disable_detection
Turn off security detection rules or policies in Panther by setting them to disabled status.
Instructions
Disable a Panther detection by setting enabled to false.
Permissions: any of `Manage Rules`, `Manage Policies`
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| detection_id | Yes | The ID of the detection to disable | |
| detection_type | No | Type of detection to disable. Valid options: rules, scheduled_rules, simple_rules, or policies. | rules |
Implementation Reference
- src/mcp_panther/panther_mcp_core/tools/detections.py:517-523 (registration)

  Registration of the disable_detection tool using the @mcp_tool decorator, specifying required permissions and hints for destructive and idempotent behavior.

  ```python
  @mcp_tool(
      annotations={
          "permissions": any_perms(Permission.RULE_MODIFY, Permission.POLICY_MODIFY),
          "destructiveHint": True,
          "idempotentHint": True,
      }
  )
  ```
- Input schema for the disable_detection tool, defined using Annotated types and Pydantic Field descriptions with examples.

  ```python
  detection_id: Annotated[
      str,
      Field(
          description="The ID of the detection to disable",
          examples=["AWS.Suspicious.S3.Activity", "GCP.K8S.Privileged.Pod.Created"],
      ),
  ],
  detection_type: Annotated[
      str,
      Field(
          description="Type of detection to disable. Valid options: rules, scheduled_rules, simple_rules, or policies.",
          examples=["rules", "scheduled_rules", "simple_rules", "policies"],
      ),
  ] = "rules",
  ) -> dict[str, Any]:
  ```
- The handler function for disable_detection: validates input, fetches the current detection, sets enabled=False, performs a PUT update via the REST client, and handles errors and not-found cases.

  ```python
  # Standard-library and Pydantic imports the handler relies on; the helpers
  # (logger, validate_detection_types, SINGULAR_FIELD_MAP, get_endpoint_for_detection,
  # get_rest_client, mcp_tool) come from the surrounding detections module.
  from typing import Annotated, Any

  from pydantic import Field


  async def disable_detection(
      detection_id: Annotated[
          str,
          Field(
              description="The ID of the detection to disable",
              examples=["AWS.Suspicious.S3.Activity", "GCP.K8S.Privileged.Pod.Created"],
          ),
      ],
      detection_type: Annotated[
          str,
          Field(
              description="Type of detection to disable. Valid options: rules, scheduled_rules, simple_rules, or policies.",
              examples=["rules", "scheduled_rules", "simple_rules", "policies"],
          ),
      ] = "rules",
  ) -> dict[str, Any]:
      """Disable a Panther detection by setting enabled to false."""
      logger.info(f"Disabling {detection_type} with ID: {detection_id}")

      # Validate detection type
      validation_error = validate_detection_types([detection_type])
      if validation_error:
          return validation_error

      # Use centralized field mapping
      field_map = SINGULAR_FIELD_MAP
      endpoint = get_endpoint_for_detection(detection_type, detection_id)

      try:
          async with get_rest_client() as client:
              # First get the current detection to preserve other fields
              current_detection, status = await client.get(
                  endpoint, expected_codes=[200, 404]
              )
              if status == 404:
                  return {
                      "success": False,
                      "message": f"{detection_type.replace('_', ' ').title()} with ID {detection_id} not found",
                  }

              # Disable the detection by setting enabled to False
              # This modifies the API response object which is then sent back in the PUT request
              current_detection["enabled"] = False

              # Skip tests for simple disable operation (mainly for rules)
              params = (
                  {"run-tests-first": "false"}
                  if detection_type in ["rules", "scheduled_rules", "simple_rules"]
                  else {}
              )

              # Make the update request
              result, _ = await client.put(
                  endpoint, json_data=current_detection, params=params
              )

              logger.info(f"Successfully disabled {detection_type} with ID: {detection_id}")
              return {"success": True, field_map[detection_type]: result}
      except Exception as e:
          logger.error(f"Failed to disable {detection_type}: {str(e)}")
          return {
              "success": False,
              "message": f"Failed to disable {detection_type}: {str(e)}",
          }
  ```
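As an added example (not mcp-panther's own code, and not the Panther REST client): the same get, modify, put flow that the handler and the input schema above describe, run against a constructed in-memory client so the documented behaviour can be checked offline: rejection of an unknown `detection_type`, the not-found message, preservation of every other field on the detection, idempotent repeated disables, and the `run-tests-first` parameter being sent only for rule types. The endpoint paths, the `FakeRestClient`, the `SINGULAR` map and the sample policy are assumptions; only the rule ID `AWS.Suspicious.S3.Activity` comes from the page.

```python
"""Added example: the disable flow against a constructed in-memory REST client."""
from typing import Any, Optional

# Assumed endpoint prefixes; the real ones come from get_endpoint_for_detection().
ENDPOINTS = {
    "rules": "/rules",
    "scheduled_rules": "/scheduled-rules",
    "simple_rules": "/simple-rules",
    "policies": "/policies",
}
RULE_TYPES = ("rules", "scheduled_rules", "simple_rules")
# Assumed singular keys for the response, standing in for SINGULAR_FIELD_MAP.
SINGULAR = {"rules": "rule", "scheduled_rules": "scheduled_rule",
            "simple_rules": "simple_rule", "policies": "policy"}


class FakeRestClient:
    """Constructed stand-in for the REST client: keeps detections keyed by
    endpoint and records every PUT so the change can be audited afterwards."""

    def __init__(self, detections: dict[str, dict[str, Any]]):
        self.store = {k: dict(v) for k, v in detections.items()}
        self.put_log: list[tuple[str, dict[str, str]]] = []

    def get(self, endpoint: str) -> tuple[Optional[dict[str, Any]], int]:
        if endpoint not in self.store:
            return None, 404
        return dict(self.store[endpoint]), 200

    def put(self, endpoint: str, json_data: dict[str, Any],
            params: dict[str, str]) -> tuple[dict[str, Any], int]:
        self.store[endpoint] = dict(json_data)
        self.put_log.append((endpoint, params))
        return dict(json_data), 200


def disable_detection(client: FakeRestClient, detection_id: str,
                      detection_type: str = "rules") -> dict[str, Any]:
    # 1. Reject unknown detection types before touching the API.
    if detection_type not in ENDPOINTS:
        return {"success": False,
                "message": f"Invalid detection type: {detection_type}"}
    endpoint = f"{ENDPOINTS[detection_type]}/{detection_id}"

    # 2. Fetch the whole object so every other field survives the PUT unchanged.
    current, status = client.get(endpoint)
    if status == 404 or current is None:
        pretty = detection_type.replace("_", " ").title()
        return {"success": False,
                "message": f"{pretty} with ID {detection_id} not found"}

    # 3. Flip only the enabled flag; a repeated call writes the same object (idempotent).
    current["enabled"] = False

    # 4. Rule-like types skip the test run on update; policies send no extra params.
    params = {"run-tests-first": "false"} if detection_type in RULE_TYPES else {}
    result, _ = client.put(endpoint, json_data=current, params=params)
    return {"success": True, SINGULAR[detection_type]: result}


# Constructed sample data: one enabled rule (ID from the page) and one enabled policy.
SAMPLE = {
    "/rules/AWS.Suspicious.S3.Activity": {
        "id": "AWS.Suspicious.S3.Activity", "enabled": True,
        "severity": "HIGH", "logTypes": ["AWS.CloudTrail"],
    },
    "/policies/Example.S3.Bucket.PublicRead": {
        "id": "Example.S3.Bucket.PublicRead", "enabled": True, "severity": "MEDIUM",
    },
}


def demo() -> dict[str, Any]:
    """Run the documented cases and return their results plus the PUT audit log."""
    client = FakeRestClient(SAMPLE)
    first = disable_detection(client, "AWS.Suspicious.S3.Activity")
    second = disable_detection(client, "AWS.Suspicious.S3.Activity")  # idempotent
    policy = disable_detection(client, "Example.S3.Bucket.PublicRead", "policies")
    missing = disable_detection(client, "Does.Not.Exist", "rules")
    bad_type = disable_detection(client, "x", "detections")
    return {"first": first, "second": second, "policy": policy,
            "missing": missing, "bad_type": bad_type, "put_log": client.put_log}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because disabling a detection silences alerting for everything it covers, the `put_log` is the piece a defender would actually keep: each entry records which endpoint was rewritten and with which parameters, which is what an audit trail for this destructive tool needs.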