Elastic Agent Builder built-in skills reference

This page lists all built-in skills available in Elastic Agent Builder. Skills give agents domain-specific knowledge and tools for common task types. Built-in skills are read-only: you can't modify or delete them.

Tip

For an overview of how skills work in Elastic Agent Builder, refer to Skills in Elastic Agent Builder.

Skills are solution-scoped: the set of available built-in skills depends on your deployment type. Platform skills are available across all deployments. Observability, Security, and Elasticsearch skills are available in their respective serverless projects or solution views.

visualization-creation
Creates standalone or reusable Lens visualizations from index and field context. Use when a user asks for a chart, metric, trend, or breakdown visualization, or wants to update an existing one.
graph-creation
Creates graph attachments by transforming relationship data into nodes and edges rendered inline in the conversation. Use for topology, dependency, or entity-link visualizations.
dashboard-management
Composes and updates in-memory Kibana dashboards. Use when a user asks to find, create, or modify a dashboard, add or remove panels, or edit existing panel visualizations.
streams-exploration
Discovers, inspects, and queries Elasticsearch streams. Use when a user wants to list available streams, understand a stream's schema, check data quality or retention, or sample documents from a stream. This is a read-only skill: it cannot create, update, or delete streams or modify stream configuration.

observability.investigation
Answers observability questions and diagnoses issues across APM services and infrastructure. Use when a user asks about service health, error rates, latency, failed transactions, service topology, trace analysis, log patterns, SLO breaches, alert investigations, or general questions about services and their performance.
observability.rca
Performs structured root cause analysis for incidents, outages, errors, and service degradations. Use when a user asks why something is broken, slow, or failing; when an alert has fired; or when they need to trace a cascading failure across services.

entity-analytics
Finds and investigates security entities including hosts, users, services, and generic entities. Analyzes entity risk scores, asset criticality, and historical behavior. Use to discover risky entities or profile a specific entity by ID.
find-security-ml-jobs
Investigates anomalous behavior detected by Machine Learning jobs, including abnormal access patterns, lateral movement, unexpected logins, suspicious domain activity, and large data transfers.
threat-hunting
Runs hypothesis-driven threat hunts using iterative ES|QL exploration. Covers IOC search, anomaly identification, baseline behavioral comparison, and lateral movement tracking.
detection-rule-edit
Creates and edits Elastic Security detection rules. Use when a user asks to build a rule from natural language or edit rule fields such as severity, tags, MITRE ATT&CK mappings, schedule, query, or index patterns.

search.catalog-ecommerce
Guides agents through building catalog and e-commerce search solutions on Elasticsearch.
search.hybrid-search
Guides agents through building hybrid search solutions that combine keyword and semantic search.
search.keyword-search
Guides agents through building keyword and full-text search solutions on Elasticsearch.
search.rag-chatbot
Guides agents through building retrieval-augmented generation chatbot solutions on Elasticsearch.
search.semantic-search
Guides agents through building semantic and vector search solutions on Elasticsearch.
search.vector-database
Guides agents through using Elasticsearch as a vector database.