Agent Builder for Elastic Security
Agent Builder is Elastic's AI platform. It includes a natural language chat interface, built-in agents and Elastic tools, and lets you create custom agents and tools for your use case. You can manage and interact with your agents using the Kibana UI or work programmatically.
Agent Builder integrates tightly with Elastic Security, shipping with built-in agents and tools designed for security use cases, and you can create your own custom agents and tools to fit your specific needs. Combine your agents with Elastic Workflows to automatically isolate hosts, create cases, send notification messages to external platforms, and more.
To use Agent Builder in Elastic Security, you need to opt in.
While Agent Builder works with any configured LLM connector, model performance varies. Refer to the LLM performance matrix for Elastic Security to select a model that performs well for your intended use cases.
Agent Builder features a built-in Threat Hunting agent designed to accelerate security investigations by synthesizing data from sources such as Alerts, Attack Discovery, and Entity Risk Scores.
By default it includes the platform core tools and security tools. You can clone the agent to create a version with access to additional built-in or custom tools. To learn more about the available tools, refer to Create and manage custom tools in Elastic Agent Builder.
You can pass a detection rule into the Agent Builder chat so you can ask questions about it, get suggestions for improving rule fields, or request an appropriate investigation guide, without copying and pasting rule content between the UI and the chat. Open Agent Builder with a rule in context from any of these places:
- AI rule creation: On the Detection rules (SIEM) page, choose Create a rule > AI rule creation. The flyout opens with an empty rule attachment and a prefilled prompt for an ES|QL detection rule with the main rule fields. You can edit the prompt before sending the message.
- Rule details: Open a rule from the list, then use Add to chat on the rule details page.
- Rule form (create or edit): While creating or editing a rule, use Add to chat to send the current rule draft.
- Alerts flyout: Open an alert, expand the rule summary in the flyout, then use Add to chat.
- Alerts table rule flyout: From the alerts table, open the rule flyout for an alert and use Add to chat.
This flow opens Agent Builder with a security session context and the default agent used in Elastic Security (the Elastic AI Agent).
Security skills such as threat-hunting and alert-analysis activate as needed based on your prompts. When the assistant responds, the rule appears in the chat as a rich attachment that shows the rule type, description, query with syntax highlighting, index patterns, tags, severity and risk score, and schedule. It draws on the attached rule to help with detection intent, query logic, MITRE ATT&CK coverage, timing and scheduling, and rule metadata quality.
Agent Builder only has access to the fields included in the rule attachment. It does not retrieve exception lists. Rules reference exceptions by ID only.
If your role has the privileges required to manage detection rules, use Apply to creation or Update rule on that attachment to open the create or edit rule form with the fields filled in.
If your role does not have access to managing rules, the actions aren't shown. On the Create rule or Edit rule page, when the Agent Builder flyout is open at the same time, the rule fields in the form and the rule attachment in the chat update together when you edit either side.
Workflows is an automation engine built into the Elastic platform. You can define workflows declaratively in YAML to create deterministic, event-driven automation, without building custom integrations or switching context from your Elastic environment. Combined with Agent Builder, Workflows enable you to:
- Reduce alert fatigue by automating responses to reduce manual triage
- Automate routine tasks
- Eliminate the need for external automation tools
Workflows are tightly integrated with Agent Builder functionalities:
Agents can trigger workflows to take reliable, repeatable actions. For more information, refer to Workflow tools in Elastic Agent Builder.
Workflows can call agents when a step benefits from reasoning, language understanding, or other LLM capabilities. For more information, refer to Steps.
This section provides conceptual examples of what you can achieve with Agent Builder workflows. For specific examples of workflows, including complete annotated code samples, refer to the elastic/workflows/security GitHub repo.
You can create a workflow that:
- Runs periodically, and initiates Attack Discovery when it runs
- Sends any discovered attacks to an AI agent to analyze and create a report
- Sends that report to a third-party incident management platform and sends alerts to your team
You can create a workflow that:
- Triggers automatically when a rule generates an alert
- Provides the alert data to an AI agent with a pre-defined prompt such as "analyze this alert, check whether it's connected to existing attacks, and identify all implicated entities"
- Creates a report based on what it finds and sends it to a Slack channel
- Suggests next steps
When conducted manually, alert triage in Elastic Security typically includes multiple steps that consume analyst time:
- Receive alert
- Open alert flyout and review entity details
- Pivot to Risk Score page
- Search Attack Discovery for related attacks
- Manually correlate new alert with its context
- Make a triage decision
With Agent Builder, you can automate this process to speed it up and require less user input. For example, in response to the prompt "Analyze alert abc123. What's the entity risk score for the affected host? Are there any related attack discoveries in the last 24 hours?" an AI agent would take the following actions:
- Fetch alert details (using alerts_tool)
- Retrieve entity risk scores (using entity_risk_score_tool)
- Search Attack Discovery for related attacks (using attack_discovery_search_tool)
- Return an actionable alert summary based on rich context
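The following is an added illustration of the same triage sequence written as deterministic Python, useful as a reference for validating what the agent returns; it is not Agent Builder's own tool code, and the alert, risk score and attack discovery data are constructed for the example (the `fetch_alert`, `entity_risk` and `related_discoveries` functions stand in for the tools named above).

```python
# Added illustration of the triage flow: fetch alert, look up entity risk,
# search recent Attack Discovery results, and return an actionable summary.
# Not Agent Builder's tool implementation; all data below is constructed.
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

ALERTS = {  # constructed sample alert, keyed by alert id
    "abc123": {"host": "web-01", "user": "svc-deploy", "rule": "Suspicious PowerShell",
               "severity": "high", "timestamp": NOW - timedelta(hours=1)},
}
RISK_SCORES = {"host:web-01": 82, "user:svc-deploy": 41}  # constructed entity risk scores
ATTACK_DISCOVERIES = [  # constructed discoveries with the entities they implicate
    {"title": "Credential access on web tier", "entities": {"host:web-01", "user:admin"},
     "timestamp": NOW - timedelta(hours=5)},
    {"title": "Old phishing chain", "entities": {"host:web-01"},
     "timestamp": NOW - timedelta(days=3)},
]

def fetch_alert(alert_id):
    """Stand-in for alerts_tool: return the alert document or None."""
    return ALERTS.get(alert_id)

def entity_risk(entity):
    """Stand-in for entity_risk_score_tool: unknown entities score 0."""
    return RISK_SCORES.get(entity, 0)

def related_discoveries(entities, window_hours=24):
    """Stand-in for attack_discovery_search_tool: discoveries inside the
    time window that share at least one entity with the alert."""
    cutoff = NOW - timedelta(hours=window_hours)
    return [d for d in ATTACK_DISCOVERIES
            if d["timestamp"] >= cutoff and d["entities"] & entities]

def triage(alert_id, window_hours=24):
    alert = fetch_alert(alert_id)
    if alert is None:
        return {"alert_id": alert_id, "error": "alert not found"}
    entities = {f"host:{alert['host']}", f"user:{alert['user']}"}
    risks = {e: entity_risk(e) for e in entities}
    related = related_discoveries(entities, window_hours)
    # Constructed decision rule: escalate when a high-risk entity coincides
    # with a recent related discovery; otherwise keep monitoring.
    escalate = max(risks.values()) >= 70 and bool(related)
    return {"alert_id": alert_id, "rule": alert["rule"], "severity": alert["severity"],
            "entity_risk": risks, "related_discoveries": [d["title"] for d in related],
            "recommended_action": "escalate to case" if escalate else "monitor"}

if __name__ == "__main__":
    print(triage("abc123"))
```

Widening `window_hours` pulls in older discoveries, which is the knob to compare against when the agent's "last 24 hours" answer looks incomplete.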