> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cotool.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Execute a detection query

> Execute an ad-hoc detection query against a connected SIEM platform. Returns sample results.



## OpenAPI

````yaml https://app.cotool.ai/api/docs/openapi.json post /api/detection-rules/execute-query
openapi: 3.1.0
info:
  title: Cotool API
  version: 1.0.0
  description: >-
    # Cotool API Documentation


    The Cotool API allows you to interact with the Cotool platform
    programmatically, enabling you to build powerful integrations and automate
    your workflows.


    ## Getting an API Key


    Follow these steps to generate your API key:


    1. **Log in** to the Cotool web interface

    2. **Navigate** to `/settings/api-keys`

    3. **Click** "Generate Key"

    4. **Copy and store** your API key securely ⚠️ *It won't be shown again*


    ## API Key Authentication


    For programmatic access and integrations, use your API key with the
    Authorization header:


    ```http

    Authorization: Bearer your_api_key_here

    ```


    ```bash

    curl -X GET "https://app.cotool.ai/api/endpoint" \
      -H "Authorization: Bearer your_api_key_here" \
      -H "Content-Type: application/json"
    ```
servers:
  - url: https://app.cotool.ai
    description: Production server
security:
  - ApiKeyAuth: []
paths:
  /api/detection-rules/execute-query:
    post:
      tags:
        - Detection Rules
      summary: Execute a detection query
      description: >-
        Execute an ad-hoc detection query against a connected SIEM platform.
        Returns sample results.
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                query:
                  type: string
                  description: The detection query to execute
                platform:
                  type: string
                  minLength: 1
                  description: The SIEM platform/tool type to execute against
                platformConfig:
                  anyOf:
                    - oneOf:
                        - type: object
                          properties:
                            version:
                              type: number
                              const: 1
                            platform:
                              type: string
                              const: datadog
                            queries:
                              type: array
                              items:
                                type: object
                                properties:
                                  name:
                                    type: string
                                  query:
                                    type: string
                                  aggregation:
                                    type: string
                                    enum:
                                      - count
                                      - cardinality
                                      - sum
                                      - max
                                      - new_value
                                      - geo_data
                                      - event_count
                                      - none
                                  dataSource:
                                    type: string
                                    enum:
                                      - logs
                                      - audit
                                      - spans
                                    default: logs
                                  groupByFields:
                                    type: array
                                    items:
                                      type: string
                                  distinctFields:
                                    type: array
                                    items:
                                      type: string
                                required:
                                  - name
                                  - query
                                  - aggregation
                              minItems: 1
                            cases:
                              type: array
                              items:
                                type: object
                                properties:
                                  status:
                                    type: string
                                    enum:
                                      - info
                                      - low
                                      - medium
                                      - high
                                      - critical
                                  condition:
                                    type: string
                                  name:
                                    type: string
                                required:
                                  - status
                                  - condition
                              minItems: 1
                            options:
                              type: object
                              properties:
                                detectionMethod:
                                  type: string
                                  enum:
                                    - threshold
                                    - new_value
                                    - anomaly_detection
                                    - impossible_travel
                                evaluationWindow:
                                  anyOf:
                                    - type: number
                                      const: 0
                                    - type: number
                                      const: 60
                                    - type: number
                                      const: 300
                                    - type: number
                                      const: 600
                                    - type: number
                                      const: 900
                                    - type: number
                                      const: 1800
                                    - type: number
                                      const: 3600
                                    - type: number
                                      const: 7200
                                    - type: number
                                      const: 10800
                                    - type: number
                                      const: 21600
                                    - type: number
                                      const: 43200
                                    - type: number
                                      const: 86400
                                keepAlive:
                                  anyOf:
                                    - type: number
                                      const: 0
                                    - type: number
                                      const: 60
                                    - type: number
                                      const: 300
                                    - type: number
                                      const: 600
                                    - type: number
                                      const: 900
                                    - type: number
                                      const: 1800
                                    - type: number
                                      const: 3600
                                    - type: number
                                      const: 7200
                                    - type: number
                                      const: 10800
                                    - type: number
                                      const: 21600
                                    - type: number
                                      const: 43200
                                    - type: number
                                      const: 86400
                                  description: Seconds signal stays open after last match
                                maxSignalDuration:
                                  anyOf:
                                    - type: number
                                      const: 0
                                    - type: number
                                      const: 60
                                    - type: number
                                      const: 300
                                    - type: number
                                      const: 600
                                    - type: number
                                      const: 900
                                    - type: number
                                      const: 1800
                                    - type: number
                                      const: 3600
                                    - type: number
                                      const: 7200
                                    - type: number
                                      const: 10800
                                    - type: number
                                      const: 21600
                                    - type: number
