Skip to content

Alerts

Reference for the 10 CryptoComply MCP tools in the Alerts family.

Tools in this group

alert_assign

Read-only: no.

Assign an alert to an organization member, or clear its assignee.

Pass assigned_to_user_id (from member_list) to hand the alert to that member — the alert.assigned_to_me notification fires and a rationale of at least 10 characters is required. Pass null (or omit it) to clear the assignee back to the unassigned pool.

To take an alert yourself, use alert_claim — self-assignment is rejected here so that picking up your own work always runs through claim (which also moves the alert to UNDER_REVIEW).

Two-step write tool. First call without confirm_token returns a dry-run preview + a 60-second token. Second call with the same arguments + confirm_token applies the change. On success: {status: "ok", alert_id, assigned_to_user_id, assigned_to_email} (assigned_to_user_id and assigned_to_email are null when cleared).

Parameters

  • organization_id (int, required) — Organization the alert belongs to.
  • alert_id (int, required) — Alert id (from alert_list.results[].id).
  • assigned_to_user_id (int | None, optional) — User id to assign the alert to (from member_list). Pass null or omit to clear the assignee (unassign). To take it yourself, use alert_claim.
  • rationale (str | None, optional) — Why the alert is being handed to another member. Required when assigning to a member; delivered to the assignee. Not used when clearing.
  • confirm_token (str | None, optional) — Token from a prior dry-run call. Omit on the first call.

alert_bulk_assign

Read-only: no.

Assign multiple alerts to the same member in one call, or clear them all. Pass assigned_to_user_id (from member_list) to hand every alert to that member, or null to clear the assignee on each — back to the unassigned pool.

rationale is required when assigned_to_user_id is a member (at least 10 characters); it is delivered to the assignee and applies to every alert in the batch. Not used when clearing. To take alerts yourself, claim each via alert_claim.

Two-step write tool. Each id is processed individually; per-row failures do not abort the batch.

Returns the bulk-result envelope ({summary, results, truncated}); each results[] row carries status (succeeded/failed) and, on failure, a nested error.

Parameters

  • organization_id (int, required) — Organization the alerts belong to.
  • alert_ids (list, required) — Alert ids to assign.
  • assigned_to_user_id (int | None, optional) — User id (from member_list). Pass null to clear the assignee on every alert.
  • rationale (str | None, optional) — Why the alerts are being handed to another member. Required when assigning to a member; delivered to the assignee. Not used when clearing.
  • confirm_token (str | None, optional) — Token from a prior dry-run call. Omit on the first call.

alert_bulk_close

Read-only: no.

Close multiple alerts in a single call with the same disposition and rationale. Useful for end-of-day triage when a batch of alerts share the same outcome (e.g. all false positives).

Two-step write tool. Per-row failures do not abort the batch.

Assignment required per alert. Each alert is closed only if you are its current assignee. Rows where you are not the assignee land in the results as failed with a nested error. To bulk-claim first, iterate alert_assign over the ids, then retry alert_bulk_close.

Returns the bulk-result envelope ({summary, results, truncated}); each results[] row carries status (succeeded/failed) and, on failure, a nested error.

Parameters

  • organization_id (int, required) — Organization the alerts belong to.
  • alert_ids (list, required) — Alert ids to close.
  • result (Literal, required) — Investigation disposition applied to every alert in the batch.
  • closing_rationale (str, required) — Closing rationale applied to every alert in the batch.
  • confirm_token (str | None, optional) — Token from a prior dry-run call. Omit on the first call.

alert_claim

Read-only: no.

Claim an alert for yourself. Sets assigned_to to the caller and transitions an OPEN alert to UNDER_REVIEW. Requires only alert.update, unlike alert_assign which requires the manager-level alert.assign. This is the standard triage flow for analysts picking up unassigned work.

Take-over. When the alert is already assigned to a different user, pass force=true together with a rationale of at least 10 characters explaining why the take-over is justified. The rationale lands on the audit trail.

Two-step write tool. First call without confirm_token returns a dry-run preview + a 60-second token. Second call with the same arguments + confirm_token applies the change.

On success: {status: "ok", alert_id, claimed_by_user_id}.

Parameters

  • organization_id (int, required) — Organization the alert belongs to.
  • alert_id (int, required) — Alert id (from alert_list.results[].id).
  • force (bool, optional) — Required when the alert is already assigned to another user. Pair with rationale.
  • rationale (str | None, optional) — Take-over justification — required when force=true. Min 10 characters. Ignored on a normal self-claim.
  • confirm_token (str | None, optional) — Token from a prior dry-run call. Omit on the first call.

alert_close

Read-only: no.

Close an alert with a disposition and analyst rationale.

Two-step write tool. First call without confirm_token returns a dry-run preview + a 60-second token. Second call with the same arguments + confirm_token applies the change.

result is one of the AlertResult codes: CL (Cleared), RA (Risk Accepted), ED (EDD Required), OB (Offboarding Required). closing_rationale must be at least 10 characters and is immutable after close.

Assignment required. You must be the alert's current assignee. If the call fails with code: alert.assignee_required, claim the alert via alert_claim (or, if it is currently held by another user and you have alert.assign permission, take it over with alert_assign) and retry this call with the same arguments.

