kibana
9 indexed skills · max 10 per page
performing-alert-triage-with-elastic-siem
mukul975/Anthropic-Cybersecurity-Skills · performing-alert-triage-with-elastic-siem
Perform systematic alert triage in Elastic Security SIEM to rapidly classify, prioritize, and investigate security alerts for SOC operations.
performing-threat-hunting-with-elastic-siem
mukul975/Anthropic-Cybersecurity-Skills · performing-threat-hunting-with-elastic-siem
Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL queries, detection rules, and Timeline investigation to identify threats that evade automated detection. Use when SOC teams need to hunt for specific ATT&CK techniques, investigate anomalous behaviors, or validate detection coverage gaps using Elasticsearch and Kibana Security.
kibana-vega
elastic/agent-skills · Productivity
Create and manage Kibana dashboards and Vega visualizations with ES|QL data sources.
kibana-streams
elastic/agent-skills · Productivity
Read stream metadata, settings, queries, significant events, and attachments, and manage stream lifecycle (enable, disable, resync) via the Kibana Streams REST API. Streams are an experimental way to manage data in Kibana — expect API and behavior changes. This skill covers read operations and lifecycle only; create, update, delete, fork, and other mutating operations may be added in a later version.
kibana-agent-builder
elastic/agent-skills · Frontend
Create, update, delete, inspect, and chat with Agent Builder agents. Create, update, delete, list, and test custom tools (ES|QL, index search, workflow). If the user provided a name, use $ARGUMENTS as the default agent name.
kibana-dashboards
elastic/agent-skills · Productivity
The Kibana dashboards and visualizations APIs provide a declarative, Git-friendly format for defining dashboards and visualizations. Definitions are minimal, diffable, and suitable for version control and LLM-assisted generation.
kibana-audit
elastic/agent-skills · Productivity
Enable and configure audit logging for Kibana via kibana.yml. Kibana audit logs cover application-layer security events that Elasticsearch does not see: saved object CRUD (dashboards, visualizations, index patterns, rules, cases), login/logout, session expiry, space operations, and Kibana-level RBAC enforcement.
kibana-connectors
elastic/agent-skills · Productivity
Connectors store connection information for Elastic services and third-party systems. Alerting rules use connectors to route actions (notifications) when rule conditions are met. Connectors are managed per Kibana Space and can be shared across all rules within that space.
kibana-alerting-rules
elastic/agent-skills · Productivity
A rule has three parts: conditions (what to detect), schedule (how often to check), and actions (what happens when conditions are met). When conditions are met, the rule creates alerts, which trigger actions via connectors.