Panther MCP Server

Official

by panther-labs

Overview Schema Related Servers Score Discussions

Python

Remote

list_alert_comments

Read-only

Retrieve all comments for a specific security alert to review investigation notes and team discussions.

Instructions

Get all comments for a specific Panther alert.

Returns: Dict containing: - success: Boolean indicating if the request was successful - comments: List of comments if successful, each containing: - id: The comment ID - body: The comment text - createdAt: Timestamp when the comment was created - createdBy: Information about the user who created the comment - format: The format of the comment (HTML or PLAIN_TEXT or JSON_SCHEMA) - message: Error message if unsuccessful

Permissions:{'all_of': ['Read Alerts']}

Input Schema

TableJSON Schema

Name	Required	Description	Default
`alert_id`	Yes	The ID of the alert to get comments for
`limit`	No	Maximum number of comments to return

Output Schema

TableJSON Schema

Name	Required	Description	Default
No arguments

Implementation Reference

src/mcp_panther/panther_mcp_core/tools/alerts.py:365-427 (handler)

Full tool implementation including @mcp_tool registration decorator, Pydantic input schema via Annotated Fields (alert_id: str, limit: int=25), and async handler logic. Fetches comments for the specified alert using Panther's REST API GET /alert-comments endpoint with error handling for 400 errors and general exceptions. Returns structured dict with success flag, comments list, and total count.

@mcp_tool(
    annotations={
        "permissions": all_perms(Permission.ALERT_READ),
        "readOnlyHint": True,
    }
)
async def list_alert_comments(
    alert_id: Annotated[
        str,
        Field(min_length=1, description="The ID of the alert to get comments for"),
    ],
    limit: Annotated[
        int,
        Field(description="Maximum number of comments to return", ge=1, le=50),
    ] = 25,
) -> dict[str, Any]:
    """Get all comments for a specific Panther alert.

    Returns:
        Dict containing:
        - success: Boolean indicating if the request was successful
        - comments: List of comments if successful, each containing:
            - id: The comment ID
            - body: The comment text
            - createdAt: Timestamp when the comment was created
            - createdBy: Information about the user who created the comment
            - format: The format of the comment (HTML or PLAIN_TEXT or JSON_SCHEMA)
        - message: Error message if unsuccessful
    """
    logger.info(f"Fetching comments for alert ID: {alert_id}")
    try:
        params = {"alert-id": alert_id, "limit": limit}
        async with get_rest_client() as client:
            result, status = await client.get(
                "/alert-comments",
                params=params,
                expected_codes=[200, 400],
            )

        if status == 400:
            logger.error(f"Bad request when fetching comments for alert ID: {alert_id}")
            return {
                "success": False,
                "message": f"Bad request when fetching comments for alert ID: {alert_id}",
            }

        comments = result.get("results", [])

        logger.info(
            f"Successfully retrieved {len(comments)} comments for alert ID: {alert_id}"
        )

        return {
            "success": True,
            "comments": comments,
            "total_comments": len(comments),
        }
    except Exception as e:
        logger.error(f"Failed to fetch alert comments: {str(e)}")
        return {
            "success": False,
            "message": f"Failed to fetch alert comments: {str(e)}",
        }

src/mcp_panther/panther_mcp_core/tools/alerts.py:365-370 (registration)
MCP tool registration using @mcp_tool decorator from .registry, specifying required ALERT_READ permissions and read-only hint.
```
@mcp_tool(
    annotations={
        "permissions": all_perms(Permission.ALERT_READ),
        "readOnlyHint": True,
    }
)
```

src/mcp_panther/panther_mcp_core/tools/alerts.py:371-380 (schema)

Input schema defined using Pydantic Annotated with Field validators: required alert_id (str, min_length=1), optional limit (int, 1-50, default=25). Output is dict[str, Any].

async def list_alert_comments(
    alert_id: Annotated[
        str,
        Field(min_length=1, description="The ID of the alert to get comments for"),
    ],
    limit: Annotated[
        int,
        Field(description="Maximum number of comments to return", ge=1, le=50),
    ] = 25,
) -> dict[str, Any]:

Tool Definition Quality

A4/5.0

Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations provide readOnlyHint=true, indicating a safe read operation. The description adds valuable context beyond this: it discloses required permissions ('Read Alerts'), describes the return structure (including success flag, comments list with fields, and error message), and mentions pagination behavior via the 'limit' parameter. This enriches the agent's understanding without contradicting annotations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured and front-loaded with the core purpose, followed by return details and permissions. It avoids redundancy, but the return value documentation is somewhat verbose; a more concise format (e.g., bullet points) could improve readability without losing clarity.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's moderate complexity (2 parameters, read-only operation), the description is complete: it covers purpose, return structure, and permissions. With annotations indicating safety and an output schema implied by the detailed return documentation, no critical gaps exist for agent usage. It effectively supplements structured fields without unnecessary repetition.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, with clear descriptions for 'alert_id' and 'limit' parameters. The description does not add semantic details beyond the schema (e.g., it doesn't explain comment ordering or default behaviors). Given the high schema coverage, a baseline score of 3 is appropriate, as the description relies on the schema for parameter documentation.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the specific action ('Get all comments') and resource ('for a specific Panther alert'), distinguishing it from siblings like 'add_alert_comment' (which creates comments) and 'get_alert' (which retrieves alert details). It precisely defines the tool's scope without ambiguity.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage by specifying the target resource ('Panther alert'), but lacks explicit guidance on when to use this tool versus alternatives like 'get_alert' (which might include comments) or 'add_alert_comment' (for creating comments). No exclusions or prerequisites are mentioned, leaving usage context partially inferred.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/panther-labs/mcp-panther'

If you have feedback or need assistance with the MCP directory API, please join our Discord server