On success: {status: "ok", alert_id, result}.

Parameters

  • organization_id (int, required) — Organization the alert belongs to.
  • alert_id (int, required) — Alert id (from alert_list.results[].id).
  • result (Literal, required) — Investigation disposition (AlertResult code).
  • closing_rationale (str, required) — Analyst's reasoning for the chosen result.
  • confirm_token (str | None, optional) — Token from a prior dry-run call. Omit on the first call.

alert_escalate

Read-only: no.

Escalate an alert to another organization member with a written reason.

Two-step write tool. Transfers assigned_to to the recipient, stamps escalated_by / escalated_to / escalated_at, and fires the alert.escalated notification.

escalation_reason must be at least 10 characters. escalated_to_user_id must be a member of the alert's organization and different from the caller.

Assignment required. You must be the alert's current assignee. If the call fails with code: alert.assignee_required, claim the alert via alert_claim (or, if it is currently held by another user and you have alert.assign permission, take it over with alert_assign) and retry this call with the same arguments.

On success: {status: "ok", alert_id, escalated_to_user_id}.

Parameters

  • organization_id (int, required) — Organization the alert belongs to.
  • alert_id (int, required) — Alert id (from alert_list.results[].id).
  • escalated_to_user_id (int, required) — Recipient user id (from member_list). Must differ from the caller.
  • escalation_reason (str, required) — Why the alert is being escalated. Visible to the recipient.
  • confirm_token (str | None, optional) — Token from a prior dry-run call. Omit on the first call.

alert_evidence_retrieve

Read-only: yes.

Get the underlying evidence that triggered an alert. The payload shape depends on alert type:

  • watchlist: list of ProfileInquiry hits (inquired_name, result_name, record_type, resolution, created_at).
  • blockchain_address: previous and current BlockchainAddressInquiry (risk, total_exposure_usd, http_code, created_at).
  • negative_news: only news_found_count is available — per-article evidence is not stored.

Use after alert_retrieve when the analyst wants to drill into the specific hits / risk diff that caused the alert.

Parameters

  • organization_id (int, required) — Organization the alert belongs to.
  • alert_id (int, required) — Alert id.

alert_list

Read-only: yes.

List alerts for an organization across all subtypes (watchlist hits, blockchain-address risk changes, negative-news). Use when the user asks about alerts, items needing review, or what's on their plate today. Combine status=open with assigned_to_me=true to triage your queue.

Returns {count, limit, offset, has_more, results: [AlertSummary]} where each row is {id, type, name, status, assigned_to_user_id, profile_id, blockchain_address_id, created_at, updated_at} — exactly one of profile_id / blockchain_address_id is populated per the alert's type.

Parameters

  • organization_id (int, required) — Organization to list alerts for.
  • status (Optional, optional) — Filter by alert status: open, closed, escalated, or under_review.
  • alert_type (Optional, optional) — Filter by alert subtype.
  • profile_id (int | None, optional) — Filter by associated profile id.
  • assigned_to_user_id (int | None, optional) — Filter by the user the alert is assigned to.
  • assigned_to_me (bool | None, optional) — True = restrict to alerts assigned to the caller.
  • unassigned (bool | None, optional) — True = only alerts with no assignee (assigned_to IS NULL). False = only alerts with an assignee. Omit for both. Standard triage filter.
  • opened_more_than_days_ago (int | None, optional) — Restrict to alerts created strictly more than N days ago. Used for SLA hygiene queries like 'show me alerts open more than 7 days'.
  • name_contains (str | None, optional) — Case-insensitive substring match on the alert name.
  • updated_after (datetime.datetime | None, optional) — Only include alerts modified at or after this UTC timestamp.
  • created_after (datetime.datetime | None, optional) — Only include alerts created at or after this UTC timestamp.
  • created_before (datetime.datetime | None, optional) — Only include alerts created before this UTC timestamp.
  • sort_by (Literal, optional) — Sort order. Prefix with '-' for descending (e.g. '-created_at' for newest first).
  • limit (int, optional) — Max results (1-100).
  • offset (int, optional) — Results to skip for pagination.

Read-only: yes.

List other open or closed alerts that share this alert's subject — same profile for watchlist/negative-news, same blockchain address for blockchain-address alerts. The alert itself is always excluded. Use before closing or escalating to check whether the subject already has history elsewhere on the same workflow.

Returns {count, limit, offset, has_more, results: [AlertSummary]}.

Parameters

  • organization_id (int, required) — Organization the alert belongs to.
  • alert_id (int, required) — Alert id (from alert_list.results[].id).
  • limit (int, optional) — Max results (1-100).
  • offset (int, optional) — Results to skip for pagination.

alert_retrieve

Read-only: yes.

Get full details of one alert including subtype-specific evidence.

Returns an AlertDetail whose payload is a discriminated union: WatchlistPayload (profile match + hit counts by resolution), BlockchainAddressPayload (prev→current risk with inquiry refs), or NegativeNewsPayload (profile + news_found_count). The top-level type field tells you which payload variant to expect.

Parameters

  • organization_id (int, required) — Organization the alert belongs to.
  • alert_id (int, required) — Alert id (from alert_list.results[].id).