list_alerts
Query and filter security alerts in Panther by date, severity, status, log sources, and more to streamline alert investigation and response.
Instructions
List alerts from Panther with comprehensive filtering options
Args:
start_date: Optional start date in ISO 8601 format (e.g. "2024-03-20T00:00:00Z")
end_date: Optional end date in ISO 8601 format (e.g. "2024-03-21T00:00:00Z")
severities: Optional list of severities to filter by (e.g. ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"])
statuses: Optional list of statuses to filter by (e.g. ["OPEN", "TRIAGED", "RESOLVED", "CLOSED"])
cursor: Optional cursor for pagination from a previous query
detection_id: Optional detection ID to filter alerts by. If provided, date range is not required.
event_count_max: Optional maximum number of events that returned alerts must have
event_count_min: Optional minimum number of events that returned alerts must have
log_sources: Optional list of log source IDs to filter alerts by
log_types: Optional list of log type names to filter alerts by
name_contains: Optional string to search for in alert titles
page_size: Number of results per page (default: 25, maximum: 50)
resource_types: Optional list of AWS resource type names to filter alerts by
subtypes: Optional list of alert subtypes. Valid values depend on alert_type:
- When alert_type="ALERT": ["POLICY", "RULE", "SCHEDULED_RULE"]
- When alert_type="DETECTION_ERROR": ["RULE_ERROR", "SCHEDULED_RULE_ERROR"]
- When alert_type="SYSTEM_ERROR": subtypes are not allowed
alert_type: Type of alerts to return (default: "ALERT"). One of:
- "ALERT": Regular detection alerts
- "DETECTION_ERROR": Alerts from detection errors
- "SYSTEM_ERROR": System error alerts
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| alert_type | No | ALERT | |
| cursor | No | ||
| detection_id | No | ||
| end_date | No | ||
| event_count_max | No | ||
| event_count_min | No | ||
| log_sources | No | ||
| log_types | No | ||
| name_contains | No | ||
| page_size | No | ||
| resource_types | No | ||
| severities | No | ||
| start_date | No | ||
| statuses | No | ||
| subtypes | No |
Input Schema (JSON Schema)
{
"properties": {
"alert_type": {
"default": "ALERT",
"title": "Alert Type",
"type": "string"
},
"cursor": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Cursor"
},
"detection_id": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Detection Id"
},
"end_date": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "End Date"
},
"event_count_max": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Event Count Max"
},
"event_count_min": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Event Count Min"
},
"log_sources": {
"anyOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"type": "null"
}
],
"default": null,
"title": "Log Sources"
},
"log_types": {
"anyOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"type": "null"
}
],
"default": null,
"title": "Log Types"
},
"name_contains": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Name Contains"
},
"page_size": {
"default": 25,
"title": "Page Size",
"type": "integer"
},
"resource_types": {
"anyOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"type": "null"
}
],
"default": null,
"title": "Resource Types"
},
"severities": {
"default": [
"CRITICAL",
"HIGH",
"MEDIUM",
"LOW"
],
"items": {
"type": "string"
},
"title": "Severities",
"type": "array"
},
"start_date": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Start Date"
},
"statuses": {
"default": [
"OPEN",
"TRIAGED",
"RESOLVED",
"CLOSED"
],
"items": {
"type": "string"
},
"title": "Statuses",
"type": "array"
},
"subtypes": {
"anyOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"type": "null"
}
],
"default": null,
"title": "Subtypes"
}
},
"type": "object"
}