> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cotool.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Restore a dismissed detection rule proposal

> Restore a previously dismissed proposal back to proposed status.



## OpenAPI

````yaml https://app.cotool.ai/api/docs/openapi.json post /api/detection-rules/proposals/{id}/restore
openapi: 3.1.0
info:
  title: Cotool API
  version: 1.0.0
  description: >-
    # Cotool API Documentation


    The Cotool API allows you to interact with the Cotool platform
    programmatically, enabling you to build powerful integrations and automate
    your workflows.


    ## Getting an API Key


    Follow these steps to generate your API key:


    1. **Log in** to the Cotool web interface

    2. **Navigate** to `/settings/api-keys`

    3. **Click** "Generate Key"

    4. **Copy and store** your API key securely ⚠️ *It won't be shown again*


    ## API Key Authentication


    For programmatic access and integrations, use your API key with the
    Authorization header:


    ```http

    Authorization: Bearer your_api_key_here

    ```


    ```bash

    curl -X GET "https://app.cotool.ai/api/endpoint" \
      -H "Authorization: Bearer your_api_key_here" \
      -H "Content-Type: application/json"
    ```
servers:
  - url: https://app.cotool.ai
    description: Production server
security:
  - ApiKeyAuth: []
paths:
  /api/detection-rules/proposals/{id}/restore:
    post:
      tags:
        - Detection Rules
      summary: Restore a dismissed detection rule proposal
      description: Restore a previously dismissed proposal back to proposed status.
      parameters:
        - in: path
          name: id
          schema:
            type: string
            format: uuid
          required: true
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                type: object
                properties:
                  proposal:
                    type: object
                    properties:
                      id:
                        type: string
                        format: uuid
                      organizationId:
                        type: string
                        format: uuid
                      name:
                        type: string
                      description:
                        type: string
                      query:
                        type: string
                      siemPlatform:
                        type: string
                      reasoning:
                        type: string
                        description: Why this detection is valuable for this environment
                      mitreTechniqueIds:
                        type: array
                        items:
                          type: string
                      mitreTechniqueNames:
                        type: array
                        items:
                          type: string
                      mitreTacticIds:
                        type: array
                        items:
                          type: string
                      dataSourcesRequired:
                        type: array
                        items:
                          type: string
                      suggestedTuning:
                        type:
                          - object
                          - 'null'
                        properties:
                          exclusions:
                            type: array
                            items:
                              type: string
                            description: >-
                              Common exclusions to reduce noise (service
                              accounts, automated jobs, etc.)
                          thresholds:
                            type: array
                            items:
                              type: string
                            description: Tunable threshold parameters
                          expectedVolume:
                            type: string
                            description: Expected alert volume when well-tuned
                      grade:
                        type:
                          - integer
                          - 'null'
                        minimum: 0
                        maximum: 20
                        description: Quality grade assigned by the agent (0-20)
                      gradeReason:
                        type:
                          - string
                          - 'null'
                        description: Explanation of why this grade was assigned
                      testResultsSummary:
                        type:
                          - string
                          - 'null'
                        description: Summary of test query results from the agent
                      status:
                        type: string
                        enum:
                          - proposed
                          - validated
                          - validation_failed
                          - published
                          - pr_created
                          - merged
                          - rejected
                          - dismissed
                      validationResult:
                        type:
                          - object
                          - 'null'
                        properties:
                          valid:
                            type: boolean
                          error:
                            type: string
                          details:
                            type: object
                            properties:
                              syntaxOk:
                                type: boolean
                              executionOk:
                                type: boolean
                              resultCount:
                                type: number
                              executionTimeMs:
                                type: number
                            required:
                              - syntaxOk
                              - executionOk
                        required:
                          - valid
                          - details
                      volumeCheckResult:
                        type:
                          - object
                          - 'null'
                        properties:
                          checkedAt:
                            type: string
                            format: date-time
                            description: When the volume check was performed
                          rowCount:
                            type: number
                            description: Total matching rows in the sample window
                          bytesScanned:
                            type: number
                            description: Bytes scanned by the query (platform-dependent)
                          executionTimeMs:
                            type: number
                            description: Query execution time in milliseconds
                          timeRangeHours:
                            type: number
                            description: Time range of the sample (typically 1 hour)
                          sampleResults:
                            type: array
                            items:
                              type: object
                              additionalProperties: {}
                            description: Actual sample rows returned (up to 10)
                          querySnapshot:
                            type: string
                            description: The query that was tested (detect if edited since)
                          bestEstimate:
                            type: object
                            properties:
                              count:
                                type: number
                                minimum: 0
                                description: Estimated hit count in the sample window
                              timeRangeHours:
                                type: number
                                minimum: 1
                                description: Time window in hours used for the estimate
                              basis:
                                type: string
                                enum:
                                  - estimated_detection_noisiness
                                  - sample_query_results
                                description: Source category
                              quality:
                                type: string
                                enum:
                                  - authoritative
                                  - sampled
                                  - fallback
                                description: Estimate confidence
                              source:
                                type: string
                                description: Platform-specific source identifier
                            required:
                              - count
                              - timeRangeHours
                              - basis
                              - quality
                            description: >-
                              Single best platform-specific estimate used to
                              display hits/hr
                        required:
                          - checkedAt
                          - rowCount
                          - executionTimeMs
                          - timeRangeHours
                      detectionIntent:
                        type:
                          - object
                          - 'null'
                        properties:
                          methodLabel:
                            type: string
                            description: >-
                              Human-readable method/type label e.g. Threshold,
                              Anomaly Detection
                          rationale:
                            type: string
                            description: Why this method was chosen for this detection
                          confidence:
