﻿---
title: Elastic Agent Builder built-in skills reference
description: Reference of all built-in skills available in Elastic Agent Builder.
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/builtin-skills-reference
products:
  - Elastic Cloud Serverless
  - Elastic Observability
  - Elastic Security
  - Elasticsearch
  - Kibana
applies_to:
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available since 9.4
---

# Elastic Agent Builder built-in skills reference
This page lists all built-in skills available in Elastic Agent Builder. Skills give agents domain-specific knowledge and tools for common task types. Built-in skills are read-only: you can't modify or delete them.
<tip>
  For an overview of how skills work in Elastic Agent Builder, refer to [Skills in Elastic Agent Builder](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/skills).
</tip>


## Availability

Skills are solution-scoped: the set of available built-in skills depends on your deployment type. Platform skills are available across all deployments. Observability, Security, and Elasticsearch skills are available in their respective serverless projects or solution views.
Some skills are in technical preview or require an [advanced setting](https://docs-v3-preview.elastic.dev/elastic/kibana/tree/main/reference/advanced-settings#kibana-general-settings) or experimental feature flag to be turned on before they appear. These requirements are called out in each skill's entry.

## Platform skills

Platform skills are available across all deployment types. They cover core capabilities such as visualizations, dashboards, cases, alerting rules, streams, significant events, and workflows.

### Core skills

<definitions>
  <definition term="visualization-creation Elastic Stack: Generally available since 9.4">
    Creates standalone or reusable Lens visualizations from index and field context. Use when a user asks for a chart, metric, trend, or breakdown visualization, or wants to update an existing one.
    <dropdown title="Assigned tools">
      `platform.core.generate_esql`, `platform.core.execute_esql`, `platform.core.create_visualization`
    </dropdown>
  </definition>
  <definition term="graph-creation Elastic Stack: Generally available since 9.4">
    Creates graph attachments by transforming relationship data into nodes and edges rendered inline in the conversation. Use for topology, dependency, or entity-link visualizations.
  </definition>
  <definition term="dashboard-management Elastic Stack: Preview since 9.4 Elastic Cloud Serverless: Preview">
    Composes and updates in-memory Kibana dashboards. Use when a user asks to find, create, or modify a dashboard, add or remove panels, or edit existing panel visualizations.
    <dropdown title="Assigned tools">
      A skill-scoped inline tool for generating and updating dashboards.
    </dropdown>
  </definition>
  <definition term="discover-data-analysis Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Analyzes ES|QL query results in Kibana **Discover**, identifying patterns, trends, and anomalies by running aggregation queries against the full dataset. The skill receives the current query, columns, sample rows, and time range as an attachment, then runs 2 to 3 focused aggregation queries, renders an inline visualization for the main finding, and proposes drill-down queries. When the active [context-aware profile](/elastic/docs-content/pull/7255/explore-analyze/discover/discover-get-started#context-aware-discover) is logs, metrics, or traces, the skill receives shape-specific guidance. For example, it uses the ES|QL `TS` source command for time series metrics.
    <dropdown title="Assigned tools">
      `platform.core.generate_esql`, `platform.core.execute_esql`, `platform.core.search`, `platform.core.list_indices`, `platform.core.product_documentation`, `platform.core.create_visualization`
    </dropdown>
    **How to activate:** Activates from the [standard activation methods](/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/skills#how-skills-are-invoked) when the conversation is started from a Discover session tab that is in ES|QL mode and has loaded results. The current query, columns, sample rows, and time range are automatically attached to the conversation, so the agent has the context it needs to run the analysis. Refer to [Analyze your data with AI](/elastic/docs-content/pull/7255/explore-analyze/discover/discover-get-started#analyze-with-ai) for the full workflow.
  </definition>
  <definition term="agent-builder-traces Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Answers questions about Elastic Agent Builder OpenTelemetry (OTel) traces and activity, including token usage, model and provider breakdowns, conversation and agent latency, tool-call volume, and error rates, and can help build dashboards from that trace data. The skill queries the Elastic Agent Builder OTel traces with ES|QL and is part of the default Elastic AI Agent.
    <dropdown title="Assigned tools">
      `platform.core.execute_esql`, plus an internal ES|QL generation tool scoped to trace data.
    </dropdown>
    **Prerequisites:** Controlled by the `agentBuilder:tracing:enabled` [advanced setting](https://docs-v3-preview.elastic.dev/elastic/kibana/tree/main/reference/advanced-settings#kibana-general-settings), which is on by default.
  </definition>
</definitions>


