The Panther MCP Server enables interactive security log analysis and alert management through natural language queries and IDE integrations. It provides the following capabilities:
Supports running the MCP server in a Docker container for a secure, sandboxed environment with minimal blast radius.
Provides access to GitHub functionality through global helpers for handling GitHub events.
Provides Python-based functionality for rule creation, data querying, and alert management through PyPI package distribution.
Integrates with the Ruff linter for Python code quality checking, as indicated by the badge in the README.
Panther's Model Context Protocol (MCP) server provides functionality to:
| Tool Name | Description | Sample Prompt |
|---|---|---|
add_alert_comment | Add a comment to a Panther alert | "Add comment 'Looks pretty bad' to alert abc123" |
get_alert_by_id | Get detailed information about a specific alert | "What's the status of alert 8def456?" |
get_alert_events | Get a small sampling of events for a given alert | "Show me events associated with alert 8def456" |
list_alerts | List alerts with comprehensive filtering options (date range, severity, status, etc.) | "Show me all high severity alerts from the last 24 hours" |
update_alert_assignee_by_id | Update the assignee of one or more alerts | "Assign alerts abc123 and def456 to John" |
update_alert_status | Update the status of one or more alerts | "Mark alerts abc123 and def456 as resolved" |
list_alert_comments | List all comments for a specific alert | "Show me all comments for alert abc123" |
| Tool Name | Description | Sample Prompt |
|---|---|---|
execute_data_lake_query | Execute SQL queries against Panther's data lake | "Query AWS CloudTrail logs for failed login attempts in the last day" |
get_data_lake_query_results | Get results from a previously executed data lake query | "Get results for query ID abc123" |
list_data_lake_queries | List previously executed data lake queries with comprehensive filtering options | "Show me all running queries from the last hour" |
cancel_data_lake_query | Cancel a running data lake query to free up resources and prevent system overload | "Cancel query abc123 that's taking too long" |
get_sample_log_events | Get a sample of 10 recent events for a specific log type | "Show me sample events from AWS_CLOUDTRAIL logs" |
get_table_schema | Get schema information for a specific table | "Show me the schema for the AWS_CLOUDTRAIL table" |
list_databases | List all available data lake databases in Panther | "List all available databases" |
list_log_sources | List log sources with optional filters (health status, log types, integration type) | "Show me all healthy S3 log sources" |
list_database_tables | List all available tables for a specific database in Panther's data lake | "What tables are in the panther_logs database" |
summarize_alert_events | Analyze patterns and relationships across multiple alerts by aggregating their event data | "Show me patterns in events from alerts abc123 and def456" |
| Tool Name | Description | Sample Prompt |
|---|---|---|
disable_rule | Disable a rule by setting enabled to false | "Disable rule abc123" |
get_global_helper_by_id | Get detailed information about a specific global helper | "Get details for global helper ID panther_github_helpers" |
get_policy_by_id | Get detailed information about a specific policy | "Get details for policy ID AWS.S3.Bucket.PublicReadACP" |
get_rule_by_id | Get detailed information about a specific rule | "Get details for rule ID abc123" |
get_scheduled_rule_by_id | Get detailed information about a specific scheduled rule | "Get details for scheduled rule abc123" |
get_simple_rule_by_id | Get detailed information about a specific simple rule | "Get details for simple rule abc123" |
list_global_helpers | List all Panther global helpers with optional pagination | "Show me all global helpers for CrowdStrike events" |
list_policies | List all Panther policies with optional pagination | "Show me all policies for AWS resources" |
list_rules | List all Panther rules with optional pagination | "Show me all enabled rules" |
list_scheduled_rules | List all scheduled rules with optional pagination | "List all scheduled rules in Panther" |
list_simple_rules | List all simple rules with optional pagination | "Show me all simple rules in Panther" |
put_rule | Update an existing rule or create a new one | "Update rule abc123 with new severity HIGH" |
list_data_models | List data models that control UDM mappings in rules | "Show me all data models for log parsing" |
get_data_model_by_id | Get detailed information about a specific data model | "Get the complete details for the 'AWS_CloudTrail' data model" |
list_globals | List global helper functions with filtering options | "Show me global helpers containing 'aws' in the name" |
get_global_by_id | Get detailed information and code for a specific global helper | "Get the complete code for global helper 'AWSUtilities'" |
| Tool Name | Description | Sample Prompt |
|---|---|---|
list_log_type_schemas | List available log type schemas with optional filters | "Show me all AWS-related schemas" |
get_panther_log_type_schema | Get detailed information for specific log type schemas | "Get full details for AWS.CloudTrail schema" |
| Tool Name | Description | Sample Prompt |
|---|---|---|
get_rule_alert_metrics | Get metrics about alerts grouped by rule | "Show top 10 rules by alert count" |
get_severity_alert_metrics | Get metrics about alerts grouped by severity | "Show alert counts by severity for the last week" |
get_bytes_processed_per_log_type_and_source | Get data ingestion metrics by log type and source | "Show me data ingestion volume by log type" |
| Tool Name | Description | Sample Prompt |
|---|---|---|
list_panther_users | List all Panther user accounts | "Show me all active Panther users" |
get_user_by_id | Get detailed information about a specific user | "Get details for user ID 'john.doe@company.com'" |
get_permissions | Get the current user's permissions | "What permissions do I have?" |
list_roles | List all roles with filtering options (name search, role IDs, sort direction) | "Show me all roles containing 'Admin' in the name" |
get_role_by_id | Get detailed information about a specific role including permissions | "Get complete details for the 'Admin' role" |
Panther highly recommends the following MCP best practices:
mcp-scan. Utilize the mcp-scan tool by invariantlabs for common vulnerabilities.
https://YOUR-PANTHER-INSTANCE.domain)https://Choose one of the following installation methods:
The easiest way to get started is using our pre-built Docker image:
For Python users, you can run directly from PyPI using uvx:
Follow the instructions here to configure your project or global MCP configuration. It's VERY IMPORTANT that you do not check this file into version control.
Once configured, navigate to Cursor Settings > MCP to view the running server:
Tips:
@ symbol and then typing a specific directory.To use with Claude Desktop, manually configure your claude_desktop_config.json:
If you run into any issues, try the troubleshooting steps here.
Use with Goose, Block's open-source AI agent:
The --compat-mode flag enables compatibility mode for broader MCP client support, especially for clients using older MCP versions that may not support all the latest features.
Check the server logs for detailed error messages: tail -n 20 -F ~/Library/Logs/Claude/mcp*.log. Common issues and solutions are listed below.
{"success": false, "message": "Failed to [action]: Request failed (HTTP 403): {\"error\": \"forbidden\"}"} error, it likely means your API token lacks the particular permission needed by the tool.config://panther resource from your MCP Client.This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
This project exists thanks to all the people who contribute. Special thanks to Tomasz Tchorz and Glenn Edwards from Block, who played a core role in launching MCP-Panther as a joint open-source effort with Panther.
See our CONTRIBUTORS.md for a complete list of contributors.
We welcome contributions to improve MCP-Panther! Here's how you can help:
Please ensure your contributions follow our coding standards and include appropriate tests and documentation.
remote-capable server
The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.
Official MCP Server for Panther's security monitoring platform. Write detection rules, investigate alerts, and query security logs using natural language through Claude, Cursor, and other MCP-compatible clients.
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/panther-labs/mcp-panther'
If you have feedback or need assistance with the MCP directory API, please join our Discord server