                            type: string
                            enum:
                              - high
                              - medium
                              - low
                            description: Agent confidence in method choice
                          keyKnobs:
                            type: object
                            additionalProperties:
                              anyOf:
                                - type: string
                                - type: number
                                - type: boolean
                            description: >-
                              Key parameters for display e.g.
                              evaluationWindowSeconds, aggregation
                        required:
                          - methodLabel
                      platformConfig:
                        anyOf:
                          - oneOf:
                              - type: object
                                properties:
                                  version:
                                    type: number
                                    const: 1
                                  platform:
                                    type: string
                                    const: datadog
                                  queries:
                                    type: array
                                    items:
                                      type: object
                                      properties:
                                        name:
                                          type: string
                                        query:
                                          type: string
                                        aggregation:
                                          type: string
                                          enum:
                                            - count
                                            - cardinality
                                            - sum
                                            - max
                                            - new_value
                                            - geo_data
                                            - event_count
                                            - none
                                        dataSource:
                                          type: string
                                          enum:
                                            - logs
                                            - audit
                                            - spans
                                          default: logs
                                        groupByFields:
                                          type: array
                                          items:
                                            type: string
                                        distinctFields:
                                          type: array
                                          items:
                                            type: string
                                      required:
                                        - name
                                        - query
                                        - aggregation
                                        - dataSource
                                    minItems: 1
                                  cases:
                                    type: array
                                    items:
                                      type: object
                                      properties:
                                        status:
                                          type: string
                                          enum:
                                            - info
                                            - low
                                            - medium
                                            - high
                                            - critical
                                        condition:
                                          type: string
                                        name:
                                          type: string
                                      required:
                                        - status
                                        - condition
                                    minItems: 1
                                  options:
                                    type: object
                                    properties:
                                      detectionMethod:
                                        type: string
                                        enum:
                                          - threshold
                                          - new_value
                                          - anomaly_detection
                                          - impossible_travel
                                      evaluationWindow:
                                        anyOf:
                                          - type: number
                                            const: 0
                                          - type: number
                                            const: 60
                                          - type: number
                                            const: 300
                                          - type: number
                                            const: 600
                                          - type: number
                                            const: 900
                                          - type: number
                                            const: 1800
                                          - type: number
                                            const: 3600
                                          - type: number
                                            const: 7200
                                          - type: number
                                            const: 10800
                                          - type: number
                                            const: 21600
                                          - type: number
                                            const: 43200
                                          - type: number
                                            const: 86400
                                      keepAlive:
                                        anyOf:
                                          - type: number
                                            const: 0
                                          - type: number
                                            const: 60
                                          - type: number
                                            const: 300
                                          - type: number
                                            const: 600
                                          - type: number
                                            const: 900
                                          - type: number
                                            const: 1800
                                          - type: number
                                            const: 3600
                                          - type: number
                                            const: 7200
                                          - type: number
                                            const: 10800
                                          - type: number
                                            const: 21600
                                          - type: number
                                            const: 43200
                                          - type: number
                                            const: 86400
                                        description: >-
                                          Seconds signal stays open after last
                                          match
                                      maxSignalDuration:
                                        anyOf:
                                          - type: number
                                            const: 0
                                          - type: number
                                            const: 60
                                          - type: number
                                            const: 300
                                          - type: number
                                            const: 600
                                          - type: number
                                            const: 900
                                          - type: number
                                            const: 1800
                                          - type: number
                                            const: 3600
                                          - type: number
                                            const: 7200
                                          - type: number
                                            const: 10800
                                          - type: number
                                            const: 21600
                                          - type: number
                                            const: 43200
                                          - type: number
                                            const: 86400
                                        description: Max seconds a signal stays open
                                      decreaseCriticalityBasedOnEnv:
                                        type: boolean
                                    required:
                                      - detectionMethod
                                      - evaluationWindow
                                      - keepAlive
                                      - maxSignalDuration
                                  isEnabled:
                                    type: boolean
                                    description: >-
                                      Deploy rule in enabled (true) or disabled
                                      (false) state. Defaults to true.
