Migrate infosec agentic alert triage workflows to Agent Builder skills

[patrykkopycinski]

Summary

Migrates the agentic-alert-triage workflows from elastic/infosec into user-created Agent Builder skills, with framework fixes to unblock @kbn/evals execution.

Migration artifacts

• 14 skill definitions as JSON files ready for import via Agent Builder API:
  • L1 Investigation, L1 Triage, Threshold Context
  • 9 L2 domain skills (AWS, Azure, GCP, Linux, macOS, Windows, Okta, Source IP, Cloud Forensics)
  • L3 Review, Orchestrator
• Feature-flagged workflow YAML with use_orchestrator toggle for gradual rollout
• Import script (import_skills.sh) for automated skill import/update
• Gap RFC documenting missing built-in tools needed for full migration

@kbn/evals framework fixes

Two bugs prevented Playwright workers from executing @kbn/evals test suites:

1. .text file imports crash workers — @kbn/evals evaluators import .text files (LLM prompt templates) that need a require hook. Added dot_text_setup.ts in @kbn/scout (mirroring the existing peggy_setup.ts pattern).

2. NO_COLOR env warning kills workers — Playwright sets FORCE_COLOR while NO_COLOR may also be present. Node emits a warning, and exit_on_warning.js terminates the process. Added to the ignore list.

Eval suite

5 test cases using @kbn/evals with EDOT tracing:

• L1 Investigation produces structured Markdown with verdict
• L1 Triage classifies benign alert correctly
• L1 Triage classifies suspicious alert correctly
• Orchestrator produces full triage report
• Orchestrator handles benign alert with appropriate assessment

Test plan

• @kbn/evals suites no longer crash with .text SyntaxError or NO_COLOR warning
• node scripts/evals run --suite agent-builder --grep triage runs all 5 tests
• Skills can be imported via bash import_skills.sh against a running Kibana with Agent Builder enabled
• Manual smoke test via /api/agent_builder/converse produces expected output

Made with Cursor

Production-Readiness Checklist — Agent Skills Ecosystem

Generated against [Epic] Creation of the Agent Skills Ecosystem for Elastic Security.

Narrative role: Concrete proof the Agent Builder skill contract can carry real SOC workflows. Migrates the internal agentic-alert-triage suite, so it's also the reference for everyone else migrating from bespoke pipelines.

Must-do before this can ship

• Extract the two @kbn/evals framework fixes (.text require hook + NO_COLOR worker crash) into a tiny standalone PR and merge it this week — every eval-using PR in the program depends on it
• Replace import_skills.sh with the #255890 CLI so the same skill can be shipped out-of-band
• Turn the "Gap RFC of missing built-in tools" into child issues (cases.addAlerts, cases.findCases, timeline.create, response_actions, etc.) and link them to this epic
• Expand the eval matrix from 5 cases to the full L1 / L2 (per-domain) / L3 rubric
• Fix the 1 failing CI check
• Each of the 14 skills must pass the "Skill Authoring Standard" validator (feature flag, param-bound queries, scope claim, disclaimer where relevant)

Follow-ups (post-merge)

• Land the use_orchestrator toggle as a Workflows template (out-of-band delivery) instead of YAML in the repo
• Dogfood against live infosec tickets, report the vision's KPIs (time saved, accept rate)

[patrykkopycinski]

/ci

[elasticmachine]

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

• Click to trigger kibana-pull-request for this PR!
• Click to trigger kibana-deploy-project-from-pr for this PR!
• Click to trigger kibana-deploy-cloud-from-pr for this PR!
• Click to trigger kibana-entity-store-performance-from-pr for this PR!
• Click to trigger kibana-storybooks-from-pr for this PR!

[patrykkopycinski]

/ci

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: effbdcd

Failed CI Steps

• Quick Checks
• Checks
• Linting

Metrics [docs]

✅ unchanged

History

• 💔 Build #412292 failed c565481