Loading

Elastic Agent Builder built-in tools reference

This page lists all built-in tools available in Elastic Agent Builder, grouped by namespace. Built-in tools are read-only: you can't modify or delete them.

Platform tools are available across all deployments. Observability and security tools are scoped to their respective solutions. Tool prefixes (platform.core, platform.streams, platform.sig_events, platform.workflows, observability, security) reflect this scoping.

Some tools are in technical preview or require a license, an advanced setting, or an experimental feature flag before they become available. These requirements are called out in each tool's entry.

Built-in agents are pre-configured with relevant tools. You can also assign any available built-in tool to custom agents you create.

Tip

For an overview of how tools work in Elastic Agent Builder, refer to the Tools overview.

Platform tools are available across all deployments and serverless projects. They use the platform.* namespaces.

Platform core tools provide fundamental capabilities for interacting with Elasticsearch data, executing queries, and working with indices. They are relevant to many use cases.

platform.core.execute_esql
Executes an ES|QL query and returns the results in a tabular format. Custom ES|QL tools execute their queries directly, so this tool is only needed for running arbitrary queries, such as those generated by generate_esql or provided by the user.
platform.core.generate_esql
Generates an ES|QL query from a natural language query.
platform.core.get_document_by_id
Retrieves the full content of an Elasticsearch document based on its ID and index name.
platform.core.get_index_mapping
Retrieves mappings for the specified index or indices.
platform.core.index_explorer
Lists relevant indices and corresponding mappings based on a natural language query.
platform.core.list_indices
Lists the indices, aliases, and data streams in the Elasticsearch cluster the current user has access to.
platform.core.search
Searches Elasticsearch data using natural language, automatically selecting between query DSL and ES|QL based on the query intent.
platform.core.product_documentation
Searches and retrieves documentation about Elastic products. To use this tool, search for GenAI Settings in the global search field and install Elastic documentation from the Documentation section. This takes a few minutes.
platform.core.integration_knowledge
Searches and retrieves knowledge from Fleet-installed integrations, including information on how to configure and use integrations for data ingestion.
platform.core.create_visualization
Creates or updates a visualization configuration based on a natural language description.
platform.core.execute_connector_sub_action

Runs a single sub-action on a saved Kibana connector (for example, sending an email or creating an issue), given a connector ID, sub-action name, and parameters. This lets an agent act on external systems without a dedicated workflow tool for each connector.

Prerequisites: The agentBuilder:experimentalFeatures advanced setting must be turned on.

These platform core tools let agents run and track Elastic Workflows. For the tools that inspect workflow syntax and definitions, refer to Workflows tools.

platform.core.get_workflow_execution_status
Retrieves the status and, if available, the final output of an Elastic Workflows execution from its execution ID.
platform.core.resume_workflow_execution
Resumes an Elastic Workflows execution that is paused at a waitForInput step, providing the reviewer's input to the workflow so it can continue.
platform.core.generate_workflow
Generates or updates an Elastic Workflows definition from a natural language description, delegating to a specialized workflow-authoring agent that knows workflow syntax, step types, and available connectors.
platform.core.execute_workflow
Executes an Elastic Workflows definition, given a saved workflow ID, inline YAML for an ephemeral run, or a workflow YAML attachment.
platform.core.list_workflow_executions
Lists recent Elastic Workflows executions in the current space, most recent first, so you can find an execution ID to pass to get_workflow_execution_status.

Cases tools search and manage cases for tracking and managing issues. Access follows the current user's Cases privileges.

platform.core.cases
Searches and retrieves cases.
platform.core.cases.manage
Creates, updates, deletes, and assigns cases, and manages their tags and custom fields. Supports creating from a template and bulk updates.
platform.core.cases.attachments
Manages case attachments, including adding comments, linking alerts, linking events, and listing existing attachments.
platform.core.cases.observables
Manages case observables such as IP addresses, domains, file hashes, URLs, emails, and registry keys.

