Alert routing controls where new alerts go after Cotool creates them. Use it to automatically start response-agent triage for detection alerts and to understand which triggers are creating alert work.

Open routing

Go to Triage > Sources & Routing. The page shows:
  • Alert volume from the last 30 days
  • Alert sources
  • Open unassigned detection alerts
  • Response agents that can handle alerts
  • A flow diagram from sources to response agents
  • The default route for detection-created alerts

Detection alert routing

Detection-created alerts follow this order:
  1. Use the detection’s override if one exists.
  2. Otherwise use the organization default response agent.
  3. If the effective setting is unassigned, create the alert and leave it open.
When a response agent is configured, Cotool creates the alert and immediately starts a triage run for that agent.

Set the organization default

  1. Go to Triage > Sources & Routing.
  2. Find Default detection route.
  3. Choose a response agent, or choose Unassigned to keep new detection alerts open.
Detections without their own override inherit this default.

Override one detection

  1. Open the detection agent.
  2. Go to its configuration page.
  3. Find Alert Routing.
  4. Choose one of:
    • Inherit organization default
    • Leave alerts unassigned
    • A specific response agent
  5. Click Save Routing.
Use Leave alerts unassigned for detections that should create reviewable alerts but should not automatically start agent triage.

Trigger-created alerts

Response-agent triggers can create alerts when Create alert on trigger is enabled. Default behavior by trigger type:
Trigger | Default
Email | Create alerts
Webhook | Create alerts
Jira | Create alerts
Jira Automation | Create alerts
Linear | Create alerts
Bugcrowd | Create alerts
Slack | Do not create alerts
Schedule | Do not create alerts

You can change the toggle when creating or editing the trigger. Trigger-created alerts are assigned to the response agent that owns the trigger, and Cotool starts that agent’s triage run from the alert. Cotool stores the original trigger payload with the alert. The alert detail page shows the payload in Alert Payload when it is available.

Routing outcomes

Source | If routing is configured | If routing is not configured
Cotool detection | Alert is created and response-agent triage starts. | Alert is created open and unassigned.
Response-agent trigger | Alert is created for the trigger’s response agent when the toggle is on. | No alert is created when the toggle is off.

Keep routing healthy

Review Sources & Routing when:
  • New detection alerts are piling up as open and unassigned
  • A response agent is deleted or disabled
  • A detection should be handled by a different response agent than the organization default
  • A trigger is producing too many or too few alerts
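
The routing order under Detection alert routing and the review conditions above can be checked offline against a copy of your routing settings. This is an added example, not Cotool code or a Cotool API: the dictionary shapes, agent names, detection names and function names are all hypothetical and constructed for illustration.

```python
# Added example. Inputs are constructed; they are not a Cotool export format.
INHERIT, UNASSIGNED = "inherit", "unassigned"


def effective_route(override, org_default):
    """Apply the documented order: detection override first, then organization default.

    Returns the response agent name, or None when the effective setting is unassigned.
    """
    route = org_default if override in (None, INHERIT) else override
    return None if route in (None, UNASSIGNED) else route


def audit_routing(detections, org_default, agents):
    """List (detection, effective agent, finding) for routes that need review.

    detections: {detection name: override setting}
    agents:     {response agent name: True if enabled, False if disabled}
    """
    findings = []
    for name, override in sorted(detections.items()):
        agent = effective_route(override, org_default)
        if agent is None:
            findings.append((name, None, "alerts stay open and unassigned"))
        elif agent not in agents:
            findings.append((name, agent, "response agent not found"))
        elif not agents[agent]:
            findings.append((name, agent, "response agent is disabled"))
    return findings


# Constructed sample settings.
SAMPLE_AGENTS = {"phishing-triage": True, "cloud-triage": False}
SAMPLE_DETECTIONS = {
    "impossible-travel": INHERIT,              # follows the organization default
    "suspicious-oauth-grant": "cloud-triage",  # override to a disabled agent
    "new-admin-role": UNASSIGNED,              # deliberately left for manual review
    "legacy-rule": "retired-agent",            # override to an agent that no longer exists
}

if __name__ == "__main__":
    for row in audit_routing(SAMPLE_DETECTIONS, "phishing-triage", SAMPLE_AGENTS):
        print(row)
```

Changing the organization default in the call shows how many inheriting detections move with it, which is the main thing to check before disabling or deleting a response agent.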