### Cases and alerting

<definitions>
  <definition term="cases-management Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Manages investigation and incident cases across Elastic Security, Observability, and Stack Management. Covers creating, updating, searching, and enriching cases with comments, alerts, events, and observables such as indicators of compromise.
    <dropdown title="Assigned tools">
      `platform.core.cases`, `platform.core.cases.manage`, `platform.core.cases.attachments`, `platform.core.cases.observables`
    </dropdown>
  </definition>
  <definition term="rule-management Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Composes, discovers, and modifies alerting rules and action policies (notification policies) from within a conversation.
    <dropdown title="Assigned tools">
      `platform.alerting.manage_rule`, plus a skill-scoped inline tool for composing and modifying action policies (notification policies).
    </dropdown>
  </definition>
</definitions>


### Streams and significant events

<definitions>
  <definition term="streams-management Elastic Stack: Planned Elastic Cloud Serverless: Generally available">
    Explores and manages Elasticsearch streams. Use when a user mentions streams, stream names such as `logs.ecs` or `logs.otel`, data quality, processing pipelines, or ingestion failures. The skill can inspect stream definitions, schema, quality, lifecycle, and documents, and can modify processing, retention, partitions, field mappings, the failure store, and descriptions. This skill replaces the earlier `streams-exploration` skill and adds the ability to modify stream configuration.
    <dropdown title="Assigned tools">
      `platform.streams.inspect_streams`, `platform.streams.diagnose_stream`, `platform.streams.query_documents`, `platform.streams.design_pipeline`, `platform.streams.list_ilm_policies`, `platform.streams.update_stream`, `platform.streams.create_partition`, `platform.streams.delete_stream`
    </dropdown>
  </definition>
  <definition term="streams-exploration Elastic Stack: Planned for removal, Elastic Stack: Generally available in 9.4">
    Discovers, inspects, and queries Elasticsearch streams. Use when a user wants to list available streams, understand a stream's schema, check data quality or retention, or sample documents from a stream. This is a read-only skill: it cannot create, update, or delete streams or modify stream configuration. In 9.5, this skill is replaced by [`streams-management`](#agent-builder-streams-management-skill), which adds stream modification capabilities.
  </definition>
  <definition term="significant-events-management Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Searches, creates, and updates significant events for Streams, with guidance to avoid duplicates and keep event lifecycle state accurate.
    <dropdown title="Assigned tools">
      `platform.sig_events.event_search`, `platform.sig_events.event_create`, `platform.sig_events.event_status_update`
    </dropdown>
  </definition>
  <definition term="significant-events-onboarding Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Interviews the user to build a mental model of their system for significant events analysis. Use when a user wants to describe their architecture, deployment infrastructure, observability setup, or other operational context that should be remembered for root cause analysis and remediation.
    <dropdown title="Assigned tools">
      Significant events memory tools for reading, writing, and searching the significant events knowledge base.
    </dropdown>
    **Prerequisites:** Significant events memory must be enabled in the deployment.
  </definition>
  <definition term="knowledge-indicators-management Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Discovers and manages Streams Knowledge Indicators (KIs). Searches existing indicators to avoid duplicates and creates feature or query KIs with built-in confirmation.
    <dropdown title="Assigned tools">
      `platform.sig_events.ki_search`, `platform.sig_events.ki_feature_create`, `platform.sig_events.ki_query_create`
    </dropdown>
  </definition>
  <definition term="ki-identification-management Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Starts, monitors, and cancels stream KI identification background tasks. Triggers KI identification, surfaces a tracking link to the **Significant Events** page, checks task status and results, and cancels in-progress runs.
    <dropdown title="Assigned tools">
      Internal tools to start, check the status of, and cancel KI identification tasks.
    </dropdown>
  </definition>
  <definition term="streams-investigation-management Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Triggers a root cause analysis workflow for an observability issue, significant event, or alert, checks the status of a running investigation, and summarizes the structured findings once complete. Use when a user asks to investigate an incident, error, or anomaly, optionally scoped to specific data streams.
    <dropdown title="Assigned tools">
      `platform.core.execute_workflow`, `platform.core.get_workflow_execution_status`, `platform.core.generate_esql`, `platform.core.execute_esql`, `platform.sig_events.event_investigation_attach`
    </dropdown>
  </definition>
  <definition term="streams-gap-detection Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Audits the significant events memory knowledge base against a set of required knowledge dimensions and writes a structured gaps page that lists everything that is unknown, ambiguous, or missing.
    <dropdown title="Assigned tools">
      Significant events memory tools, `platform.sig_events.ki_search`, and `platform.streams.inspect_streams`.
    </dropdown>
    **Prerequisites:** Significant events memory must be enabled in the deployment.
  </definition>
</definitions>


