natural language or edit rule fields such as severity, tags, MITRE ATT&CK mappings, schedule, or query.
Assigned toolssecurity.create_detection_rule,security.security_labs_search,platform.core.generate_esql,platform.core.product_documentationPrerequisites: To ground rule drafting in threat research, install Security Labs documentation from GenAI Settings.
How to activate: This skill is attachment-driven and activates when a rule attachment is present in the conversation. You can start a rule attachment from the rule creation form, the rule details page, or by asking the agent to "create a detection rule" in chat. The skill creates the attachment and renders an Apply to creation or Update rule button so you can save the change to the rule form.
-
recommend-prebuilt-rules -
Discovers and recommends Elastic prebuilt detection rules to install on the deployment. Handles install recommendations and browse or coverage questions about the installable catalog, filtered by tag, MITRE technique, rule type, integration, or keyword. This is a read-only skill.
Assigned toolsInternal tools to find prebuilt rules, read the user data inventory, inspect the installable catalog, and check installed rule MITRE coverage.
Prerequisites: The
dexAiSkillRecommendPrebuiltRulesElastic Security experimental feature flag must be enabled. -
find-security-rules -
Discovers, lists, ranks, and counts Elastic Security detection rules. Filters by tag, MITRE technique, severity, rule type, name, or enabled state. This is a read-only skill.
Assigned toolssecurity.alerts, plus internal tools to find rules and discover rule tags.Prerequisites: The
dexAiSkillFindRulesElastic Security experimental feature flag must be enabled. -
pci-compliance -
Runs PCI DSS v4.0.1 compliance assessments with violation detection, confidence scoring, data quality preflight checks, and visual audit reporting. Use when a user asks about PCI compliance, PCI DSS requirements, compliance audits, or cardholder data security.
Assigned toolssecurity.pci_scope_discovery,security.pci_compliance,security.pci_field_mapper,platform.core.generate_esql,platform.core.execute_esqlPrerequisites: The
pciComplianceAgentBuilderElastic Security experimental feature flag must be enabled. -
siem-readiness -
Assesses SIEM readiness across four dimensions: coverage (data ingested per category), quality (ECS field compatibility), continuity (ingest pipeline health), and retention (data retention compliance). Use when a user asks about SIEM health, readiness, data coverage, pipeline failures, ECS quality, or retention compliance.
Assigned toolssecurity.siem_readiness.get_coverage,security.siem_readiness.get_quality,security.siem_readiness.get_continuity,security.siem_readiness.get_retention -
automatic_troubleshooting -
Diagnoses Elastic Defend endpoint configuration issues such as endpoints not reporting, policy response failures, agent enrollment problems, or incompatible antivirus software. Queries endpoint data, inspects package configuration, and produces structured findings with specific endpoint IDs and remediation steps.
Assigned toolsplatform.core.search,platform.core.get_document_by_id,platform.core.integration_knowledgePrerequisites: Elastic Defend deployed and reporting.
In this version, the automaticTroubleshootingSkillexperimental feature flag must be enabled for the skill to appear.
-
search.elasticsearch-onboarding - Guides developers through building a complete search experience on Elasticsearch, from understanding requirements and designing an index mapping to generating and testing API snippets in Dev Tools. Use for end-to-end onboarding rather than a single narrow API answer.
-
search.elasticsearch-tutorial - Runs a topic-driven, hands-on Elasticsearch tutorial in the Kibana Dev Console. Use when a user asks you to walk them through, teach, or give a tutorial on an Elasticsearch or Kibana search concept such as mappings, analyzers, bool queries,
semantic_text, kNN, reciprocal rank fusion (RRF), aggregations, ingest pipelines, or ES|QL. Tutorials use sample data on isolated resources, present each step as a snippet to run in Dev Tools, and end with cleanup and pointers to documentation. -
search.keyword-search - Guides agents through building keyword and full-text search solutions on Elasticsearch. Use for text matching, filters, faceted search, autocomplete, or traditional search functionality.
-
search.vector-hybrid-search - Guides agents through building vector search, hybrid search, and using Elasticsearch as a vector database. Covers
semantic_text,dense_vector, embedding strategies, hybrid search that combines BM25 and kNN with reciprocal rank fusion (RRF), reranking, and production optimization. In 9.5, this skill consolidates the formersearch.hybrid-search,search.semantic-search, andsearch.vector-databaseskills. -
search.hybrid-search - Guides agents through building hybrid search solutions that combine keyword and semantic search. In 9.5, this skill is consolidated into
search.vector-hybrid-search. -
search.semantic-search - Guides agents through building semantic and vector search solutions on Elasticsearch. In 9.5, this skill is consolidated into
search.vector-hybrid-search. -
search.vector-database - Guides agents through using Elasticsearch as a vector database. In 9.5, this skill is consolidated into
search.vector-hybrid-search. -
search.rag-chatbot - Guides agents through building retrieval-augmented generation (RAG) chatbots and question-and-answer systems on Elasticsearch. Use when a developer wants to build a chatbot, question-and-answer system, or AI assistant that answers questions from their own data.
-
search.catalog-ecommerce - Guides agents through building catalog and e-commerce search solutions on Elasticsearch. Use for product search, faceted navigation, autocomplete, "did you mean" suggestions, or shopping-oriented search experiences.
-
search.use-case-library - Presents a library of Elasticsearch use cases when users want to explore what they can build, need help identifying which category their project falls into, or are looking for inspiration. Covers product search, knowledge base search, AI assistants, recommendations, customer support, location-based search, log and event search, and vector database use cases.