update_alert_status
Modify the status of multiple Panther alerts by specifying alert IDs and the desired status. Requires 'Manage Alerts' permission to execute. Returns success status, updated alert IDs, and error messages if applicable.
Instructions
Update the status of one or more Panther alerts.
Returns a dict containing:
- success: Boolean indicating if the update was successful
- alerts: List of updated alert IDs if successful
- message: Error message if unsuccessful

Permissions: `{'all_of': ['Manage Alerts']}`
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| alert_ids | Yes | List of alert IDs to update | |
| status | Yes | New status for the alerts (one of OPEN, TRIAGED, RESOLVED, CLOSED) | |
Implementation Reference
- Primary handler function, decorated with `@mcp_tool` (registration). It implements the tool logic against the Panther REST API `PATCH /alerts` endpoint and includes inline Pydantic schema validation.

```python
from typing import Annotated, Any

from pydantic import BeforeValidator, Field

# mcp_tool, all_perms, Permission, get_rest_client and logger are the server's own
# helpers (their imports are not shown on this page); _validate_alert_status is the
# BeforeValidator listed in the next reference.


@mcp_tool(
    annotations={
        "permissions": all_perms(Permission.ALERT_MODIFY),
        "destructiveHint": True,
        "idempotentHint": True,
    }
)
async def update_alert_status(
    alert_ids: Annotated[
        list[str],
        Field(description="List of alert IDs to update"),
    ],
    status: Annotated[
        str,
        BeforeValidator(_validate_alert_status),
        Field(
            description="New status for the alerts",
            examples=["OPEN", "TRIAGED", "RESOLVED", "CLOSED"],
        ),
    ],
) -> dict[str, Any]:
    """Update the status of one or more Panther alerts.

    Returns:
        Dict containing:
            - success: Boolean indicating if the update was successful
            - alerts: List of updated alert IDs if successful
            - message: Error message if unsuccessful
    """
    logger.info(f"Updating status for alerts {alert_ids} to {status}")
    try:
        # Validate status (defensive programming - should also be caught by validator)
        valid_statuses = {"OPEN", "TRIAGED", "RESOLVED", "CLOSED"}
        if status not in valid_statuses:
            raise ValueError(
                f"Invalid status '{status}'. Must be one of: {', '.join(sorted(valid_statuses))}"
            )

        # Prepare request body
        body = {
            "ids": alert_ids,
            "status": status,
        }

        # Execute the REST API call
        async with get_rest_client() as client:
            result, status_code = await client.patch(
                "/alerts", json_data=body, expected_codes=[204, 400, 404]
            )

            if status_code == 404:
                logger.error(f"One or more alerts not found: {alert_ids}")
                return {
                    "success": False,
                    "message": f"One or more alerts not found: {alert_ids}",
                }

            if status_code == 400:
                logger.error(f"Bad request when updating alert status: {alert_ids}")
                return {
                    "success": False,
                    "message": f"Bad request when updating alert status: {alert_ids}",
                }

        logger.info(f"Successfully updated {len(alert_ids)} alerts to status {status}")
        return {
            "success": True,
            "alerts": alert_ids,  # Return the IDs that were updated
        }
    except Exception as e:
        logger.error(f"Failed to update alert status: {str(e)}")
        return {
            "success": False,
            "message": f"Failed to update alert status: {str(e)}",
        }
```
- Pydantic `BeforeValidator` function used on the tool's `status` parameter for input schema validation.

```python
def _validate_alert_status(v: str) -> str:
    """Validate alert status is valid."""
    valid_statuses = {"OPEN", "TRIAGED", "RESOLVED", "CLOSED"}
    if v not in valid_statuses:
        raise ValueError(
            f"Invalid status '{v}'. Must be one of: {', '.join(sorted(valid_statuses))}"
        )
    return v
```
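To exercise the tool's contract without a Panther tenant, here is an added example (not code from the Panther MCP server) that reproduces the handler's control flow with an injected fake client; `FakeRestClient`, `run` and the alert IDs are constructed assumptions, and the fake raises on any HTTP code outside `expected_codes`, which is what the tool's `expected_codes` argument implies. It shows that a status failing validation never produces a `PATCH`, what body the API receives, and how 204, 400, 404 and an unexpected code map to the returned dict.

```python
import asyncio

VALID_STATUSES = {"OPEN", "TRIAGED", "RESOLVED", "CLOSED"}

def validate_alert_status(v: str) -> str:
    """Same rule as the tool's BeforeValidator: exact, case-sensitive match."""
    if v not in VALID_STATUSES:
        raise ValueError(f"Invalid status '{v}'. Must be one of: {', '.join(sorted(VALID_STATUSES))}")
    return v

class FakeRestClient:
    """Constructed stand-in for get_rest_client(): records PATCH calls and answers a canned code.
    Assumption: like the real client, it raises when the code is not in expected_codes."""
    def __init__(self, status_code: int) -> None:
        self.status_code = status_code
        self.calls = []  # (path, body) of every request that actually went out
    async def __aenter__(self):
        return self
    async def __aexit__(self, *exc):
        return False
    async def patch(self, path, json_data, expected_codes):
        self.calls.append((path, json_data))
        if self.status_code not in expected_codes:
            raise RuntimeError(f"unexpected HTTP {self.status_code}")
        return None, self.status_code

async def update_alert_status(alert_ids, status, client) -> dict:
    """Same control flow as the tool, with the client injected instead of get_rest_client().
    The status check runs first, so a bad status never produces a PATCH."""
    try:
        validate_alert_status(status)  # the real tool's BeforeValidator rejects this before the body runs
        body = {"ids": alert_ids, "status": status}
        async with client:
            _, code = await client.patch("/alerts", json_data=body, expected_codes=[204, 400, 404])
            if code == 404:
                return {"success": False, "message": f"One or more alerts not found: {alert_ids}"}
            if code == 400:
                return {"success": False, "message": f"Bad request when updating alert status: {alert_ids}"}
        return {"success": True, "alerts": alert_ids}
    except Exception as e:
        return {"success": False, "message": f"Failed to update alert status: {e}"}

def run(alert_ids, status, http_code):
    """Drive one call against a fake server answering http_code; return (result, recorded calls)."""
    client = FakeRestClient(http_code)
    return asyncio.run(update_alert_status(alert_ids, status, client)), client.calls
```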