Loading

Elastic Agent Builder built-in skills reference

This page lists all built-in skills available in Elastic Agent Builder. Skills give agents domain-specific knowledge and tools for common task types. Built-in skills are read-only: you can't modify or delete them.

Tip

For an overview of how skills work in Elastic Agent Builder, refer to Skills in Elastic Agent Builder.

Skills are solution-scoped: the set of available built-in skills depends on your deployment type. Platform skills are available across all deployments. Observability, Security, and Elasticsearch skills are available in their respective serverless projects or solution views.

Some skills are in technical preview or require an advanced setting or experimental feature flag to be turned on before they appear. These requirements are called out in each skill's entry.

Platform skills are available across all deployment types. They cover core capabilities such as visualizations, dashboards, cases, alerting rules, streams, significant events, and workflows.

visualization-creation

Creates standalone or reusable Lens visualizations from index and field context. Use when a user asks for a chart, metric, trend, or breakdown visualization, or wants to update an existing one.

graph-creation
Creates graph attachments by transforming relationship data into nodes and edges rendered inline in the conversation. Use for topology, dependency, or entity-link visualizations.
dashboard-management

Composes and updates in-memory Kibana dashboards. Use when a user asks to find, create, or modify a dashboard, add or remove panels, or edit existing panel visualizations.

discover-data-analysis

Analyzes ES|QL query results in Kibana Discover, identifying patterns, trends, and anomalies by running aggregation queries against the full dataset. The skill receives the current query, columns, sample rows, and time range as an attachment, then runs 2 to 3 focused aggregation queries, renders an inline visualization for the main finding, and proposes drill-down queries. When the active context-aware profile is logs, metrics, or traces, the skill receives shape-specific guidance. For example, it uses the ES|QL TS source command for time series metrics.

How to activate: Activates from the standard activation methods when the conversation is started from a Discover session tab that is in ES|QL mode and has loaded results. The current query, columns, sample rows, and time range are automatically attached to the conversation, so the agent has the context it needs to run the analysis. Refer to Analyze your data with AI for the full workflow.

agent-builder-traces

Answers questions about Elastic Agent Builder OpenTelemetry (OTel) traces and activity, including token usage, model and provider breakdowns, conversation and agent latency, tool-call volume, and error rates, and can help build dashboards from that trace data. The skill queries the Elastic Agent Builder OTel traces with ES|QL and is part of the default Elastic AI Agent.

Prerequisites: Controlled by the agentBuilder:tracing:enabled advanced setting, which is on by default.

cases-management

Manages investigation and incident cases across Elastic Security, Observability, and Stack Management. Covers creating, updating, searching, and enriching cases with comments, alerts, events, and observables such as indicators of compromise.

rule-management

Composes, discovers, and modifies alerting rules and action policies (notification policies) from within a conversation.

streams-management

Explores and manages Elasticsearch streams. Use when a user mentions streams, stream names such as logs.ecs or logs.otel, data quality, processing pipelines, or ingestion failures. The skill can inspect stream definitions, schema, quality, lifecycle, and documents, and can modify processing, retention, partitions, field mappings, the failure store, and descriptions. This skill replaces the earlier streams-exploration skill and adds the ability to modify stream configuration.

streams-exploration
Discovers, inspects, and queries Elasticsearch streams. Use when a user wants to list available streams, understand a stream's schema, check data quality or retention, or sample documents from a stream. This is a read-only skill: it cannot create, update, or delete streams or modify stream configuration. In 9.5, this skill is replaced by streams-management, which adds stream modification capabilities.
significant-events-management

Searches, creates, and updates significant events for Streams, with guidance to avoid duplicates and keep event lifecycle state accurate.

significant-events-onboarding

Interviews the user to build a mental model of their system for significant events analysis. Use when a user wants to describe their architecture, deployment infrastructure, observability setup, or other operational context that should be remembered for root cause analysis and remediation.

Prerequisites: Significant events memory must be enabled in the deployment.

knowledge-indicators-management

Discovers and manages Streams Knowledge Indicators (KIs). Searches existing indicators to avoid duplicates and creates feature or query KIs with built-in confirmation.

ki-identification-management

Starts, monitors, and cancels stream KI identification background tasks. Triggers KI identification, surfaces a tracking link to the Significant Events page, checks task status and results, and cancels in-progress runs.

streams-investigation-management

Triggers a root cause analysis workflow for an observability issue, significant event, or alert, checks the status of a running investigation, and summarizes the structured findings once complete. Use when a user asks to investigate an incident, error, or anomaly, optionally scoped to specific data streams.

streams-gap-detection

Audits the significant events memory knowledge base against a set of required knowledge dimensions and writes a structured gaps page that lists everything that is unknown, ambiguous, or missing.