### Workflows

<definitions>
  <definition term="workflow-authoring Elastic Stack: Preview in 9.4 Elastic Cloud Serverless: Generally available">
    Provides Elastic Workflows knowledge and discovery, covering YAML syntax, Liquid templating, trigger event schemas, step and connector inspection, validation error debugging, and execution debugging. Use this skill when a user asks how workflows work, requests advanced syntax help, debugs an execution, or asks to inspect the step, connector, or example libraries. This skill is not required to create, edit, or run workflows: the agent calls the workflow generation and execution tools directly.
    <dropdown title="Assigned tools">
      `platform.workflows.get_step_definitions`, `platform.workflows.get_trigger_definitions`, `platform.workflows.validate_workflow`, `platform.workflows.get_examples`, `platform.workflows.get_connectors`, `platform.workflows.workflow_execute_step`, `platform.core.generate_workflow`, `platform.core.execute_workflow`
    </dropdown>
    **Prerequisites:** [Elastic Workflows](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/workflows) enabled in the deployment, with the privileges required to create and run workflows.
    <dropdown title="Behavior in 9.4">
      In 9.4, this skill creates, modifies, and validates Elastic Workflows YAML definitions from natural language input. It covers step types, triggers, Liquid templating, connector integrations, and validation, and validates the generated or modified YAML before proposing the change so the user can accept or decline it. The `agentBuilder:experimentalFeatures` [advanced setting](https://docs-v3-preview.elastic.dev/elastic/kibana/tree/main/reference/advanced-settings#kibana-general-settings) must be turned on for the skill to appear. **Assigned tools:** lookup tools (`platform.workflows.get_step_definitions`, `platform.workflows.get_trigger_definitions`, `platform.workflows.get_examples`, `platform.workflows.get_connectors`, `platform.workflows.validate_workflow`) and edit tools (`platform.workflows.workflow_set_yaml`, `platform.workflows.workflow_insert_step`, `platform.workflows.workflow_modify_step`, `platform.workflows.workflow_modify_step_property`, `platform.workflows.workflow_modify_property`, `platform.workflows.workflow_delete_step`).
    </dropdown>
    <note>
      Without this skill, the agent can still check the status of a workflow execution and resume a paused workflow that is waiting for human input, using the [`platform.core.get_workflow_execution_status`](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference) and [`platform.core.resume_workflow_execution`](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference) tools. To trigger a specific workflow from a conversation, configure a [workflow tool](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/tools/workflow-tools) and assign it to the agent.
    </note>
  </definition>
</definitions>


