Get started with Elastic Security from your AI agent
Elastic Agent Skills are open source packages that give your AI coding agent native Elastic expertise. If you're already using Elastic Agent Builder, you get AI agents that work natively with your security data. Agent Skills are for the other side: bringing that same Elastic Security knowledge to the external AI tools your team already uses, like Cursor, Claude Code, or GitHub Copilot.
If you use an AI coding agent and want to evaluate Elastic Security, or you're a security team that wants to get up and running with Elastic Security fast without navigating setup docs, these are for you. Today we're shipping security skills that take you from zero to a fully populated Elastic Security environment, without leaving your integrated development environment (IDE).
Before you dive in, note that this is a v0.1.0 release. Also, review this documentation for steps to get started and important security considerations.
Step 1: Create a security project
You open your AI coding agent and prompt: Create a Security project on Elastic Cloud.
The create-project skill provisions an Elastic Cloud Serverless Security project via the Elastic Cloud API, handles credentials securely, and hands you back your Elasticsearch and Kibana URLs.
Elastic Cloud Serverless supports regions across Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure, so you can pick whichever fits your environment.
One prompt. Project ready.
Step 2: Generate sample data
An empty Elastic Security project isn't very convincing. No alerts, no timelines, no process trees. You need data, but you don't always want to enable real sources of data before you've had a chance to explore.
The generate-security-sample-data skill populates your project with realistic, Elastic Common Schema–compliant (ECS-compliant) security events and synthetic alerts across four attack scenarios:
- Windows ransomware chain: Word macro to PowerShell to ransomware deployment, complete with process trees that light up the Analyzer view.
- Credential access: LSASS memory dumps and credential harvesting.
- AWS cloud privilege escalation: IAM policy manipulation and unauthorized access key creation.
- Okta identity attack: Multifactor authentication (MFA) factor deactivation and suspicious authentication patterns.
These aren't random events. Every alert maps to MITRE ATT&CK techniques. Process trees have proper entity IDs so the Analyzer renders real parent-child relationships. Attack Discovery picks up the correlated threat narratives. You get the experience of a live environment without needing one.
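What "proper entity IDs" means in practice, as an added example that is not the skill's own generator or data: a constructed ECS process chain for the Word macro to PowerShell to ransomware scenario, where every child carries its parent's `process.entity_id`, plus the check a generator should run before indexing (an orphaned parent reference is exactly what leaves the Analyzer unable to draw the tree). The host, timestamps, PIDs and command lines are invented; the entity ID derivation (hash of host, PID and start time) is one reasonable scheme, not a specification.

```python
"""Constructed ECS process-start events with linked process.entity_id /
process.parent.entity_id, plus a closure check over parent references.
Added example; host, PIDs, commands and the ID scheme are assumptions."""
import hashlib
from datetime import datetime, timedelta, timezone

HOST = {"name": "ws-01", "id": "host-ws-01"}  # constructed host
T0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)


def entity_id(host_id, pid, start):
    """Stable per-process key: hash of host, pid and start time (PIDs alone recycle)."""
    return hashlib.sha256(f"{host_id}|{pid}|{start.isoformat()}".encode()).hexdigest()[:16]


def process_event(name, pid, parent, offset_s, command_line, technique=None):
    """One ECS-shaped process 'start' event; parent is the parent's event or None."""
    start = T0 + timedelta(seconds=offset_s)
    ev = {
        "@timestamp": start.isoformat(),
        "event": {"kind": "event", "category": ["process"], "type": ["start"]},
        "host": HOST,
        "process": {"pid": pid, "name": name, "command_line": command_line,
                    "entity_id": entity_id(HOST["id"], pid, start)},
    }
    if parent is not None:  # link to the parent by its entity_id, not just its pid
        ev["process"]["parent"] = {"pid": parent["process"]["pid"],
                                   "name": parent["process"]["name"],
                                   "entity_id": parent["process"]["entity_id"]}
    if technique:  # ECS threat.technique.id is an array field
        ev["threat"] = {"framework": "MITRE ATT&CK", "technique": {"id": [technique]}}
    return ev


def ransomware_chain():
    """explorer -> Word (malicious document) -> PowerShell -> ransomware binary."""
    explorer = process_event("explorer.exe", 1200, None, 0, "C:\\Windows\\explorer.exe")
    word = process_event("WINWORD.EXE", 3412, explorer, 5,
                         '"WINWORD.EXE" /n invoice.docm', technique="T1204.002")
    ps = process_event("powershell.exe", 3500, word, 7,
                       "powershell.exe -nop -w hidden -enc <base64 placeholder>",
                       technique="T1059.001")
    ransom = process_event("svchost_update.exe", 3588, ps, 12,
                           "C:\\Users\\Public\\svchost_update.exe", technique="T1486")
    return [explorer, word, ps, ransom]


def orphan_parents(events):
    """entity_ids referenced as a parent but never emitted as a process.
    A generator should assert this is empty before indexing the batch."""
    known = {e["process"]["entity_id"] for e in events}
    refs = {e["process"]["parent"]["entity_id"] for e in events if "parent" in e["process"]}
    return sorted(refs - known)


def depth_of(events, name):
    """Number of parent hops above the named process (root process = 0)."""
    by_id = {e["process"]["entity_id"]: e for e in events}
    node = next(e for e in events if e["process"]["name"] == name)
    depth = 0
    while "parent" in node["process"]:
        node = by_id[node["process"]["parent"]["entity_id"]]
        depth += 1
    return depth
```

Dropping the root event from the batch (for instance by generating only the "interesting" processes) is the usual way a synthetic tree ends up with a dangling parent; `orphan_parents` catches that case.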
When you're done exploring, ask your AI coding agent to remove the sample data. All sample events, alerts, and cases are cleaned up without affecting the rest of your environment.
Step 3: What's next after sample data
Once your environment is populated, the same AI coding agent can help you work with it. We're also shipping skills for alert triage (fetch and investigate alerts, classify threats, and acknowledge alerts), detection rule management (find noisy rules, add exceptions, and create new coverage), and case management (create and track security operations center [SOC] cases and link alerts to incidents).
Why skills, not just docs?
Elastic's API documentation is public. Your AI agent can already read it. So why do skills matter?
Skills matter because docs describe individual endpoints, while skills encode workflows. There's a real gap between knowing that POST /api/detection_engine/signals/search exists and knowing that you need to fetch the oldest unacknowledged alert, query the process tree and related alerts within a five-minute window of the trigger time, check for an existing case before creating a new one, attach the alert with its rule UUID, and then acknowledge all related alerts on the same host, in that order, with the right field names, across three different APIs.
Skills also encode what not to do: Never display credentials in chat, confirm before creating billable resources, and handle Serverless-specific API quirks. This is the expert knowledge that turns a general-purpose AI agent into one that actually knows Elastic.
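The triage ordering described above, carried through as an added example that is not Elastic's skill code: it runs offline against a stub that replays constructed alerts and records every call, so the sequence (oldest open alert, related alerts within five minutes on the same host, case lookup before case creation, alert attachment with the rule UUID, then acknowledgement) can be checked. The paths are the Kibana detection-engine and Cases endpoints; the exact request bodies, the `_find` query parameters and the stub's responses are assumptions.

```python
"""Alert-triage workflow in the order the page lists. Added example; runs
offline via StubKibana. Kibana paths are the Security/Cases endpoints; the
request bodies, _find parameters and stub responses are assumptions."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
OWNER = "securitySolution"


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def oldest_open(hits):
    """Oldest alert whose workflow status is still 'open' (not acknowledged/closed)."""
    open_hits = [h for h in hits if h["_source"].get("kibana.alert.workflow_status") == "open"]
    return min(open_hits, key=lambda h: parse_ts(h["_source"]["@timestamp"]), default=None)


def related_query(alert):
    """Open alerts on the same host within +/-5 minutes of the trigger time."""
    src = alert["_source"]
    t = parse_ts(src["@timestamp"])
    return {"size": 100, "query": {"bool": {"filter": [
        {"term": {"host.name": src["host.name"]}},
        {"term": {"kibana.alert.workflow_status": "open"}},
        {"range": {"@timestamp": {"gte": (t - WINDOW).isoformat(),
                                  "lte": (t + WINDOW).isoformat()}}}]}}}


def triage(client):
    """client.request(method, path, body) -> dict; returns a summary of what was done."""
    hits = client.request("POST", "/api/detection_engine/signals/search",
                          {"query": {"term": {"kibana.alert.workflow_status": "open"}},
                           "sort": [{"@timestamp": "asc"}], "size": 50})["hits"]["hits"]
    alert = oldest_open(hits)
    if alert is None:
        return None
    src = alert["_source"]
    related = client.request("POST", "/api/detection_engine/signals/search",
                             related_query(alert))["hits"]["hits"]
    # Look for an existing open case for this host before creating a new one.
    found = client.request("GET", f"/api/cases/_find?status=open&search={src['host.name']}")
    if found["cases"]:
        case, created = found["cases"][0], False
    else:
        case = client.request("POST", "/api/cases", {
            "title": f"{src['kibana.alert.rule.name']} on {src['host.name']}",
            "description": f"Opened from alert {alert['_id']}", "tags": ["auto-triage"],
            "owner": OWNER, "settings": {"syncAlerts": True},
            "connector": {"id": "none", "name": "none", "type": ".none", "fields": None}})
        created = True
    # Attach the alert as a case comment of type "alert", carrying the rule UUID.
    client.request("POST", f"/api/cases/{case['id']}/comments", {
        "type": "alert", "alertId": alert["_id"], "index": alert["_index"], "owner": OWNER,
        "rule": {"id": src["kibana.alert.rule.uuid"], "name": src["kibana.alert.rule.name"]}})
    # Last step: acknowledge the trigger plus every related open alert on the host.
    ids = sorted({alert["_id"], *(h["_id"] for h in related)})
    client.request("POST", "/api/detection_engine/signals/status",
                   {"signal_ids": ids, "status": "acknowledged"})
    return {"alert": alert["_id"], "case": case["id"], "case_created": created, "acknowledged": ids}


def _hit(_id, ts, host, status="open"):
    return {"_id": _id, "_index": ".alerts-security.alerts-default", "_source": {
        "@timestamp": ts, "host.name": host, "kibana.alert.workflow_status": status,
        "kibana.alert.rule.uuid": "00000000-0000-4000-8000-000000000001",
        "kibana.alert.rule.name": "LSASS Memory Access"}}


SAMPLE_ALERTS = [  # constructed alerts, not real data
    _hit("a1", "2024-05-01T10:00:00Z", "ws-01", status="acknowledged"),
    _hit("a2", "2024-05-01T10:01:00Z", "ws-01"),  # oldest still open
    _hit("a3", "2024-05-01T10:03:00Z", "ws-01"),  # inside the window
    _hit("a4", "2024-05-01T10:20:00Z", "ws-01"),  # same host, outside the window
    _hit("a5", "2024-05-01T10:02:00Z", "ws-02"),  # inside the window, other host
]


class StubKibana:
    """Offline stand-in that applies the host/status/window filter itself and
    records every call so the ordering and payloads can be inspected."""
    def __init__(self, existing_cases=()):
        self.calls, self.cases = [], list(existing_cases)

    def request(self, method, path, body=None):
        self.calls.append((method, path, body))
        if path == "/api/detection_engine/signals/search":
            hits, filt = SAMPLE_ALERTS, body["query"].get("bool", {}).get("filter")
            if filt:
                host, rng = filt[0]["term"]["host.name"], filt[2]["range"]["@timestamp"]
                lo, hi = parse_ts(rng["gte"]), parse_ts(rng["lte"])
                hits = [h for h in hits if h["_source"]["host.name"] == host
                        and h["_source"]["kibana.alert.workflow_status"] == "open"
                        and lo <= parse_ts(h["_source"]["@timestamp"]) <= hi]
            return {"hits": {"hits": hits}}
        if path.startswith("/api/cases/_find"):
            return {"cases": self.cases, "total": len(self.cases)}
        if path == "/api/cases":
            self.cases.append({"id": "case-new", **body})
            return self.cases[-1]
        return {}
```

The point the stub makes visible is the ordering: acknowledgement happens only after the case exists and the alert is attached, and the case lookup happens before `POST /api/cases`, so a second run against the same host reuses the case instead of creating a duplicate.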
Getting started
All skills are open source and work with any supported AI coding agent:
- Cursor
- Claude Code
- GitHub Copilot
- Windsurf
- Cline
- OpenCode
- Gemini CLI
Open a terminal in your project workspace and run:
Or install specific skills:
Check out the full catalog at github.com/elastic/agent-skills.
