Skip to main content
POST
/
api
/
detections
/
{id}
/
accept
cURL
curl -X POST "https://app.cotool.ai/api/detections/:id/accept" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"
{
  "id": "<string>",
  "organizationId": "<string>",
  "name": "<string>",
  "description": "<string>",
  "createdAt": "<string>",
  "updatedAt": "<string>",
  "deletedAt": "<string>",
  "toolNames": [
    "<string>"
  ],
  "toolActionConfigs": [
    {
      "type": "<string>",
      "allowedChannels": [
        {
          "id": "<string>",
          "name": "<string>"
        }
      ]
    }
  ],
  "inputs": [
    {
      "type": "text",
      "name": "<string>",
      "description": "<string>",
      "required": true
    }
  ],
  "modelAlias": "<unknown>",
  "planningMode": "auto",
  "agentType": "response",
  "origin": "user",
  "isBuiltIn": true,
  "builtInAgentType": "threat-relevancy",
  "cronSchedule": "<string>",
  "enabled": true,
  "cliNames": [
    "<string>"
  ],
  "contextDocs": [
    {
      "provider": "googleDocs",
      "id": "<string>",
      "name": "<string>",
      "mimeType": "<string>"
    }
  ],
  "tinesStoryImportId": "<string>",
  "triggerSummary": [
    {
      "id": "<string>",
      "source": "jira",
      "name": "<string>",
      "enabled": true
    }
  ],
  "structuredOutputSchema": {
    "type": "string",
    "title": "<string>",
    "description": "<string>",
    "properties": {},
    "items": "<unknown>",
    "required": [
      "<string>"
    ],
    "enum": [
      "<string>"
    ],
    "additionalProperties": true,
    "x-cotool": {
      "presetId": "classification"
    }
  },
  "tags": [
    "<string>"
  ],
  "skills": [
    {
      "skillId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "skill": {
        "name": "<string>",
        "description": "<string>",
        "requiredTools": [
          "<string>"
        ]
      },
      "skillVersionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "invocationCount30d": 123
    }
  ],
  "acceptanceCriteria": [
    "<string>"
  ],
  "detectionCategory": "baseline_anomaly",
  "detectionQuery": "<string>",
  "siemType": "<string>",
  "isSuggestion": true,
  "lastDetectionRunAt": "<string>",
  "activeSystemPrompt": {
    "id": "<string>",
    "prompt": "<string>",
    "description": "<string>"
  },
  "runs30d": 123,
  "runningRuns30d": 123,
  "hits30d": 123,
  "avgEvalScore30d": 123,
  "threatModelSnippet": "<string>",
  "threatModelVersion": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "version": 123,
    "isCurrent": true
  }
}

Documentation Index

Fetch the complete documentation index at: https://docs.cotool.ai/llms.txt

Use this file to discover all available pages before exploring further.

Authorizations

Authorization
string
header
required

API Key authentication for programmatic access. Include your API key in the Authorization header as: Bearer your_api_key_here

Path Parameters

id
string<uuid>
required

Detection UUID

Response

200 - application/json

Successful response

Agent configuration - can be either a built in (system-managed) or custom (user-created) agent

id
string
required

Unique identifier for the agent

organizationId
string
required

Unique identifier of the organization that owns this agent

name
string
required

Human-readable name of the agent

description
string
required

Description of what the agent does and its purpose

createdAt
string
required

Timestamp when the agent was created

updatedAt
string
required

Timestamp when the agent was last updated

deletedAt
string | null
required

Timestamp when the agent was soft-deleted, or null if not deleted

toolNames
string[]
required

Array of tool names that this agent can use during execution

toolActionConfigs
object[]
required

Per-tool-action configuration for this agent

Configuration for a specific tool action

inputs
object[]
required

Array of input configurations defining what inputs the agent expects

modelAlias
any
required

Model alias specifying which LLM model to use for this agent

planningMode
enum<string>
required

Planning behavior mode for the agent

Available options:
auto,
never,
always
agentType
enum<string>
required

Type of agent: response (standard) or detection (security detection)

Available options:
response,
detection
origin
enum<string>
required

Who created this agent: user or orchestrator

Available options:
user,
orchestrator
isBuiltIn
boolean
required

Whether this agent is built in to the system (true for built-in (system-managed) agents)

builtInAgentType
enum<string>
required

Type of built-in agent (e.g., threat-validation, threat-hunt)

Available options:
threat-relevancy,
threat-research,
test-agent
cronSchedule
string | null
required

The cron schedule expression from the trigger (e.g., "0 * * * *" for hourly). Use cronToCadence() to derive display cadence.

enabled
boolean
required

Whether the detection schedule is enabled (from cron trigger)

cliNames
string[]

Optional array of CLI integration ids that this agent can use during execution

contextDocs
object[]

Optional array of context documents (e.g., Google Docs, Notion pages) to provide to the agent

tinesStoryImportId
string | null

Optional reference to the Tines story import template used to create this agent

triggerSummary
object[]

Optional array of triggers configured for this agent

structuredOutputSchema
object

Optional JSON schema describing the structured output the agent should emit (may include x-cotool metadata for preset UX; metadata is stripped before sending to the LLM)

tags
string[]

Array of tags for categorizing the agent

A tag label for categorizing agents (normalized to lowercase)

Required string length: 1 - 100
skills
object[]

Array of reusable skills attached to this agent

acceptanceCriteria
string[]

Optional list of acceptance criteria evaluated for every run

Maximum array length: 20

A user-configured acceptance criterion that must be satisfied for an agent run

Required string length: 1 - 500
detectionCategory
enum<string> | null

Category of detection (only for detection agents)

Available options:
baseline_anomaly,
first_occurrence,
sequence_pattern,
privilege_escalation,
custom,
null
detectionQuery
string | null

The SIEM query for the detection (only for detection agents)

siemType
string | null

The SIEM platform type (e.g., splunk, elastic) for the detection (only for detection agents)

isSuggestion
boolean

Whether this detection is a suggestion (only for detection agents)

lastDetectionRunAt
string | null

Timestamp of when this detection was last run (only for detection agents)

activeSystemPrompt
object

The currently active system prompt for this detection

runs30d
integer

Total runs in last 30 days

runningRuns30d
integer

Total active runs in last 30 days

hits30d
integer

Recorded detection hits in last 30 days

avgEvalScore30d
number | null

Average LLM judge evaluation score (0-100) over last 30 days

threatModelSnippet
string | null

Verbatim quote from the threat model version this agent was grounded in. Powers the "Why this agent?" drawer. Null for user-created agents.

threatModelVersion
object

Threat model version this orchestrator agent was built against. Null for user-created agents.