Skip to main content
PUT
/
api
/
detections
/
{id}
cURL
curl -X PUT "https://app.cotool.ai/api/detections/:id" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"string","description":"string","detectionCategory":"baseline_anomaly","systemPrompt":"string","detectionQuery":"string","siemType":"string","toolNames":["string"],"toolActionConfigs":null,"skills":[{"skillId":"string","skillVersionId":"string"}],"detectionCadence":"hourly","customCronSchedule":"string","tags":[null]}'
{
  "id": "<string>",
  "organizationId": "<string>",
  "name": "<string>",
  "description": "<string>",
  "createdAt": "<string>",
  "updatedAt": "<string>",
  "deletedAt": "<string>",
  "toolNames": [
    "<string>"
  ],
  "toolActionConfigs": [
    {
      "type": "<string>",
      "allowedChannels": [
        {
          "id": "<string>",
          "name": "<string>"
        }
      ]
    }
  ],
  "inputs": [
    {
      "type": "text",
      "name": "<string>",
      "description": "<string>",
      "required": true
    }
  ],
  "modelAlias": "<unknown>",
  "planningMode": "auto",
  "agentType": "response",
  "isBuiltIn": true,
  "builtInAgentType": "threat-relevancy",
  "cronSchedule": "<string>",
  "enabled": true,
  "contextDocs": [
    {
      "provider": "googleDocs",
      "id": "<string>",
      "name": "<string>",
      "mimeType": "<string>"
    }
  ],
  "tinesStoryImportId": "<string>",
  "triggerSummary": [
    {
      "id": "<string>",
      "source": "jira",
      "name": "<string>",
      "enabled": true
    }
  ],
  "structuredOutputSchema": {
    "type": "string",
    "title": "<string>",
    "description": "<string>",
    "properties": {},
    "items": "<unknown>",
    "required": [
      "<string>"
    ],
    "enum": [
      "<string>"
    ],
    "additionalProperties": true,
    "x-cotool": {
      "presetId": "classification"
    }
  },
  "tags": [
    "<string>"
  ],
  "skills": [
    {
      "skillId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "skill": {
        "name": "<string>",
        "description": "<string>",
        "requiredTools": [
          "<string>"
        ]
      },
      "skillVersionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "invocationCount30d": 123
    }
  ],
  "acceptanceCriteria": [
    "<string>"
  ],
  "detectionCategory": "baseline_anomaly",
  "detectionQuery": "<string>",
  "siemType": "<string>",
  "isSuggestion": true,
  "lastDetectionRunAt": "<string>",
  "activeSystemPrompt": {
    "id": "<string>",
    "prompt": "<string>",
    "description": "<string>"
  },
  "runs30d": 123,
  "hits30d": 123,
  "avgEvalScore30d": 123
}

Authorizations

Authorization
string
header
required

API Key authentication for programmatic access. Include your API key in the Authorization header as: Bearer your_api_key_here

Path Parameters

id
string<uuid>
required

Detection UUID

Body

application/json
name
string

New name for the detection

Required string length: 1 - 255
description
string | null

New description

Maximum string length: 1000
detectionCategory
enum<string> | null

New category (set to null for intent-based detections)

Available options:
baseline_anomaly,
first_occurrence,
sequence_pattern,
privilege_escalation,
custom,
null
systemPrompt
string

New system prompt

Minimum string length: 1
detectionQuery
string | null

New SIEM query (set to null for intent-based detections)

Minimum string length: 1
siemType
string | null

New SIEM platform type

toolNames
string[] | null

New tool names

toolActionConfigs
object[]

Optional updated per-tool-action configuration for the detection agent

Configuration for a specific tool action

skills
object[]

Optional updated set of skills attached to the detection agent

detectionCadence
enum<string> | null

New cadence for the detection (standard cadences)

Available options:
hourly,
daily,
weekly,
null
customCronSchedule
string | null

Custom cron expression for detection schedule (takes precedence over detectionCadence if provided). Set to null to clear custom schedule and use detectionCadence. Must not run more frequently than hourly.

tags
string[]

Tags for categorizing the detection agent

A tag label for categorizing agents (normalized to lowercase)

Required string length: 1 - 100

Response

200 - application/json

Successful response

Agent configuration - can be either a built in (system-managed) or custom (user-created) agent

id
string
required

Unique identifier for the agent

organizationId
string
required

Unique identifier of the organization that owns this agent

name
string
required

Human-readable name of the agent

description
string
required

Description of what the agent does and its purpose

createdAt
string
required

Timestamp when the agent was created

updatedAt
string
required

Timestamp when the agent was last updated

deletedAt
string | null
required

Timestamp when the agent was soft-deleted, or null if not deleted

toolNames
string[]
required

Array of tool names that this agent can use during execution

toolActionConfigs
object[]
required

Per-tool-action configuration for this agent

Configuration for a specific tool action

inputs
object[]
required

Array of input configurations defining what inputs the agent expects

modelAlias
any
required

Model alias specifying which LLM model to use for this agent

planningMode
enum<string>
required

Planning behavior mode for the agent

Available options:
auto,
never,
always
agentType
enum<string>
required

Type of agent: response (standard) or detection (security detection)

Available options:
response,
detection
isBuiltIn
boolean
required

Whether this agent is built in to the system (true for built-in (system-managed) agents)

builtInAgentType
enum<string>
required

Type of built-in agent (e.g., threat-validation, threat-hunt)

Available options:
threat-relevancy,
threat-research,
test-agent
cronSchedule
string | null
required

The cron schedule expression from the trigger (e.g., "0 * * * *" for hourly). Use cronToCadence() to derive display cadence.

enabled
boolean
required

Whether the detection schedule is enabled (from cron trigger)

contextDocs
object[]

Optional array of context documents (e.g., Google Docs, Notion pages) to provide to the agent

tinesStoryImportId
string | null

Optional reference to the Tines story import template used to create this agent

triggerSummary
object[]

Optional array of triggers configured for this agent

structuredOutputSchema
object

Optional JSON schema describing the structured output the agent should emit (may include x-cotool metadata for preset UX; metadata is stripped before sending to the LLM)

tags
string[]

Array of tags for categorizing the agent

A tag label for categorizing agents (normalized to lowercase)

Required string length: 1 - 100
skills
object[]

Array of reusable skills attached to this agent

acceptanceCriteria
string[]

Optional list of acceptance criteria evaluated for every run

Maximum array length: 20

A user-configured acceptance criterion that must be satisfied for an agent run

Required string length: 1 - 500
detectionCategory
enum<string> | null

Category of detection (only for detection agents)

Available options:
baseline_anomaly,
first_occurrence,
sequence_pattern,
privilege_escalation,
custom,
null
detectionQuery
string | null

The SIEM query for the detection (only for detection agents)

siemType
string | null

The SIEM platform type (e.g., splunk, elastic) for the detection (only for detection agents)

isSuggestion
boolean

Whether this detection is a suggestion (only for detection agents)

lastDetectionRunAt
string | null

Timestamp of when this detection was last run (only for detection agents)

activeSystemPrompt
object

The currently active system prompt for this detection

runs30d
integer

Total runs in last 30 days

hits30d
integer

Triggered runs in last 30 days

avgEvalScore30d
number | null

Average LLM judge evaluation score (0-100) over last 30 days