Workflows tools help agents author and inspect Elastic Workflows by exposing step, trigger, connector, and example libraries, and by validating and previewing workflow definitions. To run or track a workflow, use the workflow execution tools in the platform core namespace.

platform.workflows.validate_workflow
Validates a workflow YAML definition against all validation rules, including YAML syntax, schema conformance, step-name uniqueness, and Liquid template syntax.
platform.workflows.get_step_definitions
Returns the available workflow step types with their input and configuration parameters and usage examples. Supports filtering by step type, keyword, or category.
platform.workflows.get_trigger_definitions
Returns the available workflow trigger types with their schemas and YAML examples, including manual, scheduled, alert, and event-driven triggers.
platform.workflows.get_connectors
Returns the connector instances configured in the deployment, including their action type and supported step types, so a workflow step can reference the correct connector.
platform.workflows.get_examples
Searches and retrieves example workflow YAML files from a bundled library to illustrate correct syntax patterns.
platform.workflows.workflow_execute_step
Executes a single workflow step against the live environment for testing and field discovery. Steps that write data or call external systems require explicit user confirmation before running.

Streams tools provide capabilities for exploring and managing Streams.

Note

In 9.5, the individual stream read tools were consolidated into inspect_streams and diagnose_stream, and the individual stream write tools were consolidated into update_stream, create_partition, and delete_stream. The tools removed in 9.5 are listed at the end of this section.

platform.streams.inspect_streams
Inspects one or more streams in a single call, returning only the requested aspects: overview, schema, quality, lifecycle, processing, or routing. Supports inspecting all streams at once.
platform.streams.diagnose_stream
Gathers time-windowed health metrics, failure store error samples, and a per-field degraded-field breakdown for a single stream. Use this tool for root cause analysis when data quality issues are detected.
platform.streams.query_documents
Queries or aggregates data from a stream using a natural language description. The tool translates the description into an Elasticsearch query internally. Returns documents in flat dot-notation format or aggregation results, and can query either the primary data store or the failure store.
platform.streams.design_pipeline
Designs changes to a stream's processing pipeline from a natural language instruction, simulates them against sample documents, and returns the proposed pipeline for review. The change is applied only when committed with update_stream.
platform.streams.list_ilm_policies
Lists the index lifecycle management (ILM) policies available on the cluster, including phase definitions and which streams and indices use them. On serverless, ILM is not available.
platform.streams.update_stream
Updates a stream's configuration, including its processing pipeline, description, retention lifecycle, field mappings, and failure store. Requires user confirmation before applying changes.
platform.streams.create_partition
Creates a child stream (partition) under a parent wired stream, using a routing condition to select the documents it receives. Partitioning and wired streams are in technical preview. Requires user confirmation.
platform.streams.delete_stream
Permanently deletes a stream and all of its child streams. This action cannot be undone and requires user confirmation.

The following streams tools were available in 9.4 and were removed in 9.5:

platform.streams.list_streams
Listed all streams the current user had access to. Replaced by inspect_streams with the overview aspect.
platform.streams.get_stream
Returned the full definition of a single stream. Replaced by inspect_streams.
platform.streams.get_schema
Returned the schema of a stream. Replaced by inspect_streams with the schema aspect.
platform.streams.get_data_quality
Returned data quality metrics for a stream. Replaced by inspect_streams with the quality aspect and by diagnose_stream.
platform.streams.get_lifecycle_stats
Returned lifecycle and storage statistics for a stream. Replaced by inspect_streams with the lifecycle aspect.
platform.streams.get_failed_documents
Retrieved documents from a stream's failure store with error details. Replaced by diagnose_stream and by query_documents with the failure store source.

Significant events tools search, create, and manage significant events and Knowledge Indicators for Streams.

Prerequisites: Significant events require an Enterprise license and must be enabled for the deployment through the observability:streamsEnableSignificantEvents advanced setting.

platform.sig_events.ki_search
Searches Knowledge Indicators (both feature-based and query-based) derived from streams data to enrich context for a target stream, service, or group of streams.
platform.sig_events.ki_feature_create
Creates a feature Knowledge Indicator that captures a newly discovered stream behavior pattern. Requires user confirmation.
platform.sig_events.ki_query_create
Creates a query Knowledge Indicator that saves a newly discovered detection query. Requires user confirmation.
platform.sig_events.event_search
Searches significant events across all streams or a specific stream, so the agent can check current event state before creating or updating events.
platform.sig_events.event_create
Creates a significant event for one or more streams. Requires user confirmation.
platform.sig_events.event_status_update
Updates the status of an existing significant event.
platform.streams.sig_events.event_investigation_attach
Records an investigation run against a significant event, keeping the event up to date as an investigation starts and finishes.

Observability tools provide specialized capabilities for monitoring applications, infrastructure, and logs.

observability.get_alerts
Retrieves Observability alerts within a specified time range, supporting filtering by status (active/recovered) and KQL queries.
observability.get_services
Retrieves information about services being monitored in APM.
observability.get_hosts
Retrieves information about hosts being monitored in infrastructure monitoring.
observability.get_index_info
Retrieves information about Observability indices and their fields. Supports operations for getting an overview of available data sources, listing fields that contain actual data, and retrieving distinct values or ranges for specific fields.
observability.get_trace_metrics
Retrieves metrics and statistics for distributed traces.
Supports sorting by latency, failureRate, or throughput, and returning average, p95, or p99 latency.
observability.get_downstream_dependencies
Identifies downstream dependencies (other services, databases, external APIs) for a specific service to understand service topology and blast radius.
observability.get_service_topology
Retrieves the service topology (dependency graph) for a service, including RED metrics (latency, throughput, and error rate) per connection.
observability.get_log_categories
Retrieves categorized log patterns to identify common log message types.
observability.get_log_groups
Returns categorized log messages and exceptions from logs and spans, grouped by type (spanException for APM errors, logException for log exceptions).
observability.get_log_change_points
Detects statistically significant changes in log patterns and volumes.
observability.get_metric_change_points
Detects statistically significant changes in metrics across groups (for example, by service, host, or custom fields), identifying spikes, dips, step changes, and trend changes.
observability.get_correlated_logs
Finds logs that are correlated with a specific event or time period.
observability.get_traces
Retrieves Observability documents (logs, transactions, spans, and errors) for one or more traces, grouped by trace ID.
observability.run_log_rate_analysis
Analyzes log ingestion rates to identify anomalies and trends.
observability.get_anomaly_detection_jobs
Retrieves Machine Learning anomaly detection jobs and their top anomaly records for investigating outliers and atypical behavior.
observability.get_logs
Searches and filters logs, returning a histogram trend, total count, log samples, and message pattern categories in a single query.
observability.get_runtime_metrics
Retrieves runtime metrics for services, including CPU usage, memory consumption, thread counts, and GC duration. Currently supports JVM (Java) metrics.
observability.get_trace_change_points
Detects statistically significant change points in trace latency, throughput, and failure rate across groups (for example, by service, transaction, or host).
observability.get_apm_correlations
Analyzes APM transaction correlations to identify which dimensions are most associated with slow or failed transactions. Use after identifying a high-latency or high-failure service to find which attributes (host, version, cloud region, and so on) are over-represented in slow or failed transactions. Requires a Platinum license.

Security tools provide specialized capabilities for security monitoring, threat detection, and incident response.

security.alerts
Searches and analyzes security alerts using full-text or structured queries for finding, counting, aggregating, or summarizing alerts.
security.attack_discovery_search
Returns any related attack discoveries from the last week, given one or more alert IDs. Requires attack discovery to have been run at least once.
security.security_labs_search
Searches Elastic Security Labs research and threat intelligence content. To use this tool, search for GenAI Settings in the global search field and install Security labs from the Documentation section. This takes a few minutes.
security.create_detection_rule
Creates a security detection rule from a natural language description, including ES|QL query generation, metadata, tags, and scheduling. Currently supports ES|QL rules only. Form changes suggested in chat must be applied manually.
security.run_rule_preview

Runs a security detection rule preview over a time range without saving the rule, then stores the result as a rule preview attachment so you can inspect the alerts the rule would have generated.

