panther-labs

Panther MCP Server

Official

update_alert_status

Modify the status of security alerts in Panther's monitoring platform to track investigation progress and resolution.

Instructions

Update the status of one or more Panther alerts.

Returns: Dict containing:
  - success: Boolean indicating if the update was successful
  - alerts: List of updated alert IDs if successful
  - message: Error message if unsuccessful

Permissions: {'all_of': ['Manage Alerts']}

Input Schema

Name       Required  Description                  Default
alert_ids  Yes       List of alert IDs to update
status     Yes       New status for the alerts

Implementation Reference

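  • The complete tool implementation, including the @mcp_tool registration decorator, the Pydantic input schema with validation, and the handler logic that sends a PATCH request to the Panther REST API to update the status of the specified alerts.
    from typing import Annotated, Any

    from pydantic import BeforeValidator, Field

    # mcp_tool, all_perms, Permission, get_rest_client, logger and
    # _validate_alert_status are project-internal names defined elsewhere in
    # the Panther MCP Server code base; they are not shown in this excerpt.
    @mcp_tool(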
        annotations={
            "permissions": all_perms(Permission.ALERT_MODIFY),
            "destructiveHint": True,
            "idempotentHint": True,
        }
    )
    async def update_alert_status(
        alert_ids: Annotated[
            list[str],
            Field(description="List of alert IDs to update"),
        ],
        status: Annotated[
            str,
            BeforeValidator(_validate_alert_status),
            Field(
                description="New status for the alerts",
                examples=["OPEN", "TRIAGED", "RESOLVED", "CLOSED"],
            ),
        ],
    ) -> dict[str, Any]:
        """Update the status of one or more Panther alerts.
    
        Returns:
            Dict containing:
            - success: Boolean indicating if the update was successful
            - alerts: List of updated alert IDs if successful
            - message: Error message if unsuccessful
        """
        logger.info(f"Updating status for alerts {alert_ids} to {status}")
    
        try:
            # Validate status (defensive programming - should also be caught by validator)
            valid_statuses = {"OPEN", "TRIAGED", "RESOLVED", "CLOSED"}
            if status not in valid_statuses:
                raise ValueError(
                    f"Invalid status '{status}'. Must be one of: {', '.join(sorted(valid_statuses))}"
                )
            # Prepare request body
            body = {
                "ids": alert_ids,
                "status": status,
            }
    
            # Execute the REST API call
            async with get_rest_client() as client:
                result, status_code = await client.patch(
                    "/alerts", json_data=body, expected_codes=[204, 400, 404]
                )
    
            if status_code == 404:
                logger.error(f"One or more alerts not found: {alert_ids}")
                return {
                    "success": False,
                    "message": f"One or more alerts not found: {alert_ids}",
                }
    
            if status_code == 400:
                logger.error(f"Bad request when updating alert status: {alert_ids}")
                return {
                    "success": False,
                    "message": f"Bad request when updating alert status: {alert_ids}",
                }
    
            logger.info(f"Successfully updated {len(alert_ids)} alerts to status {status}")
    
            return {
                "success": True,
                "alerts": alert_ids,  # Return the IDs that were updated
            }
    
        except Exception as e:
            logger.error(f"Failed to update alert status: {str(e)}")
            return {
                "success": False,
                "message": f"Failed to update alert status: {str(e)}",
            }

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/panther-labs/mcp-panther'