### Agent and skill authoring

<definitions>
  <definition term="skill-authoring Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Authors a new Elastic Agent Builder skill from a chat description. Use when a user asks to create, build, generate, or design a skill, capability, or expertise area for an agent.
    <dropdown title="Assigned tools">
      Internal tools to list available tools and to propose or patch a skill definition.
    </dropdown>
  </definition>
  <definition term="connector-authoring Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Sets up a Kibana connector from chat. Use when a user wants to add, connect, set up, or integrate an external system such as GitHub, Slack, PagerDuty, or Notion so the agent can act on it. Also use when a user mentions giving the agent access to a tool, repository, or data source, even if they do not use the word connector.
    <dropdown title="Assigned tools">
      Internal tools to list connector types and to propose a connector.
    </dropdown>
  </definition>
</definitions>


## Observability skills

<applies-to>
  - Serverless Observability projects: Generally available
</applies-to>

<definitions>
  <definition term="observability.investigation Elastic Stack: Generally available since 9.4">
    Answers observability questions, lists and diagnoses observability alerts, and investigates service or infrastructure issues. Covers APM, logs, metrics, threshold, SLO burn rate, uptime and synthetics, and infrastructure alerts. Use when a user asks about alerts, service health, error rates, latency, failed transactions, topology, traces, log patterns, SLO breaches, or infrastructure issues.
    <dropdown title="Assigned tools">
      All [Observability tools](/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference#observability-tools).
    </dropdown>
  </definition>
  <definition term="observability.rca Elastic Stack: Preview since 9.4 Elastic Cloud Serverless: Preview">
    Performs structured root cause analysis for incidents, outages, errors, and service degradations. Use when a user asks why something is broken, failing, or slow, when an alert fires or an SLA is breached, when they need to understand what happened during an outage or performance regression, or when they need to trace a cascading failure across services.
    <dropdown title="Assigned tools">
      Observability log analysis tools, `platform.core.generate_esql`, `platform.core.execute_esql`, and significant events knowledge indicator search.
    </dropdown>
  </definition>
  <definition term="observability.service-map Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Shows a service map when a user asks to see or visualize a service map, service topology, or service dependencies in an APM or observability context. Use for questions about how services connect or their upstream and downstream dependencies.
    <dropdown title="Assigned tools">
      `observability.get_service_topology`, `observability.get_services`
    </dropdown>
  </definition>
</definitions>


