
# Smart deploy detection to native platform (SSE)

> Uses an AI agent to deploy a detection directly to the SIEM platform with appropriate parameters. Streams progress via SSE. Optionally pass a draft to deploy instead of the original proposal.



## OpenAPI

````yaml https://app.cotool.ai/api/docs/openapi.json post /api/detection-rules/proposals/{id}/smart-deploy
# OpenAPI 3.1 document for the Cotool API; this page carries a single
# operation (smart-deploy of a detection-rule proposal).
openapi: 3.1.0
info:
  title: Cotool API
  version: 1.0.0
  # Markdown overview shown by documentation renderers: how to create an API
  # key in the web UI and how to send it as `Authorization: Bearer <key>`.
  # The key is displayed only once at creation, so it has to be captured into
  # a secret store at that moment; the placeholders below are not real keys.
  description: >-
    # Cotool API Documentation


    The Cotool API allows you to interact with the Cotool platform
    programmatically, enabling you to build powerful integrations and automate
    your workflows.


    ## Getting an API Key


    Follow these steps to generate your API key:


    1. **Log in** to the Cotool web interface

    2. **Navigate** to `/settings/api-keys`

    3. **Click** "Generate Key"

    4. **Copy and store** your API key securely ⚠️ *It won't be shown again*


    ## API Key Authentication


    For programmatic access and integrations, use your API key with the
    Authorization header:


    ```http

    Authorization: Bearer your_api_key_here

    ```


    ```bash

    curl -X GET "https://app.cotool.ai/api/endpoint" \
      -H "Authorization: Bearer your_api_key_here" \
      -H "Content-Type: application/json"
    ```
# Base URL for every path in this document. Only an https:// origin is
# listed, so clients built from this spec send the bearer key over TLS.
servers:
  - url: https://app.cotool.ai
    description: Production server
# Document-wide requirement: operations use the ApiKeyAuth scheme unless they
# declare their own `security` (the operation on this page does not).
# The empty list means no scopes are expressed here, so the permission needed
# to deploy a detection is only visible at runtime through the 403 response.
security:
  - ApiKeyAuth: []
paths:
  # POST that has an AI agent deploy a detection-rule proposal to the SIEM
  # platform and streams progress back as server-sent events.
  # NOTE(review): this changes detection content on the SIEM, so the API key
  # that may call it deserves the same handling as a SIEM admin credential
  # (narrow permissions, rotation, audit of each call) — confirm what
  # permission the server actually requires.
  /api/detection-rules/proposals/{id}/smart-deploy:
    post:
      tags:
        - Detection Rules
      summary: Smart deploy detection to native platform (SSE)
      description: >-
        Uses an AI agent to deploy a detection directly to the SIEM platform
        with appropriate parameters. Streams progress via SSE. Optionally pass a
        draft to deploy instead of the original proposal.
      parameters:
        # Identifier of the proposal to deploy; must be a UUID string.
        # NOTE(review): the spec cannot express ownership, so the handler
        # presumably has to verify that this proposal belongs to the caller's
        # organization before deploying — confirm.
        - in: path
          name: id
          schema:
            type: string
            format: uuid
          required: true
      # Optional JSON body: `requestBody` carries no `required: true` and the
      # root object does not require `draft`. When `draft` is sent it is
      # deployed instead of the stored proposal (see its description).
      # NOTE(review): no object below sets `additionalProperties: false`, so
      # unknown keys pass this schema as documented; any rejection of extra
      # fields has to happen in the handler.
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                draft:
                  type: object
                  properties:
                    chatId:
                      type: string
                      format: uuid
                    # Optional (absent from `required` below) and separate
                    # from the path {id}.
                    # NOTE(review): the spec does not say which value wins if
                    # they differ — confirm the handler rejects a mismatch.
                    proposalId:
                      type: string
                      format: uuid
                    # Tenant identifier taken from the client.
                    # NOTE(review): nothing here states that it is compared
                    # with the organization bound to the API key; that check
                    # is what keeps one tenant from deploying into another's
                    # SIEM — confirm it is enforced server-side.
                    organizationId:
                      type: string
                      format: uuid
                    # Free string; only the strict platformConfig branch
                    # below pins a platform value (`datadog`).
                    platform:
                      type: string
                    # name, description, query and reasoning are unbounded
                    # free text (no maxLength or pattern).
                    # NOTE(review): per the operation description an AI agent
                    # performs the deployment; if these fields reach the
                    # agent's prompt they are untrusted input and should not
                    # be able to steer what gets deployed — confirm handling.
                    name:
                      type: string
                    description:
                      type: string
                    # Detection query text that ends up on the SIEM platform.
                    query:
                      type: string
                    reasoning:
                      type: string
                    # String arrays with no pattern or item limit; technique
                    # ids are not validated against any format by this schema.
                    mitreTechniqueIds:
                      type: array
                      items:
                        type: string
                    mitreTechniqueNames:
                      type: array
                      items:
                        type: string
                    dataSourcesRequired:
                      type: array
                      items:
                        type: string
                    # Nullable object describing the chosen detection method;
                    # only `methodLabel` is required when it is present.
                    detectionIntent:
                      type:
                        - object
                        - 'null'
                      properties:
                        methodLabel:
                          type: string
                          description: >-
                            Human-readable method/type label e.g. Threshold,
                            Anomaly Detection
                        rationale:
                          type: string
                          description: Why this method was chosen for this detection
                        confidence:
                          type: string
                          enum:
                            - high
                            - medium
                            - low
                          description: Agent confidence in method choice
                        # Open map of display parameters; values are limited
                        # to string, number or boolean, keys are unrestricted.
                        keyKnobs:
                          type: object
                          additionalProperties:
                            anyOf:
                              - type: string
                              - type: number
                              - type: boolean
                          description: >-
                            Key parameters for display e.g.
                            evaluationWindowSeconds, aggregation
                      required:
                        - methodLabel
                    # Platform-specific rule definition. Three branches are
                    # accepted: a strict versioned Datadog shape, any object
                    # at all, or null.
                    # NOTE(review): because the second branch admits every
                    # object, a payload that fails the strict Datadog branch
                    # still validates against this schema; the enums and
                    # required lists below are enforced only if the handler
                    # re-validates before deploying.
                    platformConfig:
                      anyOf:
                        - oneOf:
                            # Datadog rule, schema version 1.
                            - type: object
                              properties:
                                version:
                                  type: number
                                  const: 1
                                platform:
                                  type: string
                                  const: datadog
                                # At least one query; each needs a name, the
                                # query text and an aggregation.
                                queries:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      name:
                                        type: string
                                      query:
                                        type: string
                                      aggregation:
                                        type: string
                                        enum:
                                          - count
                                          - cardinality
                                          - sum
                                          - max
                                          - new_value
                                          - geo_data
                                          - event_count
                                          - none
                                      # Which data set the query reads;
                                      # `logs` when omitted.
                                      dataSource:
                                        type: string
                                        enum:
                                          - logs
                                          - audit
                                          - spans
                                        default: logs
                                      groupByFields:
                                        type: array
                                        items:
                                          type: string
                                      distinctFields:
                                        type: array
                                        items:
                                          type: string
                                    required:
                                      - name
                                      - query
                                      - aggregation
                                  minItems: 1
                                # At least one case mapping a condition string
                                # to a severity status.
                                cases:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      status:
                                        type: string
                                        enum:
                                          - info
                                          - low
                                          - medium
                                          - high
                                          - critical
                                      condition:
                                        type: string
                                      name:
                                        type: string
                                    required:
                                      - status
                                      - condition
                                  minItems: 1
                                options:
                                  type: object
                                  properties:
                                    detectionMethod:
                                      type: string
                                      enum:
                                        - threshold
                                        - new_value
                                        - anomaly_detection
                                        - impossible_travel
                                    # Closed set of twelve values from 0 to
                                    # 86400 — presumably seconds, like
                                    # keepAlive; no unit is stated here.
                                    evaluationWindow:
                                      anyOf:
                                        - type: number
                                          const: 0
                                        - type: number
                                          const: 60
                                        - type: number
                                          const: 300
                                        - type: number
                                          const: 600
                                        - type: number
                                          const: 900
                                        - type: number
                                          const: 1800
                                        - type: number
                                          const: 3600
                                        - type: number
                                          const: 7200
                                        - type: number
                                          const: 10800
                                        - type: number
                                          const: 21600
                                        - type: number
                                          const: 43200
                                        - type: number
                                          const: 86400
                                    # Same closed value set, in seconds.
                                    keepAlive:
                                      anyOf:
                                        - type: number
                                          const: 0
                                        - type: number
                                          const: 60
                                        - type: number
                                          const: 300
                                        - type: number
                                          const: 600
                                        - type: number
                                          const: 900
                                        - type: number
                                          const: 1800
                                        - type: number
                                          const: 3600
                                        - type: number
                                          const: 7200
                                        - type: number
                                          const: 10800
                                        - type: number
                                          const: 21600
                                        - type: number
                                          const: 43200
                                        - type: number
                                          const: 86400
                                      description: >-
                                        Seconds signal stays open after last
                                        match
                                    maxSignalDuration:
                                      anyOf:
                                        - type: number
                                          const: 0
                                        - type: number
                                          const: 60
                                        - type: number
                                          const: 300
                                        - type: number
                                          const: 600
                                        - type: number
                                          const: 900
                                        - type: number
                                          const: 1800
                                        - type: number
                                          const: 3600
                                        - type: number
                                          const: 7200
                                        - type: number
                                          const: 10800
                                        - type: number
                                          const: 21600
                                        - type: number
                                          const: 43200
                                        - type: number
                                          const: 86400
                                      description: Max seconds a signal stays open
                                    decreaseCriticalityBasedOnEnv:
                                      type: boolean
                                  required:
                                    - detectionMethod
                                    - evaluationWindow
                                    - keepAlive
                                    - maxSignalDuration
                                # Optional; the description says omitting it
                                # deploys the rule enabled.
                                # NOTE(review): callers that want a staged
                                # rollout must send `false` explicitly, since
                                # the default makes the rule live on deploy.
                                isEnabled:
                                  type: boolean
                                  description: >-
                                    Deploy rule in enabled (true) or disabled
                                    (false) state. Defaults to true.
                              required:
                                - version
                                - platform
                                - queries
                                - cases
                                - options
                        - type: object
                          additionalProperties: {}
                          description: >-
                            Legacy or unknown shape; parse with safeParse when
                            reading
                        - type: 'null'
                    # Client-supplied timestamps typed as plain strings (no
                    # `format: date-time`).
                    # NOTE(review): if these are stored for audit purposes,
                    # server-generated times are the trustworthy source —
                    # confirm how they are used.
                    createdAt:
                      type: string
                    updatedAt:
                      type: string
                  # proposalId, reasoning, detectionIntent and platformConfig
                  # are the draft fields a caller may leave out.
                  required:
                    - chatId
                    - organizationId
                    - platform
                    - name
                    - description
                    - query
                    - mitreTechniqueIds
                    - mitreTechniqueNames
                    - dataSourcesRequired
                    - createdAt
                    - updatedAt
                  description: Optional draft to deploy instead of the original proposal
      # Documented outcomes: one success entry and four JSON error bodies.
      # NOTE(review): no 404 is listed for an unknown proposal id, so clients
      # cannot tell from this spec how a missing proposal is reported.
      responses:
        # NOTE(review): the operation summary says progress is streamed via
        # SSE, yet this entry declares no `text/event-stream` content and
        # calls the response "no content"; the event format is undocumented.
        # A failure after the stream has started presumably arrives inside
        # the stream rather than as one of the status codes below, so clients
        # should not treat HTTP 200 alone as proof of a deployed rule —
        # confirm against the implementation.
        '200':
          description: Successful response - no content
        '400':
          description: Bad request — input validation failed or the request was malformed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
        # Mentions a session as well as an API key, although the only scheme
        # declared in this document is the bearer API key.
        '401':
          description: Unauthorized — missing or invalid API key / session
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        # Body is PermissionError, which can name the missing permissions.
