# Working Alerts

> Investigate alerts, start response-agent triage, and record dispositions

Use the alert detail page to move an alert from detection or intake through investigation and closure.

## Open an alert

1. Go to **Triage > Alerts**.
2. Search or filter the list.
3. Select an alert to open its detail page.

The detail page shows the alert title, description, payload, source metadata, severity, status, assignee, and activity timeline.

## Update the alert record

Analysts can keep the alert record current while triage progresses:

* Click the title to rename it.
* Click the description to edit the markdown summary.
* Use the **Severity** menu to change severity.
* Use the **Status** menu to move the alert through its lifecycle.
* Add timeline comments in **Activity**.

Every change is recorded in the alert activity timeline.

## Start response-agent triage

Assigning a response agent starts triage immediately.

<Steps>
  <Step title="Choose an assignee">
    In the alert sidebar, open **Assignee** and select a response agent.
  </Step>

  <Step title="Cotool creates a triage run">
    Cotool starts a response-agent run with the alert context, recent
    activity, source metadata, and alert-triage instructions.
  </Step>

  <Step title="Review the live run">
    The triage run opens in a side drawer so you can watch reasoning, tool
    calls, and final output without leaving the alert.
  </Step>

  <Step title="Continue if needed">
    If the run asks for input or you want a follow-up, continue the
    conversation from the drawer.
  </Step>
</Steps>

<Note>
  Only one response agent can actively triage an alert at a time. If a triage
  run is still running, wait for it to finish or stop it from the timeline
  before reassigning.
</Note>

## What response agents do during alert triage

When a response agent handles an alert, Cotool automatically adds alert-triage instructions to the run. The agent is expected to:

* Read the latest alert context and timeline
* Investigate with its available tools
* Improve a generic title or description before changing status
* Add a final summary comment with evidence, conclusion, and gaps
* Update status before completing
* Escalate confirmed malicious or security-relevant alerts for human review

Response agents get native alert tools for reading the alert, adding comments, updating status, and updating title or description. They should not create a second alert for the same work.

## Close or reopen an alert

Close an alert by choosing one of the terminal statuses:

* **Closed · True Positive**
* **Closed · False Positive**
* **Closed · Benign**

Reopen a closed alert by setting it back to **Open** or **In Progress**. The previous disposition remains visible in the activity timeline.

## Permissions

Alert workflows use these permissions:

| Permission      | Allows                                                |
| --------------- | ----------------------------------------------------- |
| `alert.triage`  | Comment on alerts and change alert status.            |
| `alert.manage`  | Start response-agent triage and manage alert routing. |
| `agent.execute` | Run the selected response agent.                      |
| `agent.read`    | Read alerts tied to agents the user can access.       |

Starting triage requires both `alert.manage` and `agent.execute` for the response agent.
