


























Elastic Agent Skills are open source packages that give your AI coding agent native Elastic expertise. If you're already using Elastic Agent Builder, you get AI agents that work natively with your security data. Agent Skills are for the other side: bringing that same Elastic Security knowledge to the external AI tools your team already uses, like Cursor, Claude Code, or GitHub Copilot.
If you use an AI coding agent and want to evaluate Elastic Security, or you're a security team that wants to get up and running with Elastic Security fast without navigating setup docs, these are for you. Today we're shipping security skills that take you from zero to a fully populated Elastic Security environment, without leaving your integrated development environment (IDE).
Before you dive in, note that this is a v0.1.0 release. Also, review this documentation for steps to get started and important security considerations.
You open your AI coding agent and prompt: Create a Security project on Elastic Cloud.
The create-project skill provisions an Elastic Cloud Serverless Security project via the Elastic Cloud API, handles credentials securely, and hands you back your Elasticsearch and Kibana URLs.
Elastic Cloud Serverless supports regions across Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure, so you can pick whichever fits your environment.
One prompt. Project ready.
An empty Elastic Security project isn't very convincing. No alerts, no timelines, no process trees. You need data, but you don't always want to enable real sources of data before you've had a chance to explore.
The generate-security-sample-data skill populates your project with realistic, Elastic Common Schema–compliant (ECS-compliant) security events and synthetic alerts across four attack scenarios:
These aren't random events. Every alert maps to MITRE ATT&CK techniques. Process trees have proper entity IDs so the Analyzer renders real parent-child relationships. Attack Discovery picks up the correlated threat narratives. You get the experience of a live environment without needing one.
When you're done exploring, ask your AI coding agent to remove the sample data. All sample events, alerts, and cases are cleaned up without affecting the rest of your environment.
Once your environment is populated, the same AI coding agent can help you work with it. We're also shipping skills for alert triage (fetch and investigate alerts, classify threats, and acknowledge alerts), detection rule management (find noisy rules, add exceptions, and create new coverage), and case management (create and track security operations center [SOC] cases and link alerts to incidents).
Elastic's API documentation is public. Your AI agent can already read it. So why do skills matter?
Skills matter because docs describe individual endpoints and encode workflows. There's a real gap between knowing that POST /api/detection_engine/signals/search exists and knowing that you need to fetch the oldest unacknowledged alert, query the process tree and related alerts within a five-minute window of the trigger time, check for an existing case before creating a new one, attach the alert with its rule UUID, and then acknowledge all related alerts on the same host, in that order, with the right field names, across three different APIs.
Skills also encode what not to do: Never display credentials in chat, confirm before creating billable resources, and handle Serverless-specific API quirks. This is the expert knowledge that turns a general-purpose AI agent into one that actually knows Elastic.
All skills are open source and work with any supported AI coding agent:
Open a terminal in your project workspace and run:
Or install specific skills:
Check out the full catalog at github.com/elastic/agent-skills.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。