list_alert_comments
Retrieve all comments for a specific security alert to review investigation notes and team discussions.
Instructions
Get all comments for a specific Panther alert.
Returns: Dict containing: - success: Boolean indicating if the request was successful - comments: List of comments if successful, each containing: - id: The comment ID - body: The comment text - createdAt: Timestamp when the comment was created - createdBy: Information about the user who created the comment - format: The format of the comment (HTML or PLAIN_TEXT or JSON_SCHEMA) - message: Error message if unsuccessful
Permissions:{'all_of': ['Read Alerts']}
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| alert_id | Yes | The ID of the alert to get comments for | |
| limit | No | Maximum number of comments to return |
Implementation Reference
- Full tool implementation including @mcp_tool registration decorator, Pydantic input schema via Annotated Fields (alert_id: str, limit: int=25), and async handler logic. Fetches comments for the specified alert using Panther's REST API GET /alert-comments endpoint with error handling for 400 errors and general exceptions. Returns structured dict with success flag, comments list, and total count.
@mcp_tool( annotations={ "permissions": all_perms(Permission.ALERT_READ), "readOnlyHint": True, } ) async def list_alert_comments( alert_id: Annotated[ str, Field(min_length=1, description="The ID of the alert to get comments for"), ], limit: Annotated[ int, Field(description="Maximum number of comments to return", ge=1, le=50), ] = 25, ) -> dict[str, Any]: """Get all comments for a specific Panther alert. Returns: Dict containing: - success: Boolean indicating if the request was successful - comments: List of comments if successful, each containing: - id: The comment ID - body: The comment text - createdAt: Timestamp when the comment was created - createdBy: Information about the user who created the comment - format: The format of the comment (HTML or PLAIN_TEXT or JSON_SCHEMA) - message: Error message if unsuccessful """ logger.info(f"Fetching comments for alert ID: {alert_id}") try: params = {"alert-id": alert_id, "limit": limit} async with get_rest_client() as client: result, status = await client.get( "/alert-comments", params=params, expected_codes=[200, 400], ) if status == 400: logger.error(f"Bad request when fetching comments for alert ID: {alert_id}") return { "success": False, "message": f"Bad request when fetching comments for alert ID: {alert_id}", } comments = result.get("results", []) logger.info( f"Successfully retrieved {len(comments)} comments for alert ID: {alert_id}" ) return { "success": True, "comments": comments, "total_comments": len(comments), } except Exception as e: logger.error(f"Failed to fetch alert comments: {str(e)}") return { "success": False, "message": f"Failed to fetch alert comments: {str(e)}", } - src/mcp_panther/panther_mcp_core/tools/alerts.py:365-370 (registration)MCP tool registration using @mcp_tool decorator from .registry, specifying required ALERT_READ permissions and read-only hint.
@mcp_tool( annotations={ "permissions": all_perms(Permission.ALERT_READ), "readOnlyHint": True, } ) - Input schema defined using Pydantic Annotated with Field validators: required alert_id (str, min_length=1), optional limit (int, 1-50, default=25). Output is dict[str, Any].
async def list_alert_comments( alert_id: Annotated[ str, Field(min_length=1, description="The ID of the alert to get comments for"), ], limit: Annotated[ int, Field(description="Maximum number of comments to return", ge=1, le=50), ] = 25, ) -> dict[str, Any]: