20 commits
f97bfe2
First draft
nastasha-solomon Mar 17, 2026
f0c872c
Adds a Validate using AI section to the validate and test rules page
benironside Mar 18, 2026
6ab8e61
Update validate-and-test-rules.md
benironside Mar 18, 2026
2f80f51
fixes applies to
benironside Mar 18, 2026
45cf9ce
Merge branch 'main' into docs-5364-attach-detection-rule-to-ai-agent
nastasha-solomon Mar 20, 2026
325043d
minor tweaks
nastasha-solomon Mar 20, 2026
add4df4
Merge branch 'docs-5364-attach-detection-rule-to-ai-agent' of https:/…
nastasha-solomon Mar 20, 2026
04ca9f5
Merge branch 'main' into docs-5364-attach-detection-rule-to-ai-agent
benironside Mar 31, 2026
937729a
Merge branch 'main' into docs-5364-attach-detection-rule-to-ai-agent
nastasha-solomon Mar 31, 2026
cd9328f
Add changes from 252385
nastasha-solomon Mar 31, 2026
c751558
Merge branch 'main' into docs-5364-attach-detection-rule-to-ai-agent
nastasha-solomon Apr 10, 2026
0b8fd43
Modified part about the agent
nastasha-solomon Apr 11, 2026
0804e40
Merge branch 'main' into docs-5364-attach-detection-rule-to-ai-agent
nastasha-solomon Apr 13, 2026
655f117
Merge branch 'main' into docs-5364-attach-detection-rule-to-ai-agent
nastasha-solomon Apr 21, 2026
f8f8cdd
Update solutions/security/ai/agent-builder/agent-builder.md
nastasha-solomon Apr 21, 2026
43e75bd
Update solutions/security/ai/agent-builder/agent-builder.md
nastasha-solomon Apr 21, 2026
2366f96
Update solutions/security/ai/agent-builder/agent-builder.md
nastasha-solomon Apr 21, 2026
d21cf5f
Update solutions/security/detect-and-alert/manage-detection-rules.md
nastasha-solomon Apr 21, 2026
500da87
Merge branch 'main' into docs-5364-attach-detection-rule-to-ai-agent
nastasha-solomon Apr 21, 2026
2cd2479
Update solutions/security/ai/agent-builder/agent-builder.md
nastasha-solomon Apr 21, 2026
34 changes: 31 additions & 3 deletions solutions/security/ai/agent-builder/agent-builder.md
Expand Up @@ -28,8 +28,36 @@

Agent Builder features a built-in [Threat Hunting agent](/explore-analyze/ai-features/agent-builder/builtin-agents-reference.md#threat-hunting-agent) designed to accelerate security investigations by synthesizing data from sources such as Alerts, Attack Discovery, and Entity Risk Scores.

By default it includes the [platform core tools](/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference.md#platform-core-tools) and [security tools](/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference.md#security-tools). You can [clone the agent](/explore-analyze/ai-features/agent-builder/custom-agents.md#create-a-new-agent) to create a version with access to additional built-in or custom tools. To learn more about the available tools, refer to [](/explore-analyze/ai-features/agent-builder/tools/custom-tools.md).

Check notice on line 31 in solutions/security/ai/agent-builder/agent-builder.md (GitHub Actions / build / vale): Elastic.Clone: Use `clone` only when referring to cloning a GitHub repository or creating a copy that is linked to the original. Often confused with 'copy' and 'duplicate'.

## Create and refine detection rules in Agent Builder [create-and-refine-detection-rules-in-agent-builder]

```{applies_to}
stack: ga 9.4
serverless:
security: ga
```

You can pass a detection rule into the Agent Builder chat so you can ask questions about it, get suggestions for improving rule fields, or request an appropriate investigation guide, without copying and pasting rule content between the UI and the chat. Open Agent Builder with a rule in context from any of these places:

- **AI rule creation**: On the [Detection rules (SIEM)](/solutions/security/detect-and-alert/manage-detection-rules.md) page, choose **Create a rule > AI rule creation**. The flyout opens with an empty rule attachment and a prefilled prompt for an {{esql}} detection rule with the main rule fields. You can edit the prompt before sending the message.
- **Rule details**: Open a rule from the list, then use **Add to chat** on the rule details page.
- **Rule form (create or edit)**: While [creating](/solutions/security/detect-and-alert/using-the-rule-ui.md) or [editing](/solutions/security/detect-and-alert/manage-detection-rules.md#edit-single-rule) a rule, use **Add to chat** to send the current rule draft.
- **Alerts flyout**: Open an alert, expand the rule summary in the flyout, then use **Add to chat**.
Member Author:

Unable to test this and the next list item in my current Serverless project. Need to find a prod Security project with alerts.

- **Alerts table rule flyout**: From the alerts table, open the rule flyout for an alert and use **Add to chat**.

This flow opens Agent Builder with a security session context and the default agent used in {{elastic-sec}} (the [Elastic AI Agent](/explore-analyze/ai-features/agent-builder/builtin-agents-reference.md#elastic-ai-agent)).

Security skills such as `threat-hunting` and `alert-analysis` activate as needed based on your prompts. When the assistant responds, the rule appears in the chat as a rich attachment that shows the rule type, description, query with syntax highlighting, index patterns, tags, severity and risk score, and schedule. It draws on the attached rule to help with detection intent, query logic, MITRE ATT&CK coverage, timing and scheduling, and rule metadata quality.

:::{note}
Agent Builder only has access to the fields included in the rule attachment. It does not retrieve [exception lists](/solutions/security/detect-and-alert/add-manage-exceptions.md). Rules reference exceptions by ID only.
:::

If your role has the [privileges required to manage detection rules](/solutions/security/detect-and-alert/detections-privileges.md), use **Apply to creation** or **Update rule** on that attachment to open the create or edit rule form with the fields filled in.

If your role does not have access to managing rules, the actions aren't shown. On the **Create rule** or **Edit rule** page, when the Agent Builder flyout is open at the same time, the rule fields in the form and the rule attachment in the chat update together when you edit either side.

## Use Agent Builder and Workflows together

[Workflows](/explore-analyze/workflows.md) is an automation engine built into the Elastic platform. You can define workflows declaratively in YAML to create deterministic, event-driven automation, without building custom integrations or switching context from your Elastic environment. Combined with Agent Builder, Workflows enable you to:
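Review bot: the note beginning "Agent Builder only has access to the fields included in the rule attachment" should spell out the consequence for anyone acting on the agent's output: because exception lists are not retrieved, any assessment of query breadth or likely false positives ignores exceptions already attached to the rule, so those suggestions need checking against the rule's actual exception items before being applied. Separately, the paragraph starting "If your role does not have access to managing rules, the actions aren't shown." mixes the privilege statement with the unrelated two-way sync between the rule form and the chat attachment; move the sync sentence into its own paragraph, and consider stating explicitly that **Apply to creation** and **Update rule** only open the form with the fields filled in, so the saved rule is not changed until the user saves it there.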
Expand All @@ -55,14 +83,14 @@
You can create a workflow that:

- Runs periodically, and initiates Attack Discovery when it runs
- Sends any discovered attacks to the Threat Hunting agent to analyze and create a report
- Sends any discovered attacks to an AI agent to analyze and create a report
- Sends that report to a third-party incident management platform and sends alerts to your team

### Example 2: Triage an alert with a workflow
You can create a workflow that:

- Triggers automatically when a rule generates an alert
- Provides the alert data to the Threat Hunting agent with a pre-defined prompt such as `analyze this alert, check whether it's connected to existing attacks, and identify all implicated entities`
- Provides the alert data to an AI agent with a pre-defined prompt such as `analyze this alert, check whether it's connected to existing attacks, and identify all implicated entities`
- Creates a report based on what it finds and sends it to a Slack channel
- Suggests next steps

Expand All @@ -76,7 +104,7 @@
- Manually correlate new alert with its context
- Make a triage decision

With Agent Builder, you can automate this process to speed it up and require less user input. For example, in response to the prompt `"Analyze alert abc123. What's the entity risk score for the affected host? Are there any related attack discoveries in the last 24 hours?"` Agent Builder (using the Threat Hunting agent and its assigned tools) would take the following actions:
With Agent Builder, you can automate this process to speed it up and require less user input. For example, in response to the prompt `"Analyze alert abc123. What's the entity risk score for the affected host? Are there any related attack discoveries in the last 24 hours?"` an AI agent would take the following actions:

- Fetch alert details (using `alerts_tool`)
- Retrieve entity risk scores (using `entity_risk_score_tool`)
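Review bot: dropping "(using the Threat Hunting agent and its assigned tools)" leaves the bullet list that follows unexplained, because `alerts_tool` and `entity_risk_score_tool` are only available to an agent that has those tools assigned. Suggest "an AI agent with the security tools assigned would take the following actions:" so readers understand why a custom agent without those tools would not produce the same result.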
Expand Up @@ -67,6 +67,11 @@ Edit rule settings to modify detection logic, notifications, schedules, and othe
3. The **Edit rule settings** view opens, where you can modify the [rule's settings](/solutions/security/detect-and-alert/using-the-rule-ui.md). To [snooze](/solutions/security/detect-and-alert/manage-detection-rules.md#snooze-rule-actions) rule actions, go to the **Actions** tab and click the bell icon {icon}`bell`.
4. Click **Save changes**.

:::{note}
:applies_to: {"stack": "ga 9.4", "serverless": "ga"}
From the rule details page or the **Edit rule settings** view, you can use **Add to chat** to pass the rule to an AI Agent for analysis and suggestions. Refer to [Create and refine detection rules in Agent Builder](/solutions/security/ai/agent-builder/agent-builder.md#create-and-refine-detection-rules-in-agent-builder).
:::

### Bulk edit rule settings [bulk-edit-rules]

Use bulk editing to update settings on multiple rules simultaneously. Rules that can't be modified are automatically skipped, for example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views.
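Review bot: "AI Agent" in the new note is capitalized differently from "an AI agent" in the agent-builder.md changes in this PR; pick one form (lowercase "AI agent" when generic, "Elastic AI Agent" when naming the default agent). The note could also say that applying the agent's suggestions back to the rule requires the detection-rule privileges described in the linked section, since the apply and update actions on the attachment are hidden without them, which readers arriving from this edit procedure will not expect.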
12 changes: 12 additions & 0 deletions solutions/security/detect-and-alert/validate-and-test-rules.md
Expand Up @@ -29,6 +29,18 @@ When reviewing the rule preview results, look for:
If the rule uses [alert suppression](/solutions/security/detect-and-alert/alert-suppression.md), use the rule preview to visualize how suppression affects the alert output. This helps you confirm that suppression is grouping events as expected before the rule goes live.
::::

## Validate using AI [validate-using-ai]

Elastic's AI chat experiences can review your rule's logic and suggest improvements. You can use AI to check whether a query is too broad, identify likely false positive patterns, verify MITRE ATT&CK alignment, or evaluate scheduling and suppression settings.

With [AI Assistant](/solutions/security/ai/ai-assistant.md), you can describe a rule or paste its query into a chat and ask validation-related questions such as:

- "Does this query match more broadly than intended? What legitimate activity could it catch?"
- "What MITRE ATT&CK techniques does this rule cover, and are there gaps?"
- "Is a 5-minute scheduling interval appropriate for this data source, or would a longer interval reduce noise without missing threats?"

{applies_to}`stack: ga 9.4` {applies_to}`serverless: ga` With [Agent Builder](/explore-analyze/ai-features/ai-chat-experiences/ai-agent-or-ai-assistant.md), refer to [Create and refine detection rules in Agent Builder](/solutions/security/ai/agent-builder/agent-builder.md#create-and-refine-detection-rules-in-agent-builder) to attach a detection rule and provide the full rule definition as context. This removes the need to copy and paste and gives the agent access to all rule fields when answering your questions.

## Run manual tests [manual-test-run]

For rules that are already enabled, you can [manually run](/solutions/security/detect-and-alert/manage-detection-rules.md#manually-run-rules) them over a specific time range to test behavior against real data. Unlike preview, manual runs create actual alerts and trigger rule actions.
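Review bot: the "Validate using AI" section sits between rule preview and manual test runs but never connects them; add a sentence saying that AI suggestions about query breadth, false positives or scheduling are hypotheses to confirm with the rule preview (and a manual run for enabled rules) before the change goes live, since the AI only receives the rule definition as context, not the events the query would actually match. Also, the inline `{applies_to}` badges at the start of the final paragraph read as part of the sentence; the `:::{note}` with `:applies_to:` used in manage-detection-rules.md in this PR is the cleaner pattern here.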