                                required:
                                  - version
                                  - platform
                                  - queries
                                  - cases
                                  - options
                          - type: object
                            additionalProperties: {}
                            description: >-
                              Legacy or unknown shape; parse with safeParse when
                              reading
                          - type: 'null'
                      prUrl:
                        type:
                          - string
                          - 'null'
                      prMergedAt:
                        type:
                          - string
                          - 'null'
                        format: date-time
                      publishMethod:
                        type:
                          - string
                          - 'null'
                        enum:
                          - api
                          - pr
                          - null
                        description: How the detection was published (api or pr)
                      publishedAt:
                        type:
                          - string
                          - 'null'
                        format: date-time
                      publishedRuleId:
                        type:
                          - string
                          - 'null'
                        description: ID of the rule in the SIEM platform after API publish
                      jobRunId:
                        type:
                          - string
                          - 'null'
                        format: uuid
                      dismissedReason:
                        type:
                          - string
                          - 'null'
                      dismissedBy:
                        type:
                          - string
                          - 'null'
                        format: uuid
                      dismissedAt:
                        type:
                          - string
                          - 'null'
                        format: date-time
                      publishingStartedAt:
                        type:
                          - string
                          - 'null'
                        format: date-time
                        description: When Push to Git was initiated (null = not publishing)
                      createdAt:
                        type: string
                        format: date-time
                      updatedAt:
                        type: string
                        format: date-time
                    required:
                      - id
                      - organizationId
                      - name
                      - description
                      - query
                      - siemPlatform
                      - reasoning
                      - mitreTechniqueIds
                      - mitreTechniqueNames
                      - mitreTacticIds
                      - dataSourcesRequired
                      - suggestedTuning
                      - status
                      - validationResult
                      - volumeCheckResult
                      - prUrl
                      - prMergedAt
                      - publishMethod
                      - publishedAt
                      - publishedRuleId
                      - jobRunId
                      - dismissedReason
                      - dismissedBy
                      - dismissedAt
                      - publishingStartedAt
                      - createdAt
                      - updatedAt
                required:
                  - proposal
        '400':
          description: Bad request — input validation failed or the request was malformed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
        '401':
          description: Unauthorized — missing or invalid API key / session
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '403':
          description: Forbidden — the authenticated user lacks the required permissions
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PermissionError'
        '500':
          description: Internal server error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
      x-codeSamples:
        - lang: shell
          label: cURL
          source: >-
            curl -X POST
            "https://app.cotool.ai/api/detection-rules/proposals/:id/restore" \
              -H "Authorization: Bearer YOUR_API_KEY" \
              -H "Content-Type: application/json"
components:
  schemas:
    ValidationError:
      type: object
      properties:
        error:
          type: string
          description: Error message describing what went wrong
        issues:
          type: array
          description: >-
            Detailed validation issues, present when request or response schema
            validation fails
          items:
            type: object
            additionalProperties: true
      required:
        - error
    Error:
      type: object
      properties:
        error:
          type: string
          description: Error message describing what went wrong
      required:
        - error
    PermissionError:
      type: object
      properties:
        error:
          type: string
          description: Error message describing what went wrong
        missingPerms:
          type: array
          description: Permissions the authenticated user is missing for this operation
          items:
            type: string
      required:
        - error
  securitySchemes:
    ApiKeyAuth:
      type: http
      scheme: bearer
      bearerFormat: API Key
      description: >-
        API Key authentication for programmatic access. Include your API key in
        the Authorization header as: `Bearer your_api_key_here`

````