
[Internal]: Elastic Security Migration to Agent Builder & New Agent Capabilities #4204

@dhru42

Description


Priority: High
Target Release: 9.3

In 9.3, Elastic Security is beginning the migration from the legacy "AI Assistant" to the platform-native "Agent Builder" architecture.

We are not fully deprecating the legacy Assistant in 9.3, but introducing Agent Builder as an opt-in/parallel experience. The documentation must clearly differentiate these two experiences and explain the new manual interaction patterns.

Conceptual Shift: Assistant vs. Agents
We need a dedicated section or a distinct comparison table explaining the difference between the AI Assistant and Agent Builder. Note: not all AI Assistant features are currently available in Agent Builder.

Security Sub-Agents

Document the three specific agents shipping in 9.3. Users must understand when to select each one via the new "Agent Switching" UI.

  1. Alerts Agent:
     - Purpose: Triage and investigation of security alerts.
     - Key Integration: Includes Attack Discovery workflows.
     - Use Case: "Analyze this alert," "Show me the attack chain."

  2. Entity Analytics Agent:
     - Purpose: Risk scoring and behavior analysis for Users and Hosts.
     - Use Case: "Why is this user's risk score high?" "Show me lateral movement for this host."

  3. Defend Insights Agent:
     - Purpose: Endpoint security and policy analysis.
     - Use Case: TBD (refine based on final engineering output for 9.3).

Note: In 9.3, routing is manual. The system will NOT automatically route queries. Documentation must emphasize selecting the correct agent.

Context via Attachments

Document the "Attachments" workflow.

Supported Attachment Types (4):

  1. Cases (e.g., attach a case).
  2. Alerts (e.g., attach specific detection alerts).
  3. Entity (e.g., attach a Host or User profile).
  4. [TBD] (@YulNaumenko verifying 4th type, likely File/Hash or ESQL Query. Will confirm by FF).

Explain that attaching an object (e.g., an alert) dynamically grants the agent the "permission" and "tools" it needs to read and analyze that specific object.

User workflows to document:

  1. Opt in to Agent Builder: How to toggle into the new experience.
  2. Switching Agents: How to use the primitive agent switcher UI to change from "Alerts Agent" to "Entity Agent".
  3. Adding Attachments: How to use the paperclip/attachment UI to add context to a conversation.
  4. Switch back to AI Assistant: How users can switch back to the "legacy" experience.

Resources

Figma: https://www.figma.com/design/uiMIkyvruXC5oIaSagm8hT/-Shared--Opt-in-to-Agent-Builder?node-id=8145-82100&p=f&t=u9IZ5HK71fMrY1yb-0

Epic link: https://github.com/elastic/security-team/issues/14439

Agent Builder: https://docs.google.com/document/d/10ZlcUZhrnxpWc6NDgv1YIXIUxc6AtNVhTpto_yQl9PU/edit?usp=sharing

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

detailed in the description

What release is this request related to?

N/A

Serverless release

9.3

Collaboration model

The documentation team

Point of contact

Main contact: @dhru42 @YulNaumenko @stephmilovic

Stakeholders: @jamesspi

Labels

Team:Experience (Issues owned by the Experience Docs Team)
