elastic
diff --git a/‎x-pack/solutions/security/plugins/security_solution/server/agent_builder/skills/automatic_troubleshooting/index.test.ts‎
Lines changed: 2 additions & 2 deletions b/‎x-pack/solutions/security/plugins/security_solution/server/agent_builder/skills/automatic_troubleshooting/index.test.ts‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎x-pack/solutions/security/plugins/security_solution/server/agent_builder/skills/automatic_troubleshooting/index.ts‎
Lines changed: 10 additions & 2 deletions b/‎x-pack/solutions/security/plugins/security_solution/server/agent_builder/skills/automatic_troubleshooting/index.ts‎
Lines changed: 10 additions & 2 deletions
@@ -69,13 +69,13 @@ describe('createAutomaticTroubleshootingSkill', () => {
   });
 
   describe('getInlineTools', () => {
-    it('returns three inline tools', () => {
+    it('returns four inline tools', () => {
       const skill = createAutomaticTroubleshootingSkill(mockEndpointAppContextService);
 
       const inlineTools = skill.getInlineTools?.();
 
       expect(inlineTools).toBeDefined();
-      expect(inlineTools).toHaveLength(3);
+      expect(inlineTools).toHaveLength(4);
     });
 
     it('includes get_package_configurations tool', async () => {
 
@@ -14,6 +14,7 @@ import {
   getPackageConfigurationsTool,
   generateInsightTool,
   checkEndpointPackageFreshnessTool,
+  getEndpointArtifactsTool,
 } from './tools';
 import { AVAILABLE_INDICES } from './data_sources';
 import { STALE_ENDPOINT_PACKAGE_MESSAGE } from '../../../../common/endpoint/utils/is_endpoint_package_stale';
@@ -29,6 +30,7 @@ export const GENERATE_INSIGHT_TOOL_ID = toolName('generate_insight');
 export const CHECK_ENDPOINT_PACKAGE_FRESHNESS_TOOL_ID = toolName(
   'check_endpoint_package_freshness'
 );
+export const GET_ENDPOINT_ARTIFACTS_TOOL_ID = toolName('get_endpoint_artifacts');
 
 export const createAutomaticTroubleshootingSkill = (
   endpointAppContextService: EndpointAppContextService
@@ -50,6 +52,9 @@ You MUST use this skill when the user mentions ANY of these:
 - Endpoint protection not applying or not updating
 - Elastic Defend package configuration questions
 - Endpoint isolation, response action, or policy sync issues
+- Endpoint exceptions, trusted apps, trusted devices, event filters, blocklists, or host isolation exceptions not working as expected
+- Security alerts or events still appearing despite a configured endpoint exception or allowlist
+- Unexpected allow or block behavior on endpoints
 
 ## Available Indices
 
@@ -62,13 +67,14 @@ Reference './available_indices' for the list of indices available for troublesho
 - **${platformCoreTools.search}** - Query raw data from available indices for troubleshooting evidence
 - **${platformCoreTools.getDocumentById}** - Retrieve full document content by ID from query results
 - **${GET_PACKAGE_CONFIGURATIONS_TOOL_ID}** - Inspect Elastic Defend package configuration details
+- **${GET_ENDPOINT_ARTIFACTS_TOOL_ID}** - Query endpoint artifacts (endpoint exceptions, trusted apps, trusted devices, event filters, host isolation exceptions, blocklists)
 - **${GENERATE_INSIGHT_TOOL_ID}** - Persist structured troubleshooting findings (mandatory final step)
 
 ## Troubleshooting Approach
 
 1. **Check package freshness** - Call ${CHECK_ENDPOINT_PACKAGE_FRESHNESS_TOOL_ID} first. If \`stale: true\`, output this exact line before anything else, substituting the version values: "⚠️ ${STALE_ENDPOINT_PACKAGE_MESSAGE}" Do not add to or rephrase this line. Then continue the investigation. If the check fails or the package is fresh, proceed without comment.
 2. **Gather context** - Use ${platformCoreTools.integrationKnowledge} to retrieve relevant Elastic Defend knowledge that informs the analysis approach.
-3. **Investigate data** - Use ${platformCoreTools.search} to query relevant indices for evidence of errors, warnings, misconfigurations, or incompatibilities. Use ${platformCoreTools.getDocumentById} to retrieve full documents when needed. Use ${GET_PACKAGE_CONFIGURATIONS_TOOL_ID} to inspect Elastic Defend package configuration if relevant.
+3. **Investigate data** - Use ${platformCoreTools.search} to query relevant indices for evidence of errors, warnings, misconfigurations, or incompatibilities. Use ${platformCoreTools.getDocumentById} to retrieve full documents when needed. Use ${GET_PACKAGE_CONFIGURATIONS_TOOL_ID} to inspect Elastic Defend package configuration if relevant. When the issue involves unexpected allow/block/filtering behavior, isolation failures, or missing alerts, use ${GET_ENDPOINT_ARTIFACTS_TOOL_ID} to check if endpoint artifacts could be the cause. Call without artifactType first to see what artifact types exist, then query specific types for details. Use the policyId filter to narrow results to the affected endpoint's policy. Note: endpoint_exceptions can affect both the endpoint agent AND detection engine alerts depending on per-policy opt-in configuration — consider this when investigating missing alerts.
 4. **Iterate** - Continue querying and gathering context until the root cause or relevant findings are understood.
 5. **Persist findings** - Call ${GENERATE_INSIGHT_TOOL_ID} with a clear problem description, actionable remediation steps, affected endpoint IDs, and relevant raw documents.
 
@@ -101,7 +107,8 @@ Reference './available_indices' for the list of indices available for troublesho
     id: ID,
     name: NAME,
     basePath: BASE_PATH,
-    description: 'Troubleshoot Elastic Defend endpoint configuration issues',
+    description:
+      'Troubleshoot Elastic Defend endpoint configuration issues — policies, endpoint exceptions, trusted apps, blocklists, etc.',
     content: systemInstructions,
     referencedContent: [
       {
@@ -119,6 +126,7 @@ Reference './available_indices' for the list of indices available for troublesho
       return [
         checkEndpointPackageFreshnessTool(endpointAppContextService),
         getPackageConfigurationsTool(endpointAppContextService),
+        getEndpointArtifactsTool(endpointAppContextService),
         generateInsightTool(),
       ];
     },