Skip to main content
Panther Knowledge Base

Can the alert_context function in Panther return a list of values?


Can the elements in the dictionary returned by alert_context be a list of values rather than just a string?


Yes, this is possible. Instead of returning a single string, you can also return a list of strings.

Below you can see an example using a detection on Okta logs that sends an alert to Slack.

The alert_context function was defined as shown below:

def alert_context(event):
    return {
        "actor": deep_get(event, "actor", "displayName"),
        "id": deep_get(event, "actor", "id"),

The value of the "message" key of the dictionary was set as a list instead of a single value. The alert context that will be delivered is the following:

Alert Context
   "actor": <ACTOR_NAME>,
   "id": "00u5m5crdnTG8zRAq5d7",
   "message": [
       "User logout from Okta",


  • Was this article helpful?