# Pattern-Based Detection with Agents

> Detect threats using behavioral analysis beyond rigid rule-based logic

Not all threats follow predictable patterns. Pattern-based detection uses AI agents to hunt for suspicious behaviors without being constrained by rigid, rule-based logic.

## The Limitations of Traditional Detections

Traditional detections are rule-based: **if X happens, alert**. This works well for known threats but has limitations:

<CardGroup cols={2}>
  <Card title="Rigid Logic" icon="lock">
    Rules only catch exactly what you specify. Attackers can evade them with slight variations.
  </Card>

  <Card title="High Maintenance" icon="wrench">
    Rules require constant tuning as environments and threats evolve.
  </Card>

  <Card title="Context-Blind" icon="eye-slash">
    Rules can't consider broader context like user behavior patterns or organizational norms.
  </Card>

  <Card title="Signature-Dependent" icon="fingerprint">
    Rules need known indicators. Novel attacks slip through.
  </Card>
</CardGroup>

**Pattern-based detection** solves these problems by using AI agents to identify anomalous behaviors rather than matching fixed signatures.

## How Pattern-Based Detection Works

Instead of writing rules, you deploy **scheduled agents** that:

<Steps>
  <Step title="Observe Behavior">
    Agent queries your security tools to observe activity:

    * User login patterns
    * Process execution on endpoints
    * Network communication
    * Cloud resource access
    * Email behaviors
  </Step>

  <Step title="Analyze Context">
    Agent analyzes with full context:

    * Historical baselines for this user/host
    * Peer behavior (similar roles/departments)
    * Threat intelligence
    * Organizational policies
    * Time-of-day and day-of-week patterns
  </Step>

  <Step title="Identify Anomalies">
    Agent detects suspicious patterns:

    * Deviations from normal behavior
    * Unusual combinations of activities
    * Timing anomalies
    * Access to unexpected resources
  </Step>

  <Step title="Create Alerts">
    Agent generates alerts with rich context:

    * What's anomalous and why
    * Supporting evidence
    * Risk assessment
    * Recommended response actions
  </Step>
</Steps>

This approach catches threats that evade traditional signatures.

## Creating a Pattern-Based Detection Agent

<Steps>
  <Step title="Define the Behavior to Monitor">
    Decide what suspicious patterns you want to detect:

    * User behavior anomalies
    * Resource access patterns
    * Configuration drift
    * Communication anomalies
  </Step>

  <Step title="Determine Schedule">
    How often should the agent run?

    * **Hourly**: For active monitoring
    * **Daily**: For broader pattern analysis
    * **Weekly**: For trend analysis and reporting
  </Step>

  <Step title="Create the Agent">
    Navigate to **Agents > Create Agent**

    Configure:

    * **Name**: "User Behavior Anomaly Detection"
    * **Type**: Scheduled (Cron)
    * **Schedule**: `0 */6 * * *` (every 6 hours)
    * **Tools**: Grant access to relevant tools (SIEM, EDR, etc.)
  </Step>

  <Step title="Write the System Prompt">
    Write a detailed prompt explaining:

    * What to look for (specific patterns)
    * What context to consider (baselines, peer behavior)
    * What to ignore (known false positives)
    * How to format output (alerts, tickets, reports)

    <Card href="/core-concepts/system-prompts">
      Learn about writing effective system prompts
    </Card>
  </Step>

  <Step title="Add Context Documents">
    Provide reference material:

    * List of known false positives
    * IT asset inventory (to understand normal software)
    * Org chart (to understand peer groups and reporting relationships)
    * Approved maintenance windows
  </Step>

  <Step title="Configure Actions">
    Define what the agent should do when it finds anomalies:

    * Create Jira tickets
    * Send Slack notifications
    * Update a detection dashboard
    * Quarantine/isolate automatically (for high-confidence threats)
  </Step>

  <Step title="Test & Deploy">
    Test the agent manually in Builder before enabling the schedule:

    * Run against recent data
    * Verify it identifies known suspicious patterns
    * Check that it doesn't over-alert
    * Review output format and quality
  </Step>

  <Step title="Monitor & Tune">
    After deployment:

    * Review agent findings daily for the first week
    * Provide feedback on true positives vs. false positives
    * Add new false positive filters to context docs
    * Adjust schedule if needed (more/less frequent)
  </Step>
</Steps>

<Card title="Creating Agents" href="/agents/creating-agents">
  Detailed guide on agent creation
</Card>
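The observe, analyze, identify and alert loop described above, together with the context documents (known false positives, maintenance windows) and the confidence threshold from the creation steps, as an added Python illustration that is not Cotool's code: it builds per-user and per-department baselines from constructed sign-in events and emits alerts only above a threshold. All events, names and scoring weights are constructed assumptions.

```python
from datetime import datetime

# Constructed history, the kind of data the "Observe Behavior" step collects:
# (user, department, ISO timestamp, source country, resource accessed)
HISTORY = [
    ("alice", "finance", "2024-05-01T09:05", "US", "erp"),
    ("alice", "finance", "2024-05-02T10:12", "US", "erp"),
    ("alice", "finance", "2024-05-03T14:40", "US", "sharepoint"),
    ("bob", "finance", "2024-05-01T08:30", "US", "erp"),
    ("bob", "finance", "2024-05-02T11:02", "US", "payroll"),
    ("carol", "engineering", "2024-05-01T22:15", "DE", "gitlab"),
]
# Constructed context documents: known false positives and an approved maintenance window
KNOWN_FP = {("carol", "gitlab")}          # (user, resource) pairs analysts marked benign
MAINTENANCE = [("2024-05-10T01:00", "2024-05-10T04:00")]  # same ISO format as events

def build_baseline(history):
    """Per-user norms plus per-department (peer) resource usage: the 'Analyze Context' step."""
    users, depts = {}, {}
    for user, dept, ts, country, resource in history:
        u = users.setdefault(user, {"hours": set(), "countries": set(), "resources": set()})
        u["hours"].add(datetime.fromisoformat(ts).hour)
        u["countries"].add(country)
        u["resources"].add(resource)
        depts.setdefault(dept, set()).add(resource)
    return users, depts

def score_event(event, baseline):
    """Return (score, reasons): each reason explains one deviation; 0 means nothing unusual."""
    users, depts = baseline
    user, dept, ts, country, resource = event
    if (user, resource) in KNOWN_FP:
        return 0, ["listed as known false positive"]
    norm = users.get(user)
    if norm is None:
        return 3, ["no historical baseline for user"]
    hour, score, reasons = datetime.fromisoformat(ts).hour, 0, []
    if min(abs(hour - h) for h in norm["hours"]) > 2:      # timing anomaly (no midnight wrap)
        score += 1; reasons.append(f"login at {hour:02d}:00 outside usual hours {sorted(norm['hours'])}")
    if country not in norm["countries"]:                    # deviation from user's own baseline
        score += 2; reasons.append(f"first login from {country}")
    if resource not in norm["resources"]:                   # unexpected resource ...
        score += 1; reasons.append(f"first access to {resource}")
        if resource not in depts.get(dept, set()):          # ... that peers do not use either
            score += 2; reasons.append(f"no {dept} peer uses {resource}")
    if any(start <= ts <= end for start, end in MAINTENANCE):  # string compare works for ISO format
        score = max(score - 2, 0); reasons.append("inside approved maintenance window")
    return score, reasons

def detect(events, baseline, threshold=3):
    """'Create Alerts' step: what is anomalous, why, the evidence, and a risk rating."""
    alerts = []
    for event in events:
        score, reasons = score_event(event, baseline)
        if score >= threshold:                               # confidence threshold controls volume
            alerts.append({"user": event[0], "score": score, "why": reasons,
                           "evidence": event, "risk": "high" if score >= 5 else "medium"})
    return alerts
```

Raising `threshold` or extending `KNOWN_FP` is the code equivalent of the prompt and context-document tuning the steps describe.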

## Combining Rule-Based and Pattern-Based Detection

The most effective detection strategy **combines both approaches**:

<Tabs>
  <Tab title="Rule-Based Detection">
    **Best for:**

    * Known threat techniques
    * High-confidence indicators
    * Real-time alerting
    * Compliance requirements

    **Examples:**

    * Detect PsExec execution
    * Alert on failed login thresholds
    * Monitor for specific malware signatures
  </Tab>

  <Tab title="Pattern-Based Detection">
    **Best for:**

    * Novel threats
    * Behavioral anomalies
    * Context-dependent threats
    * Low-and-slow attacks

    **Examples:**

    * Unusual user behavior patterns
    * Anomalous resource access
    * Sophisticated payloads that evade rule-based detections
  </Tab>
</Tabs>

**Layered Defense Strategy:**

```
Layer 1: Rule-Based Detections
├── Known threats (high confidence)
├── Real-time alerting
└── Immediate response

Layer 2: Pattern-Based Detection Agents
├── Behavioral anomalies
├── Scheduled analysis (hourly, daily)
└── Catches what rules miss

Layer 3: Human Analysis
├── Review agent findings
├── Deep-dive investigations
└── Tune both rule-based and pattern-based detections
```

<Note>
  **Best Practice**: Use rule-based detections for known threats requiring immediate response. Use pattern-based agents to hunt for novel threats and behavioral anomalies that evade signatures.
</Note>

## Tips for Effective Pattern-Based Detection

<Note>
  **Start Broad, Then Focus**: Begin with wide behavioral monitoring. As you identify common patterns, refine the agent to focus on high-value anomalies.
</Note>

<Note>
  **Provide Context Documents**: Give the agent reference material like org charts, asset inventories, and known FP lists to improve accuracy.
</Note>

<Note>
  **Review Findings Regularly**: Especially in the first few weeks, review agent findings to understand what patterns it's identifying.
</Note>

<Note>
  **Combine with Rules**: Use pattern-based detection to supplement, not replace, traditional detections.
</Note>

## Frequently Asked Questions

<AccordionGroup>
  <Accordion title="Won't this generate too many alerts?">
    You control alert volume by:

    * Specifying confidence thresholds in the prompt
    * Defining what constitutes "suspicious" clearly
    * Providing exclusion lists for known benign patterns
    * Choosing output destinations (tickets vs. notifications)

    Start conservative and broaden based on results.
  </Accordion>

  <Accordion title="How is this different from UEBA tools?">
    UEBA tools use statistical models and machine learning to detect anomalies. Pattern-based detection agents use LLMs to understand **context and reasoning**.

    Benefits of agent-based approach:

    * Explains **why** something is suspicious (not just a statistical outlier)
    * Adapts to new threat patterns without retraining models
    * Incorporates organizational context (roles, policies)
    * You control the logic via prompts (no black box)
  </Accordion>

  <Accordion title="Can I use this for compliance monitoring?">
    Yes! Deploy agents to monitor for:

    * Policy violations (unauthorized access)
    * Compliance drift (configuration changes)
    * Audit requirements (privileged user monitoring)

    Agents generate audit trails and reports automatically.
  </Accordion>

  <Accordion title="How do I measure success?">
    Track these metrics:

    * **Detection Rate**: Threats caught by the agent vs. missed
    * **False Positive Rate**: Benign alerts vs. genuine findings
    * **Time to Detect**: How quickly agent identifies suspicious activity
    * **Investigation Time**: How long it takes analysts to act on agent findings

    Use [evaluations](/improving-agents/evaluations) to measure and improve agent performance.
  </Accordion>
</AccordionGroup>