                                      const: 43200
                                    - type: number
                                      const: 86400
                                  description: Max seconds a signal stays open
                                decreaseCriticalityBasedOnEnv:
                                  type: boolean
                              required:
                                - detectionMethod
                                - evaluationWindow
                                - keepAlive
                                - maxSignalDuration
                            isEnabled:
                              type: boolean
                              description: >-
                                Deploy rule in enabled (true) or disabled
                                (false) state. Defaults to true.
                          required:
                            - version
                            - platform
                            - queries
                            - cases
                            - options
                    - type: object
                      additionalProperties: {}
                      description: >-
                        Legacy or unknown shape; parse with safeParse when
                        reading
                    - type: 'null'
                  description: >-
                    Optional platform config used for enhanced platform-native
                    testing (e.g., Datadog rule validate/test/preview).
                timeRangeHours:
                  type: number
                  minimum: 1
                  maximum: 168
                  description: 'Time range in hours (1-168, default: 24)'
                maxRows:
                  type: number
                  minimum: 1
                  maximum: 100
                  description: 'Max rows to return (1-100, default: 10)'
              required:
                - query
                - platform
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                type: object
                properties:
                  success:
                    type: boolean
                  rows:
                    type: number
                    description: >-
                      Total matching rows in the test time window (may exceed
                      returned sample size)
                  bytesScanned:
                    type: number
                  executionTimeMs:
                    type: number
                  results:
                    type: array
                    items:
                      type: object
                      additionalProperties: {}
                  error:
                    type: string
                  datadogRulePreview:
                    type: object
                    properties:
                      validation:
                        type: object
                        properties:
                          valid:
                            type: boolean
                          error:
                            type: string
                        required:
                          - valid
                      historicalPreview:
                        type: object
                        properties:
                          fidelity:
                            type: string
                            enum:
                              - full
                              - partial
                              - query_only
                          lookbackHours:
                            type: integer
                            minimum: 1
                          estimatedSignals:
                            type: integer
                            minimum: 0
                          windowsEvaluated:
                            type: integer
                            minimum: 0
                          windowsTriggered:
                            type: integer
                            minimum: 0
                          severityBreakdown:
                            type: object
                            additionalProperties:
                              type: integer
                              minimum: 0
                          topGroups:
                            type: array
                            items:
                              type: object
                              properties:
                                group:
                                  type: object
                                  additionalProperties:
                                    type: string
                                estimatedSignals:
                                  type: integer
                                  minimum: 0
                              required:
                                - group
                                - estimatedSignals
                          notes:
                            type: array
                            items:
                              type: string
                        required:
                          - fidelity
                          - lookbackHours
                  bestEstimate:
                    type: object
                    properties:
                      count:
                        type: number
                        minimum: 0
                        description: Estimated hit count in the sample window
                      timeRangeHours:
                        type: number
                        minimum: 1
                        description: Time window in hours used for the estimate
                      basis:
                        type: string
                        enum:
                          - estimated_detection_noisiness
                          - sample_query_results
                        description: Source category
                      quality:
                        type: string
                        enum:
                          - authoritative
                          - sampled
                          - fallback
                        description: Estimate confidence
                      source:
                        type: string
                        description: Platform-specific source identifier
                    required:
                      - count
                      - timeRangeHours
                      - basis
                      - quality
                    description: >-
                      Single best platform-specific estimate used to display
                      hits/hr
                required:
                  - success
                  - rows
                  - executionTimeMs
                  - results
        '400':
          description: Bad request — input validation failed or the request was malformed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
        '401':
          description: Unauthorized — missing or invalid API key / session
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '403':
          description: Forbidden — the authenticated user lacks the required permissions
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PermissionError'
        '500':
          description: Internal server error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
      x-codeSamples:
        - lang: shell
          label: cURL
          source: >-
            curl -X POST
            "https://app.cotool.ai/api/detection-rules/execute-query" \
              -H "Authorization: Bearer YOUR_API_KEY" \
              -H "Content-Type: application/json" \
              -d '{"query":"string","platform":"string","platformConfig":{"version":1,"platform":"datadog","queries":[{"name":"string","query":"string","aggregation":"count","dataSource":null,"groupByFields":["string"],"distinctFields":["string"]}],"cases":[{"status":"info","condition":"string","name":"string"}],"options":{"detectionMethod":"threshold","evaluationWindow":0,"keepAlive":0,"maxSignalDuration":0,"decreaseCriticalityBasedOnEnv":true},"isEnabled":true},"timeRangeHours":0,"maxRows":0}'
components:
  schemas:
    ValidationError:
      type: object
      properties:
        error:
          type: string
          description: Error message describing what went wrong
        issues:
          type: array
          description: >-
            Detailed validation issues, present when request or response schema
            validation fails
          items:
            type: object
            additionalProperties: true
      required:
        - error
    Error:
      type: object
      properties:
        error:
          type: string
          description: Error message describing what went wrong
      required:
        - error
    PermissionError:
      type: object
      properties:
        error:
          type: string
          description: Error message describing what went wrong
        missingPerms:
          type: array
          description: Permissions the authenticated user is missing for this operation
          items:
            type: string
      required:
        - error
  securitySchemes:
    ApiKeyAuth:
      type: http
      scheme: bearer
      bearerFormat: API Key
      description: >-
        API Key authentication for programmatic access. Include your API key in
        the Authorization header as: `Bearer your_api_key_here`

````