Elastic Agent Builder built-in tools reference
This page lists all built-in tools available in Elastic Agent Builder. Built-in tools enable core operations for working with Elasticsearch data across platform, observability, and security use cases out-of-the-box.
Built-in tools are read-only: you can't modify or delete them. To check which tools are available in your Elastic deployment, refer to Find all available tools.
For an overview of how tools work in Elastic Agent Builder, refer to the Tools overview.
Built-in platform core tools are available across all deployments, while observability and security tools are available in their respective serverless projects (or solution views). Tools use consistent prefixes (platform.core, observability, security) that reflect this scoping.
Built-in agents are pre-configured with relevant tools. For example, the Observability agent includes all observability tools by default. You can assign any available built-in tools to custom agents you create.
Platform core tools provide fundamental capabilities for interacting with Elasticsearch data, executing queries, and working with indices. They are relevant to many use cases.
All built-in agents are assigned these tools by default.
platform.core.execute_esql - Executes an ES|QL query and returns the results in a tabular format.
platform.core.generate_esql - Generates an ES|QL query from a natural language query.
platform.core.get_document_by_id - Retrieves the full content of an Elasticsearch document based on its ID and index name.
platform.core.get_index_mapping - Retrieves mappings for the specified index or indices.
platform.core.index_explorer - Lists relevant indices and corresponding mappings based on a natural language query.
platform.core.list_indices - Lists the indices, aliases, and data streams in the Elasticsearch cluster that the current user has access to.
platform.core.search - Searches and analyzes data within your Elasticsearch cluster using full-text relevance searches or structured analytical queries.
platform.core.product_documentation - Searches and retrieves documentation about Elastic products (Kibana, Elasticsearch, Elastic Security, Elastic Observability).
platform.core.integration_knowledge - Searches and retrieves knowledge from Fleet-installed integrations, including information on how to configure and use integrations for data ingestion.
platform.core.cases - Searches and retrieves cases for tracking and managing issues.
platform.core.get_workflow_execution_status - Retrieves the execution status of a workflow.
Observability tools provide specialized capabilities for monitoring applications, infrastructure, and logs.
The built-in Observability agent is assigned these tools by default.
observability.get_alerts - Retrieves Observability alerts within a specified time range, supporting filtering by status (active/recovered) and KQL queries.
observability.get_services - Retrieves information about services being monitored in APM.
observability.get_hosts - Retrieves information about hosts being monitored in infrastructure monitoring.
observability.get_index_info - Retrieves information about Observability indices and their fields. Supports operations for getting an overview of available data sources, listing fields that contain actual data, and retrieving distinct values or ranges for specific fields.
observability.get_trace_metrics - Retrieves metrics and statistics for distributed traces.
observability.get_downstream_dependencies - Identifies downstream dependencies (other services, databases, external APIs) for a specific service to understand service topology and blast radius.
observability.get_log_categories - Retrieves categorized log patterns to identify common log message types.
observability.get_log_change_points - Detects statistically significant changes in log patterns and volumes.
observability.get_metric_change_points - Detects statistically significant changes in metrics across groups (for example, by service, host, or custom fields), identifying spikes, dips, step changes, and trend changes.
observability.get_correlated_logs - Finds logs that are correlated with a specific event or time period.
observability.run_log_rate_analysis - Analyzes log ingestion rates to identify anomalies and trends.
observability.get_anomaly_detection_jobs - Retrieves Machine Learning anomaly detection jobs and their top anomaly records for investigating outliers and abnormal behavior.
Security tools provide specialized capabilities for security monitoring, threat detection, and incident response.
The built-in Threat Hunting Agent is assigned these tools by default.
security.alerts - Searches and analyzes security alerts using full-text or structured queries for finding, counting, aggregating, or summarizing alerts.
security.security_labs_search - Searches Elastic Security Labs research and threat intelligence content.