Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.cotool.ai/llms.txt

Use this file to discover all available pages before exploring further.

Prerequisites

Before creating an agent, you should:
1

Connect Integrations

Authenticate the tools your agent will use (Jira, Splunk, SentinelOne, etc.)Navigate to Settings > Integrations and connect relevant services
2

Define the Use Case

Be clear about what the agent should do:
  • What problem does it solve?
  • What triggers it?
  • What tools does it need?
  • What output should it produce?
3

(Optional) Prepare Context Docs

If your agent needs reference material (runbooks, policies, FP lists), have those ready in Google Docs or Notion

Creation Methods

You can create agents in three ways:

From Chat (Recommended)

Convert a successful chat session

From Scratch (Advanced)

Build a custom agent with full control

From Template

Start with a pre-built template

Method 1: Create From Scratch

1

Navigate to Agents

Click Agents in the sidebar, then Create Agent
2

Basic Information

Fill in the basics:Name: Short, descriptive name (e.g., “SentinelOne Alert Triage”)Description: What does this agent do? Who uses it?
3

Write System Prompt

This is the core of your agent. Write clear instructions about:
  • The agent’s role
  • What it should do
  • When to use which tools
  • How to format output

Prompt Engineering Guide → Learn how to write effective prompts
4

Select Tools

Choose which tools the agent can use:
  • Browse by category (SIEM, EDR, Ticketing, etc.)
  • Or search by name
  • Grant only what’s needed for the task
Tip: Start with fewer tools, add more as needed
5

Attach Skills (Optional)

Add reusable skills when part of the workflow should stay consistent across multiple agents:
  • Standard investigation procedures
  • Output formats and reporting templates
  • Reusable enrichment or triage playbooks
Cotool will warn you if a selected skill requires tools this agent does not have.

Learn about Skills -> Reusable instructions and resources for agents
6

Add Context Documents (Optional)

Link Google Docs or Notion pages that provide reference information:
  • Runbooks and procedures
  • Known false positive lists
  • Contact directories
  • Policy documents
The agent will have access to these during execution
7

Configure Settings

Planning Mode:
  • never: Agent acts immediately (faster, good for simple tasks)
  • auto: Agent decides if planning is needed
  • always: Agent always creates a plan first (better for complex tasks)
Max Tool Calls: Limit how many tools the agent can call (default: 25)Timeout: Maximum execution time (default: 5 minutes)
8

Save and Test

Click Create Agent. You’ll be taken to the agent detail page.Next, test it using the Builder interface!

Method 2: Create From Template

Templates are pre-built agents for common use cases:
1

Browse Templates

Click Agents > Create Agent > From Template
2

Choose Template

Select from templates
3

Customize

Templates come with:
  • Pre-written system prompt (edit to fit your needs)
  • Recommended tools (add/remove as needed)
  • Example context documents
Customize these for your environment
4

Configure Integrations

Ensure you have the required integrations connected (template will list them)
5

Test & Deploy

Use Builder to test with real data, then set up triggers

Browse Templates → See all available templates

Method 3: Create From Chat

If you’ve had a successful chat session, convert it to an agent:
1

Complete Chat Session

Use the Chat interface to work through your use case
2

Review the Session

Make sure the chat achieved the desired outcome with good tool usage
3

Click 'Create Agent'

In the chat interface, click Create Agent from Chat
4

Auto-Generated Prompt

Cotool analyzes the chat session and generates:
  • System prompt based on your conversation
  • Tool list from what was used
  • Planning mode based on complexity
5

Refine and Save

Review the generated prompt, make adjustments, and save

Learn More → Creating agents from chat sessions

What Happens After Creation?

Once you create an agent:
Use the Builder to:
  • Test with sample inputs
  • Refine the system prompt
  • Verify tool usage
  • Check output format
Don’t skip this step! Testing before deploying prevents issues.

Common Patterns

Pattern: Alert Enrichment Agent

Goal: Automatically enrich security alerts

Tools Needed:
- get_sentinelone_alert
- search_splunk
- virustotal_check_hash
- update_jira_ticket

Trigger: Jira issue created (type=Security Alert)

Prompt Focus:
- Extract indicators from alert
- Search for related activity
- Check threat intelligence
- Summarize findings in ticket

Pattern: Scheduled Report Agent

Goal: Weekly access review report

Tools Needed:
- list_okta_users
- list_aws_iam_roles
- list_google_workspace_groups
- send_slack_message

Trigger: Cron (every Monday 9am)

Prompt Focus:
- Gather user/permission data
- Identify anomalies or stale accounts
- Generate formatted report
- Post to #security-reports

Pattern: On-Demand Research Agent

Goal: Ad-hoc investigations via chat

Tools Needed:
- search_splunk
- list_sentinelone_alerts
- get_okta_user
- virustotal_*

Trigger: Chat (no automatic trigger)

Prompt Focus:
- Help analyst investigate indicators
- Provide context and enrichment
- Suggest next steps
- Generate summary reports

Agent Configuration Options

When creating an agent, you can configure:
Choose which LLM powers your agent:
  • General-purpose hosted model: Strong reasoning, tool use, and instruction following
  • High-speed/cost-optimized hosted model: Good fit for simpler tasks or high volume
  • Custom or self-hosted: Bring your own fine-tuned or on-prem model
  • never: Agent acts immediately (faster, 1-2 tool calls)
  • auto: Agent decides if planning helps (balanced)
  • always: Agent creates detailed plan first (complex multi-step tasks)
Tip: Start with auto, adjust based on results
Grant only necessary tools. Over-granting tools:
  • Increases token usage (all tools described to LLM)
  • Can confuse the agent
  • Creates security risk
Best Practice: Start minimal, add tools as needed
Skills let you attach reusable instructions and supporting files to multiple agents.Use them for:
  • Standard operating procedures
  • Shared report formats
  • Repeatable investigation workflows
Best Practice: Put reusable workflow logic in skills, and keep the main system prompt focused on the agent’s overall role.
Link up to 10 documents per agent. Documents are loaded into context at runtime.Size Limits:
  • 50KB per document (plain text equivalent)
  • Agent has ~200KB total context window
Tip: Keep docs focused and concise
Define how this agent should be evaluated:
  • Accuracy of findings
  • Completeness of investigation
  • Clarity of output
  • Appropriate tool usage
Used for automated scoring and prompt optimization

Tips for Success

Start Small: Create a focused agent that does one thing well. It’s easier to expand scope than to debug an overly complex agent.
Test Extensively: Use Builder to test many scenarios before deploying triggers. This catches issues early.
Monitor Early: Check first 10-20 executions closely. This is when you’ll discover prompt issues or missing tools.
Iterate Quickly: Don’t aim for perfection on first try. Deploy, observe, improve. Agents get better over time.

Troubleshooting Common Issues

Fix: Make tool usage more explicit in system prompt:“Always start by calling get_sentinelone_alert to fetch full alert details”
Fix: Provide a template in the prompt:“Format your response exactly like this: [template]”
Fix:
  • Reduce number of granted tools
  • Set planning mode to never
  • Remove verbose context documents
  • Check if tools themselves are slow (API performance)
Fix:
  • Add decision criteria to prompt
  • Provide examples of good/bad decisions
  • Check if context documents have necessary info
  • Verify tool outputs are correct