        '403':
          description: Forbidden — the authenticated user lacks the required permissions
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PermissionError'
        '500':
          description: Internal server error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
      # Vendor extension holding a ready-made cURL call for documentation
      # renderers. `:id` and `YOUR_API_KEY` are placeholders, and every
      # "string" value is a type stand-in rather than a usable example.
      # NOTE(review): the sample sends `"keyKnobs":null` and
      # `"dataSource":null`, but the schema types keyKnobs as an object and
      # dataSource as a string enum, neither nullable — the sample and the
      # schema disagree.
      # When adapting the command, supply the key from an environment
      # variable or secret store so it does not land in shell history.
      x-codeSamples:
        - lang: shell
          label: cURL
          source: >-
            curl -X POST
            "https://app.cotool.ai/api/detection-rules/proposals/:id/smart-deploy"
            \
              -H "Authorization: Bearer YOUR_API_KEY" \
              -H "Content-Type: application/json" \
              -d '{"draft":{"chatId":"string","proposalId":"string","organizationId":"string","platform":"string","name":"string","description":"string","query":"string","reasoning":"string","mitreTechniqueIds":["string"],"mitreTechniqueNames":["string"],"dataSourcesRequired":["string"],"detectionIntent":{"methodLabel":"string","rationale":"string","confidence":"high","keyKnobs":null},"platformConfig":{"version":1,"platform":"datadog","queries":[{"name":"string","query":"string","aggregation":"count","dataSource":null,"groupByFields":["string"],"distinctFields":["string"]}],"cases":[{"status":"info","condition":"string","name":"string"}],"options":{"detectionMethod":"threshold","evaluationWindow":0,"keepAlive":0,"maxSignalDuration":0,"decreaseCriticalityBasedOnEnv":true},"isEnabled":true},"createdAt":"string","updatedAt":"string"}}'
# Reusable pieces referenced by the operation: three error bodies and the
# one authentication scheme.
components:
  schemas:
    # 400 body: a message plus optional free-form validation issues.
    ValidationError:
      type: object
      properties:
        error:
          type: string
          description: Error message describing what went wrong
        # Items are open objects (`additionalProperties: true`) and, per the
        # description, can also stem from response-schema validation.
        # NOTE(review): open-ended issue objects can expose internal field
        # names to the caller — confirm what the server puts in them.
        issues:
          type: array
          description: >-
            Detailed validation issues, present when request or response schema
            validation fails
          items:
            type: object
            additionalProperties: true
      required:
        - error
    # Generic error body used for 401 and 500.
    Error:
      type: object
      properties:
        error:
          type: string
          description: Error message describing what went wrong
      required:
        - error
    # 403 body: message plus the names of the permissions the caller lacks.
    PermissionError:
      type: object
      properties:
        error:
          type: string
          description: Error message describing what went wrong
        missingPerms:
          type: array
          description: Permissions the authenticated user is missing for this operation
          items:
            type: string
      required:
        - error
  securitySchemes:
    # HTTP bearer authentication; `bearerFormat` is a documentation hint
    # only, so the token is an opaque API key rather than a declared JWT.
    # The scheme defines no scopes, expiry or rotation rules.
    ApiKeyAuth:
      type: http
      scheme: bearer
      bearerFormat: API Key
      description: >-
        API Key authentication for programmatic access. Include your API key in
        the Authorization header as: `Bearer your_api_key_here`

````