Panther MCP Server

Official

by panther-labs

Overview Schema Related Servers Score Discussions

Python

Remote

disable_detection

DestructiveIdempotent

Turn off security detection rules or policies in Panther by setting them to disabled status.

Instructions

Disable a Panther detection by setting enabled to false.

Permissions:{'any_of': ['Manage Rules', 'Manage Policies']}

Input Schema

TableJSON Schema

Name	Required	Description	Default
`detection_id`	Yes	The ID of the detection to disable
`detection_type`	No	Type of detection to disable. Valid options: rules, scheduled_rules, simple_rules, or policies.	rules

Output Schema

TableJSON Schema

Name	Required	Description	Default
No arguments

Implementation Reference

src/mcp_panther/panther_mcp_core/tools/detections.py:517-523 (registration)
Registration of the disable_detection tool using the @mcp_tool decorator, specifying required permissions and hints for destructive and idempotent behavior.
```
@mcp_tool(
    annotations={
        "permissions": any_perms(Permission.RULE_MODIFY, Permission.POLICY_MODIFY),
        "destructiveHint": True,
        "idempotentHint": True,
    }
)
```

src/mcp_panther/panther_mcp_core/tools/detections.py:525-539 (schema)

Input schema for the disable_detection tool defined using Annotated types and Pydantic Field descriptions with examples.

    detection_id: Annotated[
        str,
        Field(
            description="The ID of the detection to disable",
            examples=["AWS.Suspicious.S3.Activity", "GCP.K8S.Privileged.Pod.Created"],
        ),
    ],
    detection_type: Annotated[
        str,
        Field(
            description="Type of detection to disable. Valid options: rules, scheduled_rules, simple_rules, or policies.",
            examples=["rules", "scheduled_rules", "simple_rules", "policies"],
        ),
    ] = "rules",
) -> dict[str, Any]:

src/mcp_panther/panther_mcp_core/tools/detections.py:524-590 (handler)

The handler function for disable_detection: validates input, fetches current detection, sets enabled=False, performs PUT update via REST client, handles errors and not-found cases.

async def disable_detection(
    detection_id: Annotated[
        str,
        Field(
            description="The ID of the detection to disable",
            examples=["AWS.Suspicious.S3.Activity", "GCP.K8S.Privileged.Pod.Created"],
        ),
    ],
    detection_type: Annotated[
        str,
        Field(
            description="Type of detection to disable. Valid options: rules, scheduled_rules, simple_rules, or policies.",
            examples=["rules", "scheduled_rules", "simple_rules", "policies"],
        ),
    ] = "rules",
) -> dict[str, Any]:
    """Disable a Panther detection by setting enabled to false."""
    logger.info(f"Disabling {detection_type} with ID: {detection_id}")

    # Validate detection type
    validation_error = validate_detection_types([detection_type])
    if validation_error:
        return validation_error

    # Use centralized field mapping
    field_map = SINGULAR_FIELD_MAP
    endpoint = get_endpoint_for_detection(detection_type, detection_id)

    try:
        async with get_rest_client() as client:
            # First get the current detection to preserve other fields
            current_detection, status = await client.get(
                endpoint, expected_codes=[200, 404]
            )

            if status == 404:
                return {
                    "success": False,
                    "message": f"{detection_type.replace('_', ' ').title()} with ID {detection_id} not found",
                }

            # Disable the detection by setting enabled to False
            # This modifies the API response object which is then sent back in the PUT request
            current_detection["enabled"] = False

            # Skip tests for simple disable operation (mainly for rules)
            params = (
                {"run-tests-first": "false"}
                if detection_type in ["rules", "scheduled_rules", "simple_rules"]
                else {}
            )

            # Make the update request
            result, _ = await client.put(
                endpoint, json_data=current_detection, params=params
            )

        logger.info(f"Successfully disabled {detection_type} with ID: {detection_id}")
        return {"success": True, field_map[detection_type]: result}

    except Exception as e:
        logger.error(f"Failed to disable {detection_type}: {str(e)}")
        return {
            "success": False,
            "message": f"Failed to disable {detection_type}: {str(e)}",
        }

Tool Definition Quality

A4.2/5.0

Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations indicate idempotentHint=true and destructiveHint=true, which the description does not contradict. The description adds value by specifying the permission requirements, which are not covered by annotations. It could provide more behavioral context (e.g., effects on alerts, rate limits), but with annotations present, the bar is lower, and the permission info is