# Detections Overview

> Comprehensive detection management across your security stack

Cotool provides a unified platform for managing, authoring, and deploying detections across your entire security stack—from endpoints to email to SIEMs.

## Key Features

<CardGroup cols={3}>
  <Card title="Unified MITRE Coverage Map" href="/detections/mitre-mapping" icon="map">
    Visualize detection coverage across all tools in one consolidated view
  </Card>

  <Card title="AI Detection Authoring" href="/detections/detection-authoring" icon="wand-magic-sparkles">
    Iteratively craft production-ready detections with AI assistance
  </Card>

  <Card title="Pattern-Based Detection" href="/detections/pattern-based-detection" icon="magnifying-glass-chart">
    Deploy agents that detect anomalies without rigid rule-based logic
  </Card>
</CardGroup>

## Detection Alerts

Verified Cotool detection hits create first-class alerts. Alerts track the lifecycle after detection: assignment to a response agent, triage activity, comments, escalation, and final disposition.

Detection-created alerts can automatically start response-agent triage:

1. Set the organization default route in **Triage > Sources & Routing**.
2. Optionally override routing on an individual detection agent.
3. Choose **Leave alerts unassigned** for detections that should create alerts without automatic triage.

<Card title="Alert Routing" href="/alerts/routing" icon="route">
  Configure how detection-created alerts reach response agents
</Card>

## How It Works

<Steps>
  <Step title="Ingest Existing Detections">
    Cotool automatically discovers and classifies detections from:

    * **SIEM platforms**
    * **Endpoint tools**
    * **Email security tools**
    * **Detection-as-Code pipelines**
  </Step>

  <Step title="Map to MITRE ATT&CK">
    AI analyzes each detection's name, description, and query logic to map it to relevant MITRE ATT\&CK techniques, creating a unified view of coverage across your stack
  </Step>

  <Step title="Visualize Coverage">
    See which techniques are covered, by which tools, with confidence scores for each mapping
  </Step>

  <Step title="Author New Detections">
    Use the AI detection authoring interface to iteratively craft detections:

    * Explore platform capabilities with tools
    * Draft detection logic that compiles
    * Test queries before deployment
    * Refine based on feedback
  </Step>
</Steps>

<Card title="Detection Authoring Guide" href="/detections/detection-authoring">
  Learn more about AI-powered detection authoring
</Card>

## Pattern-Based Detection with Agents

Not all threats follow rigid patterns. Cotool allows you to deploy scheduled agents that hunt for suspicious patterns without being bound to rule-based logic.

**Example**: Deploy a weekly agent that:

* Reviews user login patterns
* Identifies anomalous behavior
* Creates alerts for investigation

This approach catches threats that evade traditional signatures.

<Card title="Pattern-Based Detection" href="/detections/pattern-based-detection">
  Learn about behavioral detection with agents
</Card>

## Getting Started

<Steps>
  <Step title="Connect Your Security Tools">
    Navigate to **Settings > Integrations** and authenticate your detection platforms
  </Step>

  <Step title="View Your Detection Map">
    The MITRE classification job will automatically run weekly to map your detections to MITRE ATT\&CK techniques
  </Step>

  <Step title="Author Detections">
    Use the detection authoring interface to collaboratively craft new rule-based detections with AI assistance
  </Step>

  <Step title="Define Pattern-Based Detection Agents">
    Define pattern-based agents that hunt for suspicious activity without being bound to rule-based logic
  </Step>
</Steps>
