POST /api/detection-rules/execute-query

cURL
curl -X POST "https://app.cotool.ai/api/detection-rules/execute-query" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query":"string","platform":"string","platformConfig":{"version":1,"platform":"datadog","queries":[{"name":"string","query":"string","aggregation":"count","dataSource":null,"groupByFields":["string"],"distinctFields":["string"]}],"cases":[{"status":"info","condition":"string","name":"string"}],"options":{"detectionMethod":"threshold","evaluationWindow":0,"keepAlive":0,"maxSignalDuration":0,"decreaseCriticalityBasedOnEnv":true},"isEnabled":true},"timeRangeHours":0,"maxRows":0}'

200 example response:

{
  "success": true,
  "rows": 123,
  "executionTimeMs": 123,
  "results": [
    {}
  ],
  "bytesScanned": 123,
  "error": "<string>",
  "datadogRulePreview": {
    "validation": {
      "valid": true,
      "error": "<string>"
    },
    "historicalPreview": {
      "fidelity": "full",
      "lookbackHours": 2,
      "estimatedSignals": 1,
      "windowsEvaluated": 1,
      "windowsTriggered": 1,
      "severityBreakdown": {},
      "topGroups": [
        {
          "group": {},
          "estimatedSignals": 1
        }
      ],
      "notes": [
        "<string>"
      ]
    }
  },
  "bestEstimate": {
    "count": 1,
    "timeRangeHours": 2,
    "basis": "estimated_detection_noisiness",
    "quality": "authoritative",
    "source": "<string>"
  }
}


Authorizations

Authorization (string, header, required)

API Key authentication for programmatic access. Include your API key in the Authorization header as: Bearer your_api_key_here

Body (application/json)

query (string, required)
The detection query to execute.

platform (string, required)
The SIEM platform/tool type to execute against. Minimum string length: 1.

platformConfig (object)
Optional platform config used for enhanced platform-native testing (e.g., Datadog rule validate/test/preview).

timeRangeHours (number)
Time range in hours (1-168, default: 24). Required range: 1 <= x <= 168.

maxRows (number)
Max rows to return (1-100, default: 10). Required range: 1 <= x <= 100.

Response

200 - application/json: Successful response

success (boolean, required)

rows (number, required)
Total matching rows in the test time window (may exceed returned sample size).

executionTimeMs (number, required)

results (object[], required)

bytesScanned (number)

error (string)

datadogRulePreview (object)

bestEstimate (object)
Single best platform-specific estimate used to display hits/hr.
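As an added example (not Cotool's own client code), a small Python helper that builds a request for this endpoint with the documented parameter ranges enforced up front, sends it with the Bearer header, and reduces the 200 response to the figures a detection engineer checks before enabling a rule. The function names and the sample response are this example's own assumptions.

```python
import json
import urllib.request

# Endpoint from the reference above; the helper names below are this example's own.
ENDPOINT = "https://app.cotool.ai/api/detection-rules/execute-query"

def build_request(query, platform, time_range_hours=24, max_rows=10, platform_config=None):
    """Validate the parameters against the documented ranges before sending anything."""
    if not query or not platform:
        raise ValueError("query and platform are required (platform: minimum length 1)")
    if not 1 <= time_range_hours <= 168:
        raise ValueError("timeRangeHours must be within 1..168")
    if not 1 <= max_rows <= 100:
        raise ValueError("maxRows must be within 1..100")
    body = {"query": query, "platform": platform,
            "timeRangeHours": time_range_hours, "maxRows": max_rows}
    if platform_config is not None:
        body["platformConfig"] = platform_config  # optional, e.g. Datadog rule preview settings
    return body

def execute_query(api_key, body, timeout=30):
    """POST the validated body with the API key as a Bearer token (performs a network call)."""
    req = urllib.request.Request(
        ENDPOINT, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def summarize(response):
    """Reduce a response to what matters before enabling a rule: total matches, how many
    rows were sampled, hits/hr derived from bestEstimate, and whether the rule validated."""
    if not response.get("success"):
        raise RuntimeError(response.get("error") or "query failed")
    est = response.get("bestEstimate") or {}
    hours = est.get("timeRangeHours") or 0
    validation = (response.get("datadogRulePreview") or {}).get("validation") or {}
    return {"rows": response["rows"], "sampled": len(response["results"]),
            "hits_per_hour": est["count"] / hours if hours else None,
            "quality": est.get("quality"), "rule_valid": validation.get("valid")}

# Constructed sample response shaped like the 200 schema above (not real API output).
SAMPLE_RESPONSE = {
    "success": True, "rows": 48, "executionTimeMs": 910,
    "results": [{"host": "web-01", "count": 12}, {"host": "web-02", "count": 9}],
    "bytesScanned": 5000000, "datadogRulePreview": {"validation": {"valid": True}},
    "bestEstimate": {"count": 48, "timeRangeHours": 24,
                     "basis": "estimated_detection_noisiness", "quality": "authoritative"},
}
```

Note that `rows` is the total match count for the window while `results` is only the sample capped by `maxRows`, so noise estimates should be based on `rows` or `bestEstimate`, never on `len(results)`.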