manage_alerts
List and filter Microsoft 365 security alerts, or retrieve a single alert by ID, from the Microsoft Graph security/alerts_v2 endpoint for investigation and response.
Instructions
Manage security alerts from Microsoft Defender and other security products including investigation and remediation.

Note that the handler implements only two actions, `list_alerts` and `get_alert`, and both are GET requests against `/security/alerts_v2`; no remediation action (such as updating an alert's status) exists in the code. The Graph permission the handler requires is `SecurityAlert.Read.All`.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | Alert management action: `list_alerts` or `get_alert` | |
| alertId | No | ID of the alert (required for `get_alert`) | |
| filter | No | OData `$filter` expression applied to `list_alerts` (e.g., `status eq 'new'`) | |
| top | No | Maximum number of alerts to return (`$top`) for `list_alerts` | |
Implementation Reference
- src/handlers.ts:994-1031 (handler): Main implementation of the manage_alerts tool handler. Uses the Microsoft Graph API security/alerts_v2 endpoint to list or get security alerts. Two points a reviewer should notice: `filter` is percent-encoded before being placed in the query string, but `alertId` is interpolated into the path unencoded, and `top` is forwarded without range or integer checks.

  ```typescript
  // Imports are outside the quoted range; the names used below are Client
  // (@microsoft/microsoft-graph-client), McpError and ErrorCode
  // (@modelcontextprotocol/sdk), and AlertArgs (src/types.ts).
  export async function handleManageAlerts(
    graphClient: Client,
    args: AlertArgs
  ): Promise<{ content: { type: string; text: string }[] }> {
    // Uses the newer alerts_v2 endpoint
    // Requires SecurityAlert.Read.All permission
    let apiPath = '/security/alerts_v2';
    let result: any;

    switch (args.action) {
      case 'list_alerts': {
        const queryOptions: string[] = [];
        if (args.filter) {
          queryOptions.push(`$filter=${encodeURIComponent(args.filter)}`);
        }
        if (args.top) {
          queryOptions.push(`$top=${args.top}`);
        }
        if (queryOptions.length > 0) {
          apiPath += `?${queryOptions.join('&')}`;
        }
        result = await graphClient.api(apiPath).get();
        break;
      }
      case 'get_alert': {
        if (!args.alertId) {
          throw new McpError(ErrorCode.InvalidParams, 'alertId is required for get_alert');
        }
        // alertId is appended to the path as-is (no encoding)
        apiPath += `/${args.alertId}`;
        result = await graphClient.api(apiPath).get();
        break;
      }
      default:
        throw new McpError(ErrorCode.InvalidParams, `Invalid action: ${args.action}`);
    }

    return {
      content: [{ type: 'text', text: JSON.stringify(result, null, 2) }]
    };
  }
  ```
- src/tool-definitions.ts:201-206 (schema): Zod validation schema defining input parameters for the manage_alerts tool, used for MCP tool discovery and input validation.

  ```typescript
  export const alertSchema = z.object({
    action: z.enum(['list_alerts', 'get_alert']).describe('Alert management action'),
    alertId: z.string().optional().describe('ID of the alert (required for get_alert)'),
    filter: z.string().optional().describe('OData filter string (e.g., \'status eq \\\'new\\\'\')'),
    top: z.number().optional().describe('Maximum number of alerts to return'),
  });
  ```

- src/server.ts:656-675 (registration): MCP server tool registration for 'manage_alerts', linking the handler function, Zod schema, and metadata annotations.

  ```typescript
  this.server.tool(
    "manage_alerts",
    "Manage security alerts from Microsoft Defender and other security products including investigation and remediation.",
    alertSchema.shape,
    { "readOnlyHint": false, "destructiveHint": false, "idempotentHint": true },
    wrapToolHandler(async (args: AlertArgs) => {
      // Validate credentials only when tool is executed (lazy loading)
      this.validateCredentials();
      try {
        return await handleManageAlerts(this.getGraphClient(), args);
      } catch (error) {
        if (error instanceof McpError) {
          throw error;
        }
        throw new McpError(
          ErrorCode.InternalError,
          `Error executing tool: ${error instanceof Error ? error.message : 'Unknown error'}`
        );
      }
    })
  );
  ```

- src/types.ts:200-205 (schema): TypeScript interface definition for AlertArgs, used as the parameter type in the handler function.

  ```typescript
  export interface AlertArgs {
    action: 'list_alerts' | 'get_alert';
    alertId?: string;
    filter?: string;
    top?: number;
  }
  ```
- src/tool-metadata.ts:103-107 (helper): Tool metadata providing description, title, and annotations (readOnlyHint, destructiveHint, etc.) for the manage_alerts tool. `readOnlyHint` is `false` even though the handler only issues GET requests, so MCP clients that gate on this hint will treat the tool as potentially mutating; note also that the registration in src/server.ts passes its own annotations object, which omits `openWorldHint`.

  ```typescript
  manage_alerts: {
    description: "Manage security alerts from Microsoft Defender and other security products including investigation and remediation.",
    title: "Security Alert Manager",
    annotations: {
      title: "Security Alert Manager",
      readOnlyHint: false,
      destructiveHint: false,
      idempotentHint: true,
      openWorldHint: true
    }
  },
  ```
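The block below is an added example, not code from the project or the page. It rebuilds the request path the handler constructs from the schema's `action`, `filter`, `top` and `alertId` inputs, and shows the two checks the handler lacks: `alertId` is rejected if it carries path or query metacharacters (or is a dot segment) and is percent-encoded, and `top` must be a positive integer within a bound. `buildAlertsRequest`, `InvalidParams` (a stand-in for `McpError`), `MAX_TOP`, `recordingClient` and `fetchAlerts` are names chosen for this example; `MAX_TOP` is an assumed cap, not a documented Graph limit, and the alert records the fake client returns are constructed.

```typescript
// Added example (not the project's code). Rebuilds handleManageAlerts' path
// construction with input validation in front of the Graph client.

type AlertAction = "list_alerts" | "get_alert";

interface AlertArgsLike {
  action: AlertAction;
  alertId?: string;
  filter?: string;
  top?: number;
}

// Stand-in for McpError(ErrorCode.InvalidParams, ...) (assumption: only the
// error type matters for this example).
class InvalidParams extends Error {
  constructor(message: string) {
    super(message);
    this.name = "InvalidParams";
  }
}

const ALERTS_V2 = "/security/alerts_v2";
// Cap imposed on $top here; an assumption, not a documented Graph limit.
const MAX_TOP = 1000;

// Returns the path plus query string that would be handed to graphClient.api().
function buildAlertsRequest(args: AlertArgsLike): string {
  switch (args.action) {
    case "list_alerts": {
      const query: string[] = [];
      if (args.filter !== undefined) {
        // Same encoding the handler uses: the whole OData expression becomes
        // a single query value, so spaces and quotes cannot break the URL.
        query.push(`$filter=${encodeURIComponent(args.filter)}`);
      }
      if (args.top !== undefined) {
        // The handler forwards any truthy number; require a positive integer
        // within bounds so a caller cannot request an arbitrarily large page.
        if (!Number.isInteger(args.top) || args.top < 1 || args.top > MAX_TOP) {
          throw new InvalidParams(`top must be an integer between 1 and ${MAX_TOP}`);
        }
        query.push(`$top=${args.top}`);
      }
      return query.length > 0 ? `${ALERTS_V2}?${query.join("&")}` : ALERTS_V2;
    }
    case "get_alert": {
      if (!args.alertId) {
        throw new InvalidParams("alertId is required for get_alert");
      }
      // The handler interpolates alertId raw. A value such as "x/../incidents"
      // or "x?$select=id" would change which request is sent, so reject path
      // and query metacharacters and dot segments, then percent-encode the rest.
      if (args.alertId === "." || args.alertId === ".." || /[\/?#]/.test(args.alertId)) {
        throw new InvalidParams("alertId must not contain '/', '?' or '#' or be a dot segment");
      }
      return `${ALERTS_V2}/${encodeURIComponent(args.alertId)}`;
    }
    default:
      throw new InvalidParams(`Invalid action: ${String((args as { action: string }).action)}`);
  }
}

// Minimal stand-in for the Graph SDK Client (assumption): records the path it
// is asked for and answers with a constructed alert record.
interface GraphLike {
  api(path: string): { get(): Promise<unknown> };
}

function recordingClient(seen: string[]): GraphLike {
  return {
    api(path: string) {
      seen.push(path);
      return { get: async () => ({ value: [{ id: "alert-1", status: "new" }] }) };
    },
  };
}

// Validation runs before the client is touched, so a bad alertId never
// produces a request at all.
async function fetchAlerts(client: GraphLike, args: AlertArgsLike): Promise<unknown> {
  return client.api(buildAlertsRequest(args)).get();
}
```

Because `api()` is invoked synchronously before the first `await`, a test can observe the exact path the Graph client would receive without a network; this is the cheapest place to pin down query construction in a tool that forwards caller-controlled strings to an external API.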