## Security skills

<applies-to>
  - Serverless Security projects: Generally available
</applies-to>

<definitions>
  <definition term="alert-analysis Elastic Stack: Generally available since 9.4">
    Investigates Elastic Security alerts and recommends a disposition. Fetches alert context, finds related alerts that share entities (`host.name`, `user.name`, `source.ip`, `destination.ip`), correlates with Elastic Security Labs threat intelligence, and assesses entity risk. Use when investigating a specific alert, triaging alert queues, or understanding alert context.
    <dropdown title="Assigned tools">
      `security.alerts`, `security.security_labs_search`, `security.entity_risk_score`
    </dropdown>
    **Prerequisites:** [Entity risk scoring](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/solutions/security/advanced-entity-analytics/entity-risk-scoring) enabled so risk scores are available for involved hosts and users. To use threat intelligence correlation, install **Security Labs** documentation from [**GenAI Settings**](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/manage-access-to-ai-assistant).
    **How to activate:** In addition to the [standard activation methods](/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/skills#how-skills-are-invoked), this skill activates automatically when you attach an alert from the alert flyout in Elastic Security, which provides the alert context the skill needs.
  </definition>
  <definition term="entity-analytics Elastic Stack: Generally available since 9.4">
    Finds and investigates security entities including hosts, users, services, and generic entities. Analyzes entity risk scores, asset criticality, and historical behavior, including signals from Security Machine Learning anomaly detection jobs. Use to discover risky entities or profile a specific entity by ID.
    <dropdown title="Assigned tools">
      `security.get_entity`, `security.search_entities`
    </dropdown>
    <applies-to>Elastic Stack: Planned</applies-to> From 9.5, the skill can also list watchlists to discover watchlist names and members (`security.list_watchlists`) and set entity asset criticality (`security.set_asset_criticality`).
    **Prerequisites:** [Entity risk scoring](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/solutions/security/advanced-entity-analytics/entity-risk-scoring) enabled and the [entity store](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/solutions/security/advanced-entity-analytics/entity-store) populated.
    **Related skills:** [`find-security-ml-jobs`](#agent-builder-find-security-ml-jobs-skill) for deeper investigation of anomalies surfaced during entity analysis. [`manage-watchlists`](#agent-builder-manage-watchlists-skill) to create and modify watchlists.
  </definition>
  <definition term="entity-analytics-leads Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Surfaces AI-generated investigation leads for security entities. Use when a user asks to review, list, show, triage, dismiss, or generate investigation leads, or wants to find proactive threat hunting opportunities surfaced from entity data.
    <dropdown title="Assigned tools">
      `security.list_leads`, `security.generate_leads`, `security.dismiss_lead`
    </dropdown>
    **Prerequisites:** The `leadGenerationEnabled` Elastic Security [experimental feature flag](https://docs-v3-preview.elastic.dev/elastic/kibana/tree/main/reference/configuration-reference/security-solution-settings#experimental-features) must be enabled.
  </definition>
  <definition term="manage-watchlists Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Manages Entity Analytics watchlists. Creates, updates, and deletes watchlists and adds or removes entity membership. Resolves watchlist names to IDs by discovering existing watchlists. All mutating actions require explicit user confirmation before running. For read-only questions about which watchlists exist, the [`entity-analytics`](#agent-builder-entity-analytics-skill) skill also applies.
    <dropdown title="Assigned tools">
      `security.list_watchlists`, `security.create_watchlist`, `security.update_watchlist`, `security.delete_watchlist`, `security.add_entities_to_watchlist`, `security.remove_entities_from_watchlist`
    </dropdown>
    **Prerequisites:** The `entityAnalyticsWatchlistEnabled` Elastic Security [experimental feature flag](https://docs-v3-preview.elastic.dev/elastic/kibana/tree/main/reference/configuration-reference/security-solution-settings#experimental-features) must be enabled.
  </definition>
  <definition term="find-security-ml-jobs Elastic Stack: Generally available since 9.4">
    Investigates atypical behavior detected by Machine Learning jobs, including unusual or first-time access patterns, access outside working hours, privileged accounts with unusual command patterns, logins from unexpected geographic locations, lateral movement, and large or unusual data transfers.
    <dropdown title="Assigned tools">
      `platform.core.execute_esql`, `platform.core.generate_esql`, `security.get_entity`, plus internal tools to discover Security Machine Learning jobs.
    </dropdown>
    **Prerequisites:** Relevant Security Machine Learning jobs installed and running. For guidance, refer to [Machine learning job and rule requirements](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements).
  </definition>
  <definition term="threat-hunting Elastic Stack: Generally available since 9.4">
    Runs hypothesis-driven threat hunts using iterative ES|QL exploration. Covers IOC search, anomaly identification, baseline behavioral comparison, lateral movement tracking, and converting hunt findings into actionable intelligence. Use when investigating suspected threats, running proactive hunts, or analyzing suspicious activity patterns.