Prerequisites: The rulePreviewAttachmentEnabled Elastic Security experimental feature flag must be enabled.

Entity Analytics tools work with security entities and their risk scores, asset criticality, watchlists, and threat hunting leads.

security.entity_risk_score
Retrieves risk scores for entities (users, hosts, and services) to identify high-risk entities in the environment. This tool is only available when the risk score index exists in the current space.
security.get_entity
Retrieves an entity profile (user, host, service, or generic) from the Entity store by entity ID (EUID), including any alerts that contributed to its risk score. Requires the entity risk engine and entity store to be enabled.
security.search_entities
Searches the Entity store for security entities (host, user, service, or generic), with filtering by risk score, asset criticality, entity attributes, and lifecycle timestamps. Use when the entity ID (EUID) is not known, use security.get_entity when it is.
security.set_asset_criticality
Sets or removes the asset criticality level for a security entity and recalculates the entity's risk score.

Watchlist tools manage entity watchlists. Mutating actions require user confirmation before running. A Platinum or higher license is required, and adding or removing entities also requires the entity store to be enabled and populated.

security.list_watchlists
Lists the entity watchlists in the current space, including name, description, risk modifier, and member sources.
security.create_watchlist
Creates a new watchlist in the current space.
security.update_watchlist
Updates an existing watchlist, such as renaming it or changing its description or risk modifier.
security.delete_watchlist
Permanently deletes a watchlist. This action cannot be undone.
security.add_entities_to_watchlist
Adds one or more entities to a watchlist by entity ID (EUID).
security.remove_entities_from_watchlist
Removes one or more entities from a watchlist by entity ID (EUID).

Lead generation tools surface AI-generated threat hunting leads for security entities. An Enterprise license is required.

security.list_leads
Lists AI-generated threat hunting leads for security entities, sorted by priority.
security.generate_leads
Generates new threat hunting leads. The job runs asynchronously and returns immediately.
security.dismiss_lead
Dismisses an AI-generated threat hunting lead by ID, marking it as triaged.

SIEM readiness tools assess SIEM readiness across four dimensions: coverage, quality, continuity, and retention.

security.siem_readiness.get_coverage
Retrieves SIEM data coverage health across the SIEM data categories (endpoint, identity, network, cloud, and application/SaaS), including document counts, detection-rule presence, health status, and findings.
security.siem_readiness.get_quality
Retrieves SIEM data quality health based on ECS compatibility check results, including incompatible field mappings, health status, and findings. Requires a prior Data Quality dashboard run.
security.siem_readiness.get_continuity
Retrieves SIEM ingest pipeline continuity health, including active pipelines, failure rates, silent data streams, and volume drops.
security.siem_readiness.get_retention
Retrieves SIEM data retention health, including data streams and indices with retention configuration, retention days, and compliance status.

PCI compliance tools support PCI DSS v4.0.1 compliance assessments.

Prerequisites: The pciComplianceAgentBuilder Elastic Security experimental feature flag must be enabled.

security.pci_scope_discovery
Discovers PCI-relevant data coverage across indices, including custom-ingested data, and classifies it by scope area.
security.pci_compliance
Runs PCI DSS v4.0.1 compliance checks or reports, returning either per-requirement findings with ES|QL evidence or a visual scorecard.
security.pci_field_mapper
Inspects non-ECS index fields and suggests mappings to ECS fields for PCI queries. Use when scope discovery reports low ECS coverage.

Some built-in skills include inline tools that are only available while that skill is active. Because they are scoped to a skill rather than assignable on their own, they are not listed among the namespaced tools in this reference. For example:

  • The dashboard-management skill includes an inline tool for generating and updating dashboards.
  • The rule-management skill includes the platform.alerting.manage_rule and platform.alerting.manage_action_policy tools for composing and modifying alerting rules and their action policies.
  • The alert-triage skill includes the security.alert-triage tool for prioritizing the alert queue.
Tip

You can also manage tools programmatically. To learn more, refer to Tools API.