Open an alert
- Go to Triage > Alerts.
- Search or filter the list.
- Select an alert to open its detail page.
Update the alert record
Analysts can keep the alert record current while triage progresses:
- Click the title to rename it.
- Click the description to edit the markdown summary.
- Use the Severity menu to change severity.
- Use the Status menu to move the alert through its lifecycle.
- Add timeline comments in Activity.
Start response-agent triage
Assigning a response agent starts triage immediately.
Cotool creates a triage run
Cotool starts a response-agent run with the alert context, recent
activity, source metadata, and alert-triage instructions.
Review the live run
The triage run opens in a side drawer so you can watch reasoning, tool
calls, and final output without leaving the alert.
Only one response agent can actively triage an alert at a time. If a triage
run is still running, wait for it to finish or stop it from the timeline
before reassigning.
What response agents do during alert triage
When a response agent handles an alert, Cotool automatically adds alert-triage instructions to the run. The agent is expected to:
- Read the latest alert context and timeline
- Investigate with its available tools
- Improve a generic title or description before changing status
- Add a final summary comment with evidence, conclusion, and gaps
- Update status before completing
- Escalate confirmed malicious or security-relevant alerts for human review
Close or reopen an alert
Close an alert by choosing one of the terminal statuses:
- Closed · True Positive
- Closed · False Positive
- Closed · Benign
Permissions
Alert workflows use these permissions:

| Permission | Allows |
|---|---|
| alert.triage | Comment on alerts and change alert status. |
| alert.manage | Start response-agent triage and manage alert routing. |
| agent.execute | Run the selected response agent. |
| agent.read | Read alerts tied to agents the user can access. |
alert.manage and agent.execute for the response agent.