
Cotool’s detection authoring workflow helps you move from an initial idea to a tested, reviewable detection that you can deploy either directly to a platform or through Git-based review.

Why Detection Authoring in Cotool Is Different

If you use a general AI assistant to write detections, you usually run into one of three problems:

1. Syntax issues

The query looks plausible but does not compile or does not match the destination platform

2. Environment mismatch

The rule assumes fields, indexes, or data sources you do not actually have

3. Too much noise

The logic technically works but produces alert volume that is too high to be useful

Cotool’s approach is to combine AI-generated suggestions, an editable draft in Detection Studio, test execution, and controlled publishing.

Two Ways to Start

You can start detection authoring in either of these ways:

1. Start from Suggestions

Cotool can generate suggested detections and place them in the Suggestions queue. From there you can:
  • Review the detection name, description, reasoning, and query
  • Dismiss low-value ideas to keep the queue clean
  • Restore previously dismissed suggestions
  • Open a suggestion in Detection Studio for editing
  • Deploy a strong suggestion directly if it is already ready

2. Start from Scratch

If you already know what you want to build, start a new detection authoring session and guide the agent directly in chat. This is useful when:
  • You have a precise detection concept
  • You want to bring your own threat report or sample logs
  • You already know the target platform and rough logic

The Current Workflow

1. Review or create an initial idea

Start from a generated suggestion or describe the detection you want to build.

2. Open the detection in Detection Studio

Clicking Edit on a suggestion creates a draft and opens it in Detection Studio. If the draft came from a suggestion, Cotool keeps a link back to the source suggestion so you can trace where it came from.

3. Refine the draft

Update the detection name, description, query, MITRE mapping, and any platform-specific configuration. Draft changes autosave while you work.

4. Test Detection

Use Test Detection to validate the current draft against recent data. Depending on platform support, the test view can show:
  • Query errors
  • Sample rows
  • Execution time
  • Data scanned
  • Estimated volume or noisiness

5. Iterate until the draft is reviewable

Ask Cotool to tighten conditions, add exclusions, change output fields, or adapt the logic to your environment. Re-test after each meaningful change.

6. Publish using the right path

When the rule is ready, publish it using the method your platform supports:
  • Deploy direct to platform
  • Deploy via Git
If you publish through Git, Cotool opens a PR-based path for review. If you deploy directly, the suggestion is marked as published.

What You Can Do in Detection Studio

Detection Studio is the working area for turning a rough proposal into a production-ready rule.

Edit the rule itself

You can directly update:
  • Name
  • Description
  • Query
  • MITRE technique mapping
  • Platform-specific config where supported

Keep provenance

If a draft came from a suggestion, the editor keeps a visible link to the source suggestion. This is helpful when a teammate wants to understand where a rule originated or compare the edited draft to the original idea.

Copy and share the draft query

You can copy the current query directly from the editor while iterating with teammates or pasting it into other review workflows.

Testing Before You Publish

The Test Detection panel is one of the most valuable parts of the workflow. It helps you answer practical questions before a rule goes live:
  • Does the query execute successfully?
  • Are the expected fields present?
  • Is the result set empty because the logic is wrong, or because the data is not there?
  • Is the rule too noisy for production?
  • Does the platform-specific rule configuration validate cleanly?
Test after every major change. A detection that looks correct in chat can still fail because of field names, ingestion gaps, platform constraints, or unexpectedly high volume.

Publish Options

Cotool supports different publishing paths depending on the platform:

Option                      Best for
Deploy direct to platform   Fast rollout when the rule is ready and your team is comfortable publishing from Cotool
Deploy via Git              Teams that want code review, PR visibility, or a detection-as-code workflow

Direct platform deployment

Use this when you want the detection created in the destination system immediately.

Git-based deployment

Use this when detections should go through normal review before they are merged or deployed. Cotool creates a PR-backed path so reviewers can inspect the final rule.

Example Workflow

Scenario: suspicious PowerShell activity in Splunk

1. Generate or select a suggestion

You review a suggestion for suspicious PowerShell execution from the Suggestions page and click Edit.

2. Open the draft in Detection Studio

Cotool creates a draft linked to the source suggestion and opens it in Detection Studio.

3. Refine the query

You update the logic to focus on encoded commands and add exclusions for known admin tooling.

4. Run Test Detection

Cotool executes the query on recent data. The test results show sample rows, execution time, and whether the alert volume looks reasonable.

5. Adjust for noise

You tighten the filters based on the test output and run the test again.

6. Publish

Once the rule looks production-ready, you either deploy it directly to Splunk or send it through a Git-based review flow.
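The pre-publish checks listed under Testing Before You Publish, applied to the PowerShell scenario above, as an added Python example that is not part of Cotool's product or documentation: it emulates offline what the Test Detection panel reports for a draft rule (required fields present, empty result because of logic versus missing data, noise against a threshold). The field names, the sample events, the exclusion list and the noise threshold are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events standing in for the "recent data" a test run queries.
# Field names are assumptions modelled on Windows process-creation logs.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "process": "powershell.exe",
     "cmdline": "powershell.exe -NoP -enc QQBCAEMA"},
    {"host": "ws02", "user": "svc_patch", "process": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand QQBCAEMA -File C:\\Tools\\patch.ps1"},
    {"host": "ws03", "user": "bob", "process": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "ws04", "user": "carol", "process": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

# Draft logic: PowerShell started with any form of the encoded-command switch.
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
# Assumed exclusions a team would hand to Cotool: a patching service account
# and an approved tooling path, instead of a broad "reduce noise" request.
EXCLUDED_USERS = {"svc_patch"}
EXCLUDED_CMD_SUBSTRINGS = ("C:\\Tools\\",)

@dataclass
class TestResult:
    errors: list = field(default_factory=list)       # what would block publishing
    sample_rows: list = field(default_factory=list)  # matching events to eyeball
    noise_ratio: float = 0.0                         # matches / events scanned

def run_test(events, required=("host", "user", "process", "cmdline"), max_noise=0.25):
    """Emulate the pre-publish checks: data present, fields present, noise level."""
    result = TestResult()
    if not events:
        result.errors.append("no data in the test window: cannot judge the logic")
        return result
    missing = [f for f in required if any(f not in e for e in events)]
    if missing:
        result.errors.append(f"required fields missing from data: {missing}")
        return result
    for e in events:
        if e["process"].lower() != "powershell.exe":
            continue
        if not ENCODED_FLAG.search(e["cmdline"] + " "):  # pad so a trailing switch matches
            continue
        if e["user"] in EXCLUDED_USERS or any(s in e["cmdline"] for s in EXCLUDED_CMD_SUBSTRINGS):
            continue
        result.sample_rows.append(e)
    result.noise_ratio = len(result.sample_rows) / len(events)
    if result.noise_ratio > max_noise:
        result.errors.append(f"noise ratio {result.noise_ratio:.2f} exceeds {max_noise}")
    return result
```

An empty `sample_rows` with no errors means the logic matched nothing on real data, whereas an error tells you the fields or the data themselves are missing, which is the distinction the test panel is there to make.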

When to Use Suggestions vs Manual Authoring

Start with suggestions when…                        Start from scratch when…
You want AI-generated ideas to review quickly       You already know the exact detection concept
You are looking for coverage gaps                   You have a specific threat report or detection hypothesis
You want a first draft to refine                    You want tighter control from the first prompt

Best Practices

  • Even a strong suggestion should be tested and reviewed before deployment. The fastest path is often: suggestion -> draft -> test -> publish.
  • Give Cotool concrete exclusions, approved tools, service accounts, or maintenance patterns. Specific exclusions are much safer than broad “reduce noise” requests.
  • Threat reports, sample logs, and example indicators help Cotool produce a rule that is closer to your real environment.
  • A clean-looking query can still be invalid, too noisy, or mismatched to your data. Use the test panel as your source of truth.
  • If your team relies on code review, use the Git path. If you are iterating quickly in a supported platform, direct deployment may be the better fit.

Frequently Asked Questions

Yes, if a suggestion is already good enough and the platform supports it, you can publish from the Suggestions workflow. Open Detection Studio when you want to refine or validate first.

Cotool keeps the link between the draft and the original suggestion, so you can trace the source and see whether you are working from an edited copy.

Treat that as a signal to investigate. It may mean the query is too narrow, the fields are wrong, or the underlying data is not available in your environment.

Cotool does not deploy rules on its own. You choose when to publish and whether to deploy directly or go through Git-based review.

Dismiss low-value suggestions and restore them later if priorities change. This keeps the queue focused on rules your team actually wants to work on.