    <dropdown title="Assigned tools">
      `platform.core.generate_esql`, `platform.core.execute_esql`, `platform.core.search`, `platform.core.list_indices`, `platform.core.get_index_mapping`, `platform.core.cases`
    </dropdown>
  </definition>
  <definition term="detection-rule-edit Elastic Stack: Generally available since 9.4">
    Creates and edits Elastic Security detection rules. Supports ES|QL rule type only. Use when a user asks to build a rule from natural language or edit rule fields such as severity, tags, MITRE ATT&CK mappings, schedule, or query.
    <dropdown title="Assigned tools">
      `security.create_detection_rule`, `security.security_labs_search`, `platform.core.generate_esql`, `platform.core.product_documentation`
    </dropdown>
    **Prerequisites:** To ground rule drafting in threat research, install **Security Labs** documentation from [**GenAI Settings**](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/manage-access-to-ai-assistant).
    **How to activate:** This skill is attachment-driven and activates when a rule attachment is present in the conversation. You can start a rule attachment from the rule creation form, the rule details page, or by asking the agent to "create a detection rule" in chat. The skill creates the attachment and renders an **Apply to creation** or **Update rule** button so you can save the change to the rule form.
  </definition>
  <definition term="recommend-prebuilt-rules Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Discovers and recommends Elastic prebuilt detection rules to install on the deployment. Handles install recommendations and browse or coverage questions about the installable catalog, filtered by tag, MITRE technique, rule type, integration, or keyword. This is a read-only skill.
    <dropdown title="Assigned tools">
      Internal tools to find prebuilt rules, read the user data inventory, inspect the installable catalog, and check installed rule MITRE coverage.
    </dropdown>
    **Prerequisites:** The `dexAiSkillRecommendPrebuiltRules` Elastic Security [experimental feature flag](https://docs-v3-preview.elastic.dev/elastic/kibana/tree/main/reference/configuration-reference/security-solution-settings#experimental-features) must be enabled.
  </definition>
  <definition term="find-security-rules Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Discovers, lists, ranks, and counts Elastic Security detection rules. Filters by tag, MITRE technique, severity, rule type, name, or enabled state. This is a read-only skill.
    <dropdown title="Assigned tools">
      `security.alerts`, plus internal tools to find rules and discover rule tags.
    </dropdown>
    **Prerequisites:** The `dexAiSkillFindRules` Elastic Security [experimental feature flag](https://docs-v3-preview.elastic.dev/elastic/kibana/tree/main/reference/configuration-reference/security-solution-settings#experimental-features) must be enabled.
  </definition>
  <definition term="pci-compliance Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Runs PCI DSS v4.0.1 compliance assessments with violation detection, confidence scoring, data quality preflight checks, and visual audit reporting. Use when a user asks about PCI compliance, PCI DSS requirements, compliance audits, or cardholder data security.
    <dropdown title="Assigned tools">
      `security.pci_scope_discovery`, `security.pci_compliance`, `security.pci_field_mapper`, `platform.core.generate_esql`, `platform.core.execute_esql`
    </dropdown>
    **Prerequisites:** The `pciComplianceAgentBuilder` Elastic Security [experimental feature flag](https://docs-v3-preview.elastic.dev/elastic/kibana/tree/main/reference/configuration-reference/security-solution-settings#experimental-features) must be enabled.
  </definition>
  <definition term="siem-readiness Elastic Stack: Planned Elastic Cloud Serverless: Preview">
    Assesses SIEM readiness across four dimensions: coverage (data ingested per category), quality (ECS field compatibility), continuity (ingest pipeline health), and retention (data retention compliance). Use when a user asks about SIEM health, readiness, data coverage, pipeline failures, ECS quality, or retention compliance.
    <dropdown title="Assigned tools">
      `security.siem_readiness.get_coverage`, `security.siem_readiness.get_quality`, `security.siem_readiness.get_continuity`, `security.siem_readiness.get_retention`
    </dropdown>
  </definition>
  <definition term="automatic_troubleshooting Elastic Stack: Preview in 9.4 Elastic Cloud Serverless: Generally available">
    Diagnoses [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/solutions/security/configure-elastic-defend) endpoint configuration issues such as endpoints not reporting, policy response failures, agent enrollment problems, or incompatible antivirus software. Queries endpoint data, inspects package configuration, and produces structured findings with specific endpoint IDs and remediation steps.
    <dropdown title="Assigned tools">
      `platform.core.search`, `platform.core.get_document_by_id`, `platform.core.integration_knowledge`
    </dropdown>
    **Prerequisites:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/solutions/security/configure-elastic-defend) deployed and reporting.
    <applies-to>Elastic Stack: Preview in 9.4</applies-to> In this version, the `automaticTroubleshootingSkill` [experimental feature flag](https://docs-v3-preview.elastic.dev/elastic/kibana/tree/main/reference/configuration-reference/security-solution-settings#experimental-features) must be enabled for the skill to appear.
  </definition>
</definitions>


