Elastic Agent Builder built-in tools reference
Observability tools provide specialized capabilities for monitoring applications, infrastructure, and logs.
Note: The built-in Observability agent is assigned these tools by default.
observability.get_alerts - Retrieves Observability alerts within a specified time range, supporting filtering by status (active/recovered) and KQL queries.
observability.get_services - Retrieves information about services being monitored in APM.
observability.get_hosts - Retrieves information about hosts being monitored in infrastructure monitoring.
observability.get_index_info - Retrieves information about Observability indices and their fields. Supports operations for getting an overview of available data sources, listing fields that contain actual data, and retrieving distinct values or ranges for specific fields.
observability.get_trace_metrics - Retrieves metrics and statistics for distributed traces.
observability.get_downstream_dependencies - Identifies downstream dependencies (other services, databases, external APIs) for a specific service to understand service topology and blast radius.
observability.get_log_categories - Retrieves categorized log patterns to identify common log message types.
observability.get_log_change_points - Detects statistically significant changes in log patterns and volumes.
observability.get_metric_change_points - Detects statistically significant changes in metrics across groups (for example, by service, host, or custom fields), identifying spikes, dips, step changes, and trend changes.
observability.get_correlated_logs - Finds logs that are correlated with a specific event or time period.
observability.run_log_rate_analysis - Analyzes log ingestion rates to identify anomalies and trends.
observability.get_anomaly_detection_jobs - Retrieves Machine Learning anomaly detection jobs and their top anomaly records for investigating outliers and abnormal behavior.
Security tools provide specialized capabilities for security monitoring, threat detection, and incident response.
Note: The built-in Threat Hunting Agent is assigned these tools by default.
security.alerts - Searches and analyzes security alerts using full-text or structured queries for finding, counting, aggregating, or summarizing alerts.