Prerequisites: Significant events memory must be enabled in the deployment.

workflow-authoring

Provides Elastic Workflows knowledge and discovery, covering YAML syntax, Liquid templating, trigger event schemas, step and connector inspection, validation error debugging, and execution debugging. Use this skill when a user asks how workflows work, requests advanced syntax help, debugs an execution, or asks to inspect the step, connector, or example libraries. This skill is not required to create, edit, or run workflows: the agent calls the workflow generation and execution tools directly.

Prerequisites: Elastic Workflows enabled in the deployment, with the privileges required to create and run workflows.

Note

Without this skill, the agent can still check the status of a workflow execution and resume a paused workflow that is waiting for human input, using the platform.core.get_workflow_execution_status and platform.core.resume_workflow_execution tools. To trigger a specific workflow from a conversation, configure a workflow tool and assign it to the agent.

skill-authoring

Authors a new Elastic Agent Builder skill from a chat description. Use when a user asks to create, build, generate, or design a skill, capability, or expertise area for an agent.

connector-authoring

Sets up a Kibana connector from chat. Use when a user wants to add, connect, set up, or integrate an external system such as GitHub, Slack, PagerDuty, or Notion so the agent can act on it. Also use when a user mentions giving the agent access to a tool, repository, or data source, even if they do not use the word connector.

observability.investigation

Answers observability questions, lists and diagnoses observability alerts, and investigates service or infrastructure issues. Covers APM, logs, metrics, threshold, SLO burn rate, uptime and synthetics, and infrastructure alerts. Use when a user asks about alerts, service health, error rates, latency, failed transactions, topology, traces, log patterns, SLO breaches, or infrastructure issues.

observability.rca

Performs structured root cause analysis for incidents, outages, errors, and service degradations. Use when a user asks why something is broken, failing, or slow, when an alert fires or an SLA is breached, when they need to understand what happened during an outage or performance regression, or when they need to trace a cascading failure across services.

observability.service-map

Shows a service map when a user asks to see or visualize a service map, service topology, or service dependencies in an APM or observability context. Use for questions about how services connect or their upstream and downstream dependencies.

alert-analysis

Investigates Elastic Security alerts and recommends a disposition. Fetches alert context, finds related alerts that share entities (host.name, user.name, source.ip, destination.ip), correlates with Elastic Security Labs threat intelligence, and assesses entity risk. Use when investigating a specific alert, triaging alert queues, or understanding alert context.

Prerequisites: Entity risk scoring enabled so risk scores are available for involved hosts and users. To use threat intelligence correlation, install Security Labs documentation from GenAI Settings.

How to activate: In addition to the standard activation methods, this skill activates automatically when you attach an alert from the alert flyout in Elastic Security, which provides the alert context the skill needs.

entity-analytics

Finds and investigates security entities including hosts, users, services, and generic entities. Analyzes entity risk scores, asset criticality, and historical behavior, including signals from Security Machine Learning anomaly detection jobs. Use to discover risky entities or profile a specific entity by ID.

From 9.5, the skill can also list watchlists to discover watchlist names and members (security.list_watchlists) and set entity asset criticality (security.set_asset_criticality).

Prerequisites: Entity risk scoring enabled and the entity store populated.

Related skills: find-security-ml-jobs for deeper investigation of anomalies surfaced during entity analysis. manage-watchlists to create and modify watchlists.

entity-analytics-leads

Surfaces AI-generated investigation leads for security entities. Use when a user asks to review, list, show, triage, dismiss, or generate investigation leads, or wants to find proactive threat hunting opportunities surfaced from entity data.

Prerequisites: The leadGenerationEnabled Elastic Security experimental feature flag must be enabled.

manage-watchlists

Manages Entity Analytics watchlists. Creates, updates, and deletes watchlists and adds or removes entity membership. Resolves watchlist names to IDs by discovering existing watchlists. All mutating actions require explicit user confirmation before running. For read-only questions about which watchlists exist, the entity-analytics skill also applies.

Prerequisites: The entityAnalyticsWatchlistEnabled Elastic Security experimental feature flag must be enabled.

find-security-ml-jobs

Investigates atypical behavior detected by Machine Learning jobs, including unusual or first-time access patterns, access outside working hours, privileged accounts with unusual command patterns, logins from unexpected geographic locations, lateral movement, and large or unusual data transfers.

Prerequisites: Relevant Security Machine Learning jobs installed and running. For guidance, refer to Machine learning job and rule requirements.

threat-hunting

Runs hypothesis-driven threat hunts using iterative ES|QL exploration. Covers IOC search, anomaly identification, baseline behavioral comparison, lateral movement tracking, and converting hunt findings into actionable intelligence. Use when investigating suspected threats, running proactive hunts, or analyzing suspicious activity patterns.

detection-rule-edit

Creates and edits Elastic Security detection rules. Supports ES|QL rule type only. Use when a user asks to build a rule from natural language or edit rule fields such as severity, tags, MITRE ATT&CK mappings, schedule, or query.

