manage_alerts
Manage security alerts from Microsoft Defender and other products to investigate and remediate threats in Microsoft 365 environments.
Instructions
Manage security alerts from Microsoft Defender and other security products including investigation and remediation.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | Alert management action | |
| alertId | No | ID of the alert (required for get_alert) | |
| filter | No | OData `$filter` expression (e.g., `status eq 'new'`) | |
| top | No | Maximum number of alerts to return | |
Implementation Reference
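// - src/handlers.ts:994-1031 (handler)The core handler function that implements the manage_alerts tool logic. It uses Microsoft Graph API's /security/alerts_v2 endpoint to list or get security alerts based on the action parameter.
/**
 * Handle the `manage_alerts` tool against Microsoft Graph `/security/alerts_v2`.
 *
 * Both supported actions issue GET requests only: `list_alerts` returns an
 * (optionally filtered / limited) collection, `get_alert` returns one alert by id.
 *
 * @param graphClient - authenticated Graph client (SecurityAlert.Read.All is required).
 * @param args - tool arguments; see `AlertArgs`.
 * @returns MCP text content holding the Graph response as pretty-printed JSON.
 * @throws McpError(InvalidParams) when `alertId` is missing for `get_alert`,
 *   when `top` is not a positive integer, or when `action` is unknown.
 */
export async function handleManageAlerts(
  graphClient: Client,
  args: AlertArgs
): Promise<{ content: { type: string; text: string }[] }> {
  // Uses the newer alerts_v2 endpoint
  // Requires SecurityAlert.Read.All permission
  let apiPath = '/security/alerts_v2';
  let result: unknown;

  switch (args.action) {
    case 'list_alerts': {
      const queryOptions: string[] = [];
      if (args.filter) {
        // Caller-controlled: percent-encode so it cannot smuggle in extra query options.
        queryOptions.push(`$filter=${encodeURIComponent(args.filter)}`);
      }
      if (args.top) {
        // Only a positive integer is a meaningful $top; reject anything else
        // before it is interpolated into the request URL.
        if (!Number.isInteger(args.top) || args.top < 0) {
          throw new McpError(ErrorCode.InvalidParams, 'top must be a positive integer');
        }
        queryOptions.push(`$top=${args.top}`);
      }
      if (queryOptions.length > 0) {
        apiPath += `?${queryOptions.join('&')}`;
      }
      result = await graphClient.api(apiPath).get();
      break;
    }
    case 'get_alert': {
      if (!args.alertId) {
        throw new McpError(ErrorCode.InvalidParams, 'alertId is required for get_alert');
      }
      // The id must stay a single path segment: encode it so characters such as
      // '/', '?' or '..' cannot redirect the call to a different Graph resource.
      apiPath += `/${encodeURIComponent(args.alertId)}`;
      result = await graphClient.api(apiPath).get();
      break;
    }
    default:
      throw new McpError(ErrorCode.InvalidParams, `Invalid action: ${args.action}`);
  }

  return {
    content: [{ type: 'text', text: JSON.stringify(result, null, 2) }]
  };
}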
// - src/types.ts:200-205 (schema)TypeScript interface defining the input parameters for the manage_alerts tool handler.
/** Arguments accepted by the `manage_alerts` tool (consumed by `handleManageAlerts`). */
export interface AlertArgs {
  /** Operation to run; both map to Graph `/security/alerts_v2` GET requests. */
  action: 'list_alerts' | 'get_alert';
  /** Alert id to fetch; required for `'get_alert'`, not used by `'list_alerts'`. */
  alertId?: string;
  /** OData `$filter` expression applied by `'list_alerts'` (e.g. `status eq 'new'`). */
  filter?: string;
  /** Maximum number of alerts returned by `'list_alerts'` (sent as `$top`). */
  top?: number;
}
// - src/server.ts:656-675 (registration)MCP server tool registration for 'manage_alerts', linking the handler function, input schema, and metadata annotations.
// Registers `manage_alerts`: input is checked against `alertSchema.shape`, then the
// call is delegated to handleManageAlerts with the client from getGraphClient().
this.server.tool(
  "manage_alerts",
  "Manage security alerts from Microsoft Defender and other security products including investigation and remediation.",
  alertSchema.shape,
  // NOTE(review): handleManageAlerts only issues GET requests, so readOnlyHint:false
  // looks overly conservative — confirm before clients rely on this annotation.
  {"readOnlyHint":false,"destructiveHint":false,"idempotentHint":true},
  wrapToolHandler(async (args: AlertArgs) => {
    // Validate credentials only when tool is executed (lazy loading)
    this.validateCredentials();
    try {
      return await handleManageAlerts(this.getGraphClient(), args);
    } catch (error) {
      // McpErrors already carry a client-facing code; anything else is wrapped
      // as InternalError, keeping the underlying message for context.
      if (error instanceof McpError) {
        throw error;
      }
      throw new McpError(
        ErrorCode.InternalError,
        `Error executing tool: ${error instanceof Error ? error.message : 'Unknown error'}`
      );
    }
  })
);
- src/tool-metadata.ts:103-106 (schema)Tool metadata providing description, title, and annotations used during MCP tool registration.manage_alerts: { description: "Manage security alerts from Microsoft Defender and other security products including investigation and remediation.", title: "Security Alert Manager", annotations: { title: "Security Alert Manager", readOnlyHint: false, destructiveHint: false, idempotentHint: true, openWorldHint: true }
- src/index.ts:341-341 (registration)Tool listed in HTTP capabilities endpoint response for client discovery.'manage_alerts'