Prerequisites
Before creating an agent, you should:
Connect Integrations
Authenticate the tools your agent will use (Jira, Splunk, SentinelOne, etc.)
Navigate to Settings > Integrations and connect relevant services
Define the Use Case
Be clear about what the agent should do:
- What problem does it solve?
- What triggers it?
- What tools does it need?
- What output should it produce?
Creation Methods
You can create agents in three ways:
From Chat (Recommended)
Convert a successful chat session
From Scratch (Advanced)
Build a custom agent with full control
From Template
Start with a pre-built template
Prefer to manage agents as code? You can also define response agents as YAML in your own GitHub repo and let Cotool sync them in. See Response Agents as Code.
Method 1: Create From Scratch
Basic Information
Fill in the basics:
- Name: Short, descriptive name (e.g., “SentinelOne Alert Triage”)
- Description: What does this agent do? Who uses it?
Write System Prompt
This is the core of your agent. Write clear instructions about:
- The agent’s role
- What it should do
- When to use which tools
- How to format output
Prompt Engineering Guide → Learn how to write effective prompts
Select Tools
Choose which tools the agent can use:
- Browse by category (SIEM, EDR, Ticketing, etc.)
- Or search by name
- Grant only what’s needed for the task
Attach Skills (Optional)
Add reusable skills when part of the workflow should stay consistent across multiple agents:
- Standard investigation procedures
- Output formats and reporting templates
- Reusable enrichment or triage playbooks
Learn about Skills -> Reusable instructions and resources for agents
Add Context Documents (Optional)
Link Google Docs or Notion pages that provide reference information:
- Runbooks and procedures
- Known false positive lists
- Contact directories
- Policy documents
Configure Settings
Planning Mode:
- never: Agent acts immediately (faster, good for simple tasks)
- auto: Agent decides if planning is needed
- always: Agent always creates a plan first (better for complex tasks)
Method 2: Create From Template
Templates are pre-built agents for common use cases:
Customize
Templates come with:
- Pre-written system prompt (edit to fit your needs)
- Recommended tools (add/remove as needed)
- Example context documents
Configure Integrations
Ensure you have the required integrations connected (template will list them)
Browse Use Cases → See common agent patterns
Method 3: Create From Chat
If you’ve had a successful chat session, convert it to an agent:
Auto-Generated Prompt
Cotool analyzes the chat session and generates:
- System prompt based on your conversation
- Tool list from what was used
- Planning mode based on complexity
Learn More → Creating agents from chat sessions
What Happens After Creation?
Once you create an agent:
- Test in Builder
- Set Up Triggers
- Monitor Performance
- Iterate & Improve
Use the Builder to:
- Test with sample inputs
- Refine the system prompt
- Verify tool usage
- Check output format
Common Patterns
Pattern: Alert Enrichment Agent
Pattern: Scheduled Report Agent
Pattern: On-Demand Research Agent
Agent Configuration Options
When creating an agent, you can configure:
Model Selection
Choose which LLM powers your agent:
- General-purpose hosted model: Strong reasoning, tool use, and instruction following
- High-speed/cost-optimized hosted model: Good fit for simpler tasks or high volume
- Custom or self-hosted: Bring your own fine-tuned or on-prem model
Planning Mode
- never: Agent acts immediately (faster, 1-2 tool calls)
- auto: Agent decides if planning helps (balanced)
- always: Agent creates detailed plan first (complex multi-step tasks)
auto, adjust based on results
Tool Access
Grant only necessary tools. Over-granting tools:
- Increases token usage (all tools described to LLM)
- Can confuse the agent
- Creates security risk
Skills
Skills let you attach reusable instructions and supporting files to multiple agents.
Use them for:
- Standard operating procedures
- Shared report formats
- Repeatable investigation workflows
Context Documents
Link up to 10 documents per agent. Documents are loaded into context at runtime.
Size Limits:
- 50KB per document (plain text equivalent)
- Agent has ~200KB total context window
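A pre-deployment check for the settings above, as an added example that is not Cotool's own code: it applies this page's document limits, the three planning modes, and the grant-only-what's-needed rule to an agent definition. The dictionary layout, the field names, the tool name isolate_endpoint, and counting the system prompt against the ~200KB window are assumptions.

```python
# Added example: lint an agent definition against the limits stated on this page.
# The dict layout and field names are assumptions, not Cotool's schema.
import re

MAX_DOCS = 10                    # "up to 10 documents per agent"
MAX_DOC_BYTES = 50 * 1024        # "50KB per document (plain text equivalent)"
CONTEXT_BUDGET = 200 * 1024      # "~200KB total context window"
PLANNING_MODES = {"never", "auto", "always"}


def lint_agent(agent):
    """Return a list of findings; an empty list means the definition passed."""
    findings = []
    if agent.get("planning_mode") not in PLANNING_MODES:
        findings.append("planning_mode must be one of never/auto/always")

    docs = agent.get("context_documents", [])
    if len(docs) > MAX_DOCS:
        findings.append(f"{len(docs)} context documents linked; limit is {MAX_DOCS}")
    total = len(agent.get("system_prompt", "").encode("utf-8"))
    for doc in docs:
        size = len(doc["text"].encode("utf-8"))
        total += size
        if size > MAX_DOC_BYTES:
            findings.append(f"document '{doc['name']}' is {size} bytes; limit is {MAX_DOC_BYTES}")
    if total > CONTEXT_BUDGET:
        findings.append(f"prompt plus documents total {total} bytes; budget is {CONTEXT_BUDGET}")

    # Least privilege: a granted tool the prompt never names is a candidate
    # for removal (fewer tool descriptions sent to the LLM, less exposure).
    named = set(re.findall(r"[a-z][a-z0-9_]+", agent.get("system_prompt", "")))
    for tool in agent.get("tools", []):
        if tool not in named:
            findings.append(f"tool '{tool}' is granted but not referenced in the system prompt")
    return findings


# Constructed sample definition; isolate_endpoint is a hypothetical tool name.
SAMPLE_AGENT = {
    "name": "SentinelOne Alert Triage",
    "planning_mode": "auto",
    "system_prompt": "Always start by calling get_sentinelone_alert to fetch full alert details.",
    "tools": ["get_sentinelone_alert", "isolate_endpoint"],
    "context_documents": [{"name": "Known false positives", "text": "x" * (60 * 1024)}],
}

if __name__ == "__main__":
    for finding in lint_agent(SAMPLE_AGENT):
        print("FINDING:", finding)
```

Run against the sample, it reports the oversized document and the unreferenced isolate_endpoint grant.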
Evaluation Criteria
Define how this agent should be evaluated:
- Accuracy of findings
- Completeness of investigation
- Clarity of output
- Appropriate tool usage
Tips for Success
Start Small: Create a focused agent that does one thing well. It’s easier to expand scope than to debug an overly complex agent.
Test Extensively: Use Builder to test many scenarios before deploying triggers. This catches issues early.
Monitor Early: Check first 10-20 executions closely. This is when you’ll discover prompt issues or missing tools.
Iterate Quickly: Don’t aim for perfection on first try. Deploy, observe, improve. Agents get better over time.
Troubleshooting Common Issues
Agent doesn't use the right tools
Fix: Make tool usage more explicit in system prompt:
“Always start by calling get_sentinelone_alert to fetch full alert details”
Output format is inconsistent
Fix: Provide a template in the prompt:
“Format your response exactly like this: [template]”
Agent is too slow
Fix:
- Reduce number of granted tools
- Set planning mode to never
- Remove verbose context documents
- Check if tools themselves are slow (API performance)
Agent makes wrong decisions
Fix:
- Add decision criteria to prompt
- Provide examples of good/bad decisions
- Check if context documents have necessary info
- Verify tool outputs are correct