Prerequisites: To ground rule drafting in threat research, install Security Labs documentation from GenAI Settings.

How to activate: This skill is attachment-driven and activates when a rule attachment is present in the conversation. You can start a rule attachment from the rule creation form, the rule details page, or by asking the agent to "create a detection rule" in chat. The skill creates the attachment and renders an Apply to creation or Update rule button so you can save the change to the rule form.

recommend-prebuilt-rules

Discovers and recommends Elastic prebuilt detection rules to install on the deployment. Handles install recommendations and browse or coverage questions about the installable catalog, filtered by tag, MITRE technique, rule type, integration, or keyword. This is a read-only skill.

Prerequisites: The dexAiSkillRecommendPrebuiltRules Elastic Security experimental feature flag must be enabled.

find-security-rules

Discovers, lists, ranks, and counts Elastic Security detection rules. Filters by tag, MITRE technique, severity, rule type, name, or enabled state. This is a read-only skill.

Prerequisites: The dexAiSkillFindRules Elastic Security experimental feature flag must be enabled.

pci-compliance

Runs PCI DSS v4.0.1 compliance assessments with violation detection, confidence scoring, data quality preflight checks, and visual audit reporting. Use when a user asks about PCI compliance, PCI DSS requirements, compliance audits, or cardholder data security.

Prerequisites: The pciComplianceAgentBuilder Elastic Security experimental feature flag must be enabled.

siem-readiness

Assesses SIEM readiness across four dimensions: coverage (data ingested per category), quality (ECS field compatibility), continuity (ingest pipeline health), and retention (data retention compliance). Use when a user asks about SIEM health, readiness, data coverage, pipeline failures, ECS quality, or retention compliance.

automatic_troubleshooting

Diagnoses Elastic Defend endpoint configuration issues such as endpoints not reporting, policy response failures, agent enrollment problems, or incompatible antivirus software. Queries endpoint data, inspects package configuration, and produces structured findings with specific endpoint IDs and remediation steps.

Prerequisites: Elastic Defend deployed and reporting.

In this version, the automaticTroubleshootingSkill experimental feature flag must be enabled for the skill to appear.

search.elasticsearch-onboarding
Guides developers through building a complete search experience on Elasticsearch, from understanding requirements and designing an index mapping to generating and testing API snippets in Dev Tools. Use for end-to-end onboarding rather than a single narrow API answer.
search.elasticsearch-tutorial
Runs a topic-driven, hands-on Elasticsearch tutorial in the Kibana Dev Console. Use when a user asks you to walk them through, teach, or give a tutorial on an Elasticsearch or Kibana search concept such as mappings, analyzers, bool queries, semantic_text, kNN, reciprocal rank fusion (RRF), aggregations, ingest pipelines, or ES|QL. Tutorials use sample data on isolated resources, present each step as a snippet to run in Dev Tools, and end with cleanup and pointers to documentation.
search.keyword-search
Guides agents through building keyword and full-text search solutions on Elasticsearch. Use for text matching, filters, faceted search, autocomplete, or traditional search functionality.
search.vector-hybrid-search
Guides agents through building vector search, hybrid search, and using Elasticsearch as a vector database. Covers semantic_text, dense_vector, embedding strategies, hybrid search that combines BM25 and kNN with reciprocal rank fusion (RRF), reranking, and production optimization. In 9.5, this skill consolidates the former search.hybrid-search, search.semantic-search, and search.vector-database skills.
search.hybrid-search
Guides agents through building hybrid search solutions that combine keyword and semantic search. In 9.5, this skill is consolidated into search.vector-hybrid-search.
search.semantic-search
Guides agents through building semantic and vector search solutions on Elasticsearch. In 9.5, this skill is consolidated into search.vector-hybrid-search.
search.vector-database
Guides agents through using Elasticsearch as a vector database. In 9.5, this skill is consolidated into search.vector-hybrid-search.
search.rag-chatbot
Guides agents through building retrieval-augmented generation (RAG) chatbots and question-and-answer systems on Elasticsearch. Use when a developer wants to build a chatbot, question-and-answer system, or AI assistant that answers questions from their own data.
search.catalog-ecommerce
Guides agents through building catalog and e-commerce search solutions on Elasticsearch. Use for product search, faceted navigation, autocomplete, "did you mean" suggestions, or shopping-oriented search experiences.
search.use-case-library
Presents a library of Elasticsearch use cases when users want to explore what they can build, need help identifying which category their project falls into, or are looking for inspiration. Covers product search, knowledge base search, AI assistants, recommendations, customer support, location-based search, log and event search, and vector database use cases.