## Elasticsearch skills

<applies-to>
  - Serverless Elasticsearch projects: Generally available
</applies-to>

<definitions>
  <definition term="search.elasticsearch-onboarding Elastic Stack: Generally available since 9.4">
    Guides developers through building a complete search experience on Elasticsearch, from understanding requirements and designing an index mapping to generating and testing API snippets in Dev Tools. Use for end-to-end onboarding rather than a single narrow API answer.
  </definition>
  <definition term="search.elasticsearch-tutorial Elastic Stack: Planned">
    Runs a topic-driven, hands-on Elasticsearch tutorial in the Kibana Dev Console. Use when a user asks you to walk them through, teach, or give a tutorial on an Elasticsearch or Kibana search concept such as mappings, analyzers, bool queries, `semantic_text`, kNN, reciprocal rank fusion (RRF), aggregations, ingest pipelines, or ES|QL. Tutorials use sample data on isolated resources, present each step as a snippet to run in Dev Tools, and end with cleanup and pointers to documentation.
  </definition>
  <definition term="search.keyword-search Elastic Stack: Generally available since 9.4">
    Guides agents through building keyword and full-text search solutions on Elasticsearch. Use for text matching, filters, faceted search, autocomplete, or traditional search functionality.
  </definition>
  <definition term="search.vector-hybrid-search Elastic Stack: Planned">
    Guides agents through building vector search, hybrid search, and using Elasticsearch as a vector database. Covers `semantic_text`, `dense_vector`, embedding strategies, hybrid search that combines BM25 and kNN with reciprocal rank fusion (RRF), reranking, and production optimization. In 9.5, this skill consolidates the former `search.hybrid-search`, `search.semantic-search`, and `search.vector-database` skills.
  </definition>
  <definition term="search.hybrid-search Elastic Stack: Planned for removal, Elastic Stack: Generally available in 9.4">
    Guides agents through building hybrid search solutions that combine keyword and semantic search. In 9.5, this skill is consolidated into [`search.vector-hybrid-search`](#agent-builder-search-vector-hybrid-search-skill).
  </definition>
  <definition term="search.semantic-search Elastic Stack: Planned for removal, Elastic Stack: Generally available in 9.4">
    Guides agents through building semantic and vector search solutions on Elasticsearch. In 9.5, this skill is consolidated into [`search.vector-hybrid-search`](#agent-builder-search-vector-hybrid-search-skill).
  </definition>
  <definition term="search.vector-database Elastic Stack: Planned for removal, Elastic Stack: Generally available in 9.4">
    Guides agents through using Elasticsearch as a vector database. In 9.5, this skill is consolidated into [`search.vector-hybrid-search`](#agent-builder-search-vector-hybrid-search-skill).
  </definition>
  <definition term="search.rag-chatbot Elastic Stack: Generally available since 9.4">
    Guides agents through building retrieval-augmented generation (RAG) chatbots and question-and-answer systems on Elasticsearch. Use when a developer wants to build a chatbot, question-and-answer system, or AI assistant that answers questions from their own data.
  </definition>
  <definition term="search.catalog-ecommerce Elastic Stack: Generally available since 9.4">
    Guides agents through building catalog and e-commerce search solutions on Elasticsearch. Use for product search, faceted navigation, autocomplete, "did you mean" suggestions, or shopping-oriented search experiences.
  </definition>
  <definition term="search.use-case-library Elastic Stack: Generally available since 9.4">
    Presents a library of Elasticsearch use cases when users want to explore what they can build, need help identifying which category their project falls into, or are looking for inspiration. Covers product search, knowledge base search, AI assistants, recommendations, customer support, location-based search, log and event search, and vector database use cases.
  </definition>
</definitions>


## Related pages

- [Skills in Elastic Agent Builder](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/skills)
- [Custom skills](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/custom-skills)
- [Skill creation guidelines](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/skill-creation-guidelines)
- [Tools in Elastic Agent Builder](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/tools)
- [Built-in tools reference](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference)
- [Custom agents](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/7255/explore-analyze/ai-features/agent-builder/custom-agents)