list_detections

Retrieve and filter detections from Panther by type, severity, state, or tags. Supports pagination and substring searches for efficient rule and policy management in security monitoring.

Instructions

List detections from your Panther instance with support for multiple detection types and filtering.

Permissions:{'all_of': ['View Rules', 'View Policies']}

Input Schema

Name	Required	Description	Default
`compliance_status`	No	Filter by compliance status (applies to policies only) - 'PASS', 'FAIL', or 'ERROR'
`created_by`	No	Filter by creator user ID or actor ID
`cursor`	No	Optional cursor for pagination from a previous query (only supported for single detection type)
`detection_types`	No	One or more detection types - rules, scheduled_rules, simple_rules, or policies.
`last_modified_by`	No	Filter by last modifier user ID or actor ID
`limit`	No	Maximum number of results to return per detection type
`log_type`	No	A list of log types to filter by (applies to rules and simple-rules only).
`name_contains`	No	Substring search by name (case-insensitive)
`resource_type`	No	Filter by resource types (applies to policies only) - list of resource type names
`severity`	No	Filter by severity levels - INFO, LOW, MEDIUM, HIGH, or CRITICAL.
`state`	No	Filter by state - 'enabled' or 'disabled'	enabled
`tag`	No	A case-insensitive list of tags to filter by.

Input Schema (JSON Schema)

{
  "properties": {
    "compliance_status": {
      "anyOf": [
        {
          "type": "string"
        },
        {
          "type": "null"
        }
      ],
      "default": null,
      "description": "Filter by compliance status (applies to policies only) - 'PASS', 'FAIL', or 'ERROR'",
      "title": "Compliance Status"
    },
    "created_by": {
      "anyOf": [
        {
          "type": "string"
        },
        {
          "type": "null"
        }
      ],
      "default": null,
      "description": "Filter by creator user ID or actor ID",
      "title": "Created By"
    },
    "cursor": {
      "anyOf": [
        {
          "type": "string"
        },
        {
          "type": "null"
        }
      ],
      "default": null,
      "description": "Optional cursor for pagination from a previous query (only supported for single detection type)",
      "title": "Cursor"
    },
    "detection_types": {
      "default": [
        "rules"
      ],
      "description": "One or more detection types - rules, scheduled_rules, simple_rules, or policies.",
      "examples": [
        [
          "rules",
          "simple_rules",
          "scheduled_rules"
        ],
        [
          "policies"
        ]
      ],
      "items": {
        "type": "string"
      },
      "title": "Detection Types",
      "type": "array"
    },
    "last_modified_by": {
      "anyOf": [
        {
          "type": "string"
        },
        {
          "type": "null"
        }
      ],
      "default": null,
      "description": "Filter by last modifier user ID or actor ID",
      "title": "Last Modified By"
    },
    "limit": {
      "default": 100,
      "description": "Maximum number of results to return per detection type",
      "maximum": 1000,
      "minimum": 1,
      "title": "Limit",
      "type": "integer"
    },
    "log_type": {
      "default": [],
      "description": "A list of log types to filter by (applies to rules and simple-rules only).",
      "examples": [
        [
          "AWS.CloudTrail",
          "GCP.AuditLog"
        ]
      ],
      "items": {
        "type": "string"
      },
      "title": "Log Type",
      "type": "array"
    },
    "name_contains": {
      "anyOf": [
        {
          "type": "string"
        },
        {
          "type": "null"
        }
      ],
      "default": null,
      "description": "Substring search by name (case-insensitive)",
      "title": "Name Contains"
    },
    "resource_type": {
      "default": [],
      "description": "Filter by resource types (applies to policies only) - list of resource type names",
      "examples": [
        [
          "AWS.S3.Bucket",
          "AWS.EC2.SecurityGroup"
        ]
      ],
      "items": {
        "type": "string"
      },
      "title": "Resource Type",
      "type": "array"
    },
    "severity": {
      "default": [
        "MEDIUM",
        "HIGH",
        "CRITICAL"
      ],
      "description": "Filter by severity levels - INFO, LOW, MEDIUM, HIGH, or CRITICAL.",
      "examples": [
        [
          "MEDIUM",
          "HIGH",
          "CRITICAL"
        ],
        [
          "INFO",
          "LOW"
        ]
      ],
      "items": {
        "type": "string"
      },
      "title": "Severity",
      "type": "array"
    },
    "state": {
      "default": "enabled",
      "description": "Filter by state - 'enabled' or 'disabled'",
      "title": "State",
      "type": "string"
    },
    "tag": {
      "default": [],
      "description": "A case-insensitive list of tags to filter by.",
      "examples": [
        [
          "Initial Access",
          "Persistence"
        ]
      ],
      "items": {
        "type": "string"
      },
      "title": "Tag",
      "type": "array"
    }
  },
  "type": "object"
}

Panther MCP Server

list_detections

Instructions

Input Schema

Input Schema (JSON Schema)

Other Tools from Panther MCP Server

Related Tools

MCP directory API