POST /api/detection-authoring/drafts
cURL
curl -X POST "https://app.cotool.ai/api/detection-authoring/drafts" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"chatId":"string","proposalId":"string","platform":"panther"}'
{
  "chatId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "organizationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "platform": "<string>",
  "name": "<string>",
  "description": "<string>",
  "query": "<string>",
  "mitreTechniqueIds": [
    "<string>"
  ],
  "mitreTechniqueNames": [
    "<string>"
  ],
  "dataSourcesRequired": [
    "<string>"
  ],
  "createdAt": "<string>",
  "updatedAt": "<string>",
  "proposalId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "reasoning": "<string>",
  "detectionIntent": {
    "methodLabel": "<string>",
    "rationale": "<string>",
    "keyKnobs": {}
  },
  "platformConfig": {
    "version": 123,
    "platform": "<string>",
    "queries": [
      {
        "name": "<string>",
        "query": "<string>",
        "dataSource": "logs",
        "groupByFields": [
          "<string>"
        ],
        "distinctFields": [
          "<string>"
        ]
      }
    ],
    "cases": [
      {
        "condition": "<string>",
        "name": "<string>"
      }
    ],
    "options": {
      "evaluationWindow": 123,
      "keepAlive": 123,
      "maxSignalDuration": 123,
      "decreaseCriticalityBasedOnEnv": true
    },
    "isEnabled": true
  },
  "prUrl": "<string>",
  "deployedAt": "<string>",
  "sourcePrUrl": "<string>",
  "sourcePublishedAt": "<string>",
  "isUnmodifiedFromSource": true
}

Authorizations

Authorization (string, header, required)

API Key authentication for programmatic access. Include your API key in the Authorization header as: Bearer your_api_key_here

Body

application/json
chatId (string<uuid>, required)
Chat ID for this draft session

proposalId (string<uuid>)
ID of the proposal to create a draft from (omit for blank drafts)

platform (enum<string>)
Platform for blank drafts (required when proposalId is omitted)
Available options: panther, sublime, scanner, datadog, splunk, sentinelone, elastic, sumologic, runreveal

Response

Successful response

chatId (string<uuid>, required)
organizationId (string<uuid>, required)
platform (string, required)
name (string, required)
description (string, required)
query (string, required)
mitreTechniqueIds (string[], required)
mitreTechniqueNames (string[], required)
dataSourcesRequired (string[], required)
createdAt (string, required)
updatedAt (string, required)
proposalId (string<uuid>)
reasoning (string)
detectionIntent (object)
platformConfig (object)
prUrl (string<uri>)
deployedAt (string)
sourceStatus (enum<string>)
Available options: proposed, validated, validation_failed, published, pr_created, merged, rejected, dismissed
sourcePrUrl (string<uri>)
sourcePublishedAt (string)
isUnmodifiedFromSource (boolean)
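
The request and response rules listed above can be checked on the client before and after the call. The following is an added example, not part of the original reference or the vendor's own client code: it enforces the body rules (UUID fields, platform required when proposalId is omitted, platform limited to the listed options) and checks a decoded response for the required fields and a known sourceStatus. The function names and the COTOOL_API_KEY environment variable are assumptions made for this example.

```python
import json
import os
import urllib.request
import uuid

API_URL = "https://app.cotool.ai/api/detection-authoring/drafts"
PLATFORMS = {"panther", "sublime", "scanner", "datadog", "splunk",
             "sentinelone", "elastic", "sumologic", "runreveal"}
REQUIRED_FIELDS = {"chatId", "organizationId", "platform", "name", "description",
                   "query", "mitreTechniqueIds", "mitreTechniqueNames",
                   "dataSourcesRequired", "createdAt", "updatedAt"}
SOURCE_STATUSES = {"proposed", "validated", "validation_failed", "published",
                   "pr_created", "merged", "rejected", "dismissed"}


def build_draft_request(api_key, chat_id, proposal_id=None, platform=None):
    """Check the body against the documented rules; return an unsent Request."""
    if not api_key:
        raise ValueError("missing API key")
    body = {"chatId": str(uuid.UUID(chat_id))}  # ValueError if not a UUID
    if proposal_id is not None:
        body["proposalId"] = str(uuid.UUID(proposal_id))
    elif platform is None:
        raise ValueError("platform is required when proposalId is omitted")
    if platform is not None:
        if platform not in PLATFORMS:
            raise ValueError(f"unsupported platform: {platform!r}")
        body["platform"] = platform
    return urllib.request.Request(
        API_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})


def check_draft_response(draft):
    """Return a list of problems found in a decoded response object."""
    problems = [f"missing required field: {name}"
                for name in sorted(REQUIRED_FIELDS - set(draft))]
    status = draft.get("sourceStatus")
    if status is not None and status not in SOURCE_STATUSES:
        problems.append(f"unknown sourceStatus: {status!r}")
    return problems


if __name__ == "__main__":
    # COTOOL_API_KEY is an assumed variable name, not one the page defines.
    key = os.environ.get("COTOOL_API_KEY", "constructed-placeholder-key")
    req = build_draft_request(key, "3c90c3cc-0d44-4b50-8888-8dd25736052a", platform="panther")
    print(req.get_method(), req.full_url, req.data.decode())
```

The returned Request is not sent; pass it to urllib.request.urlopen and feed the decoded JSON to check_draft_response.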