MCP.so
Sign In

Panther MCP Server

@panther-labs

About Panther MCP Server

Write detections, investigate alerts, and query logs from your favorite AI agents

Basic information

Category

Other

License

Apache-2.0

Runtime

python

Transports

stdio

Publisher

panther-labs

Config

Add this server to your MCP-compatible client using the configuration below.

{
  "mcpServers": {
    "mcp-panther": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "-e",
        "PANTHER_INSTANCE_URL",
        "-e",
        "PANTHER_API_TOKEN",
        "--rm",
        "ghcr.io/panther-labs/mcp-panther"
      ],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-API-KEY"
      }
    }
  }
}

Tools

36

Add a comment to a Panther alert

Start an AI-powered triage analysis for a Panther alert with intelligent insights and recommendations

Retrieve the latest AI triage summary previously generated for a specific alert

Get detailed information about a specific alert

Get a small sampling of events for a given alert

List alerts with comprehensive filtering options (date range, severity, status, etc.)

Bulk update multiple alerts with status, assignee, and/or comment changes

Update the assignee of one or more alerts

Update the status of one or more alerts

List all comments for a specific alert

Execute SQL queries against Panther's data lake with synchronous results

Get schema information for a specific table

List all available data lake databases in Panther

List all available tables for a specific database in Panther's data lake

Analyze patterns and relationships across multiple alerts by aggregating their event data into time-based statistics

List all scheduled queries with pagination support

Get detailed information about a specific scheduled query by ID

List log sources with optional filters (health status, log types, integration type)

Get detailed information about a specific HTTP log source by ID

List detections from Panther with comprehensive filtering support. Supports multiple detection types and filtering by name, state, severity, tags, log types, resource types, output IDs (destinations), and more. Returns outputIDs for each detection showing configured alert destinations

Get detailed information about a specific detection including the detection body and tests. Accepts a list with one detection type: ["rules"], ["scheduled_rules"], ["simple_rules"], or ["policies"]

Disable a detection by setting enabled to false. Supports rules, scheduled_rules, simple_rules, and policies

List global helper functions with comprehensive filtering options (name search, creator, modifier)

Get detailed information and complete Python code for a specific global helper

List data models that control UDM mappings in rules

Get detailed information about a specific data model

List available log type schemas with optional filters

Get detailed information for specific log type schemas

Get metrics about alerts grouped by rule

Get metrics about alerts grouped by severity

Get data ingestion metrics by log type and source

List all Panther user accounts with pagination support

Get detailed information about a specific user

Get the current user's permissions

List all roles with filtering options (name search, role IDs, sort direction)

Get detailed information about a specific role including permissions

Overview

What is Panther MCP Server?

Panther MCP Server is an MCP integration for the Panther security platform. It allows you to write and tune detections from your IDE, interactively query security logs using natural language, and triage, comment, and resolve one or many alerts.

How to use Panther MCP Server?

Install via Docker (recommended) or uvx. Set the PANTHER_INSTANCE_URL and PANTHER_API_TOKEN environment variables with your Panther instance URL and a generated API token. Then connect an MCP client such as Cursor, Claude Code, or Claude Desktop.

Key features of Panther MCP Server

  • Write and tune detections directly from your IDE.
  • Query security logs using natural language via the Data Lake.
  • AI-powered alert triage with intelligent insights and summaries.
  • Bulk update alerts, assignees, and statuses.
  • Manage detection rules, global helpers, data models, and schemas.

Use cases of Panther MCP Server

  • Security engineers writing and testing detection rules from their editor.
  • Incident responders querying logs and triaging alerts by natural language.
  • SOC teams managing alerts in bulk—adding comments, assigning, and resolving.
  • Platform operators monitoring data ingestion volumes and alert metrics.
  • Security analysts inspecting schema, data models, and detection configurations.

FAQ from Panther MCP Server

What tools are available in Panther MCP Server?

Tools are organized into categories: Alerts, Data Lake, Scheduled Queries, Sources, Detections, Global Helpers, Data Models, Schemas, Metrics, and Users & Access Management. Each includes specific functions like list_detections, query_data_lake, add_alert_comment, and get_ai_alert_triage_summary.

How do I install and configure the server?

You can run the server via Docker (ghcr.io/panther-labs/mcp-panther) or via uvx from PyPI. Both methods require the environment variables PANTHER_INSTANCE_URL and PANTHER_API_TOKEN.

What permissions does the API token need?

Create an API token in Panther (Settings → API Tokens). The README recommends starting with read-only permissions and shows screenshots of the required permission selections.

Can I pin to a specific version?

Yes. For production stability, pin to a specific version tag for Docker (e.g., v2.2.0) or a version specifier for uvx (e.g., mcp-panther==2.2.0).

Which MCP clients are supported?

Setup instructions are provided for Cursor, Claude Code (Anthropic's CLI), and Claude Desktop.

Comments

More Other MCP servers