panther-labs

Panther MCP Server

Official

disable_detection

Disable specific security detections by setting 'enabled' to false on Panther MCP Server. Requires Manage Rules or Manage Policies permissions. Useful for managing rules and policies efficiently.

Instructions

Disable a Panther detection by setting enabled to false.

Permissions: {'any_of': ['Manage Rules', 'Manage Policies']}

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| detection_id | Yes | The ID of the detection to disable | |
| detection_type | No | Type of detection to disable. Valid options: rules, scheduled_rules, simple_rules, or policies. | rules |

Implementation Reference

  • @mcp_tool decorator registers the disable_detection function as an MCP tool with specific permissions and hints.
    @mcp_tool(
        annotations={
            "permissions": any_perms(Permission.RULE_MODIFY, Permission.POLICY_MODIFY),
            "destructiveHint": True,
            "idempotentHint": True,
        }
    )
  • The handler function that implements the logic to disable a Panther detection: validates input, fetches current state, sets enabled=False, and updates via API.
    async def disable_detection(
        detection_id: Annotated[
            str,
            Field(
                description="The ID of the detection to disable",
                examples=["AWS.Suspicious.S3.Activity", "GCP.K8S.Privileged.Pod.Created"],
            ),
        ],
        detection_type: Annotated[
            str,
            Field(
                description="Type of detection to disable. Valid options: rules, scheduled_rules, simple_rules, or policies.",
                examples=["rules", "scheduled_rules", "simple_rules", "policies"],
            ),
        ] = "rules",
    ) -> dict[str, Any]:
        """Disable a Panther detection by setting enabled to false."""
        logger.info(f"Disabling {detection_type} with ID: {detection_id}")

        # Validate detection type
        validation_error = validate_detection_types([detection_type])
        if validation_error:
            return validation_error

        # Use centralized field mapping
        field_map = SINGULAR_FIELD_MAP

        endpoint = get_endpoint_for_detection(detection_type, detection_id)

        try:
            async with get_rest_client() as client:
                # First get the current detection to preserve other fields
                current_detection, status = await client.get(
                    endpoint, expected_codes=[200, 404]
                )

                if status == 404:
                    return {
                        "success": False,
                        "message": f"{detection_type.replace('_', ' ').title()} with ID {detection_id} not found",
                    }

                # Disable the detection by setting enabled to False
                # This modifies the API response object which is then sent back in the PUT request
                current_detection["enabled"] = False

                # Skip tests for simple disable operation (mainly for rules)
                params = (
                    {"run-tests-first": "false"}
                    if detection_type in ["rules", "scheduled_rules", "simple_rules"]
                    else {}
                )

                # Make the update request
                result, _ = await client.put(
                    endpoint, json_data=current_detection, params=params
                )

            logger.info(f"Successfully disabled {detection_type} with ID: {detection_id}")
            return {"success": True, field_map[detection_type]: result}

        except Exception as e:
            logger.error(f"Failed to disable {detection_type}: {str(e)}")
            return {
                "success": False,
                "message": f"Failed to disable {detection_type}: {str(e)}",
            }
  • Pydantic-based input schema for the tool parameters using Annotated and Field for validation, descriptions, and examples.
        detection_id: Annotated[
            str,
            Field(
                description="The ID of the detection to disable",
                examples=["AWS.Suspicious.S3.Activity", "GCP.K8S.Privileged.Pod.Created"],
            ),
        ],
        detection_type: Annotated[
            str,
            Field(
                description="Type of detection to disable. Valid options: rules, scheduled_rules, simple_rules, or policies.",
                examples=["rules", "scheduled_rules", "simple_rules", "policies"],
            ),
        ] = "rules",
    ) -> dict[str, Any]:
  • Helper function used by disable_detection to validate the detection_type input.
    def validate_detection_types(detection_types: list[str]) -> dict[str, Any] | None:
        """Validate detection types and return error dict if invalid, None if valid."""
        if not detection_types:
            return {
                "success": False,
                "message": "At least one detection type must be specified.",
            }

        invalid_types = [dt for dt in detection_types if dt not in DETECTION_TYPES]
        if invalid_types:
            valid_types = ", ".join(DETECTION_TYPES.keys())
            return {
                "success": False,
                "message": f"Invalid detection_types {invalid_types}. Valid values are: {valid_types}",
            }
        return None
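
Because the tool is marked destructive and turns off detection coverage, a client that exposes it to an agent can gate each call before forwarding it. The sketch below is an added example, not code from the Panther MCP Server: `authorize_call`, `TOOL_META`, and the per-detection approval set are hypothetical, and only the permission names, hints, and schema values are taken from this page.

```python
from typing import Any

# Values copied from the tool's input schema and annotations on this page.
VALID_TYPES = ("rules", "scheduled_rules", "simple_rules", "policies")
TOOL_META = {
    "name": "disable_detection",
    "permissions": {"any_of": ["Manage Rules", "Manage Policies"]},
    "destructiveHint": True,
    "idempotentHint": True,
}


def _deny(reason: str) -> dict[str, Any]:
    return {"allow": False, "reason": reason, "args": None}


def authorize_call(
    args: dict[str, Any],
    granted: set[str],
    approved_ids: set[str],
    meta: dict[str, Any] = TOOL_META,
) -> dict[str, Any]:
    """Decide whether a disable_detection call may be forwarded (hypothetical gate)."""
    detection_id = args.get("detection_id")
    if not isinstance(detection_id, str) or not detection_id.strip():
        return _deny("detection_id is required")
    # detection_type is optional and defaults to "rules", as in the schema.
    detection_type = args.get("detection_type", "rules")
    if detection_type not in VALID_TYPES:
        return _deny(f"invalid detection_type {detection_type!r}")
    # any_of semantics: holding one of the listed permissions is enough.
    if not granted & set(meta["permissions"]["any_of"]):
        return _deny("caller holds neither Manage Rules nor Manage Policies")
    # Assumed local policy: destructive tools need a per-detection approval.
    if meta.get("destructiveHint") and detection_id not in approved_ids:
        return _deny(f"{detection_id} is not approved for disabling")
    normalized = {"detection_id": detection_id, "detection_type": detection_type}
    return {"allow": True, "reason": "ok", "args": normalized}


if __name__ == "__main__":
    # Constructed sample calls; the detection ID is one of the schema's examples.
    approved = {"AWS.Suspicious.S3.Activity"}
    for call in ({"detection_id": "AWS.Suspicious.S3.Activity"},
                 {"detection_id": "GCP.K8S.Privileged.Pod.Created"},
                 {"detection_id": "AWS.Suspicious.S3.Activity", "detection_type": "rule"}):
        print(call, "->", authorize_call(call, {"Manage Rules"}, approved))
```

Logging every decision, denied or allowed, gives a record to compare against detections that later show up as disabled.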

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/panther-labs/mcp-panther'