New Agent Builder skills model + use cases & TH agent deprecation #5904
Vale Linting Results
Summary: 1 warning, 1 suggestion found
| File | Line | Rule | Message |
|---|---|---|---|
| solutions/security/ai/agent-builder/skills-model.md | 29 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |
💡 Suggestions (1)
| File | Line | Rule | Message |
|---|---|---|---|
| solutions/security/ai/agent-builder/agent-builder.md | 50 | Elastic.Clone | Use clone only when referring to cloning a GitHub repository or creating a copy that is linked to the original. Often confused with 'copy' and 'duplicate'. |
The Vale linter checks documentation changes against the Elastic Docs style guide.
To use Vale locally or report issues, refer to Elastic style guide for Vale.
We should show how skills compose together in real SOC workflows. This is one of the most compelling parts of the skills story — it shows that users don't need to context-switch between separate agents. Ex: Alert-to-Dashboard flow: User: "What's the context on this critical alert?" → alert-analysis activates
This is a great example. Happy to add this. Are there any other workflow examples you have in mind?
Two items I'd like us to track as immediate follow-ups for the built-in skills reference:

1. The built-in skills reference doesn't show which tools are included in each skill. Users need this to understand what actions the agent can take when a skill is active. For example, does alert-analysis include entity_risk_score_tool? Can threat-hunting call security_labs_search_tool? This mapping should be a simple table in each skill's entry (or a consolidated table on the page). We have draft assignments in ticket #5719 but they need confirmation with engineering before publishing.
2. Each skill currently gets a single definition-list entry (one line). Ticket #5719 requested each skill section include: overview, included tools, prerequisites, invocation methods, limitations, and related resources. The use cases page (skills-use-cases.md) compensates well for example prompts and workflow context, but three things are genuinely missing and can't be found elsewhere in the docs:
@dhru42 I wonder if the docs are the right place for enumerating the tools associated with a skill, which will evolve quite quickly too over time. I wonder if it isn't better to enable users to check for themselves what tools are associated with a skill via API or UI 🤔 could be a section in https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills
||
| **Enable:** `alert-analysis` (optionally combine with [`entity-analytics`](#entity-risk-investigation) for deeper entity context) | ||
|
|
||
| Use this workflow to triage a specific alert or work through an alert queue. The agent fetches the alert, finds related alerts that share entities, correlates with {{elastic-sec}} Labs threat intelligence, and recommends a disposition (true positive, benign true positive, false positive, or needs more data). For a multi-skill flow that chains this into a tracking dashboard, refer to [Combining skills across workflows](#combining-skills-across-workflows). |
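Review bot: the "Use this workflow" paragraph asserts that the agent correlates the alert with {{elastic-sec}} Labs threat intelligence and recommends a disposition, but the thread above still lists the skill-to-tool mapping (for example whether `alert-analysis` includes `entity_risk_score_tool`, and which skill can call `security_labs_search_tool`) as needing confirmation with engineering before publishing; suggest either confirming which tool backs that correlation step before merge or trimming the sentence to what the skill is confirmed to do. Also worth checking that the `#entity-risk-investigation` anchor in the **Enable** line resolves to a heading id on this page, since the skill it links is named `entity-analytics` and a mismatched anchor will silently render as a dead link.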
workflow might be an overloaded term here?
I suggest we do both. If it's determined to not be of high value to users (at a later time) we can deprecate it moving forward, but we can't assume that it's not necessary for folks reading our docs.
@leemthompo, I agree we shouldn't repeat the full 3-method explanation per skill -- your core "How skills are invoked" section covers that well. But two Security skills have activation patterns that are genuinely non-obvious and worth a brief per-skill note: Detection Rule Edit: This skill is attachment-driven. It activates when a rule attachment is present in the conversation. Users need to know the entry points: starting from the rule creation form, from rule details, or by asking "create a detection rule" directly in chat (which creates the attachment for them). Without this, users won't know how to use it. The other four skills (Threat Hunting, Entity Analytics, Security ML Jobs, Endpoint Troubleshooting) follow the standard pattern and can just link back to your core page, or just make mention of it at the top of the security docs skills page and link there. So I'd say: skip per-skill invocation sections for most skills, but add a brief "How to activate" note for the two attachment-driven ones. @approksiu @paulewing let me know your thoughts, as it impacts your skills.
@benironside For Entity Analytics Skills, we want to call out that it includes Machine Learning Anomaly Detection jobs specific to security.
One more addition from agreement between PMs: For 9.4, consider the following: As calling the EA Skill will also leverage find-security-ml-jobs. |
leemthompo left a comment:

A few nits from me, but writing looks great overall 👍
| description: Understand how the Elastic AI Agent, Security skills, and tools work together in Elastic Agent Builder for Elastic Security. | ||
| --- | ||
|
|
||
| # Elastic AI Agent, skills, and tools in {{elastic-sec}} [elastic-ai-agent-skills-model] |
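Review bot: the frontmatter `description` spells out "Elastic AI Agent" and "Elastic Security" literally while the H1 directly below uses the `{{elastic-sec}}` substitution; if the description field supports the same substitutions, use one form in both places, and if it must stay plain text, a short comment saying so would stop the next editor from "fixing" it. The H1 also declares the explicit anchor `[elastic-ai-agent-skills-model]`; since the updated `agent-builder.md` links to this new page, confirm that those links target this anchor (or the page path) rather than an older id.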




Summary

Fixes #5718, #5719, and #5720.

New pages

- `solutions/security/ai/agent-builder/skills-model.md` — "Agents, skills, and tools" conceptual page for Security. Explains the one-agent-many-skills model in 9.4, with a comparison table (Agent / Skill / Tool), an Enable/manage section, the Threat Hunting Agent → skill relationship, and a short FAQ
- `solutions/security/ai/agent-builder/skills-use-cases.md` — "Security use cases for Agent Builder." One section per SOC workflow, each naming the built-in skill(s) to enable and 3 example prompts grounded in what the skill actually does (pulled from the Kibana source)

Updated pages

- `solutions/security/ai/agent-builder/agent-builder.md` — added an `applies-switch` so 9.3 keeps the Threat Hunting agent content and 9.4 shows the skills-based content, with links to the two new pages.
- `explore-analyze/ai-features/agent-builder/builtin-agents-reference.md` — Threat Hunting Agent section marked `deprecated 9.4`, with a prominent deprecation warning and a migration-path block pointing to the `threat-hunting` skill.
- `explore-analyze/ai-features/agent-builder/builtin-skills-reference.md` — added two Security skills that were missing:
  - `alert-analysis` (GA 9.4+)
  - `automatic_troubleshooting` (preview 9.4, experimental feature flag)
  Also added "Supports ES|QL rule type only" to `detection-rule-edit` (real constraint from the source).
- `explore-analyze/ai-features/ai-chat-experiences/ai-agent-or-ai-assistant.md` — applied your comparison-table updates for 9.4 (via `applies-switch` so 9.3 preserves the old tables):
- `solutions/toc.yml` — adds the two new Security pages as children of `agent-builder.md`, concepts first then use cases.

Attention @dhru42:

Please double check the following:

- `alert-analysis` skill — it's live in the Kibana source but wasn't in the "Add Agent Builder skills + dashboards/viz documentation" #5868 built-in skills update. Confirm this should ship in 9.4 GA docs and that my description is right.
- `automatic_troubleshooting` skill — source registers it behind the `automaticTroubleshootingSkill` experimental flag. Confirm preview + flag-gated framing is right, or whether it should be held out of docs entirely for 9.4.

What's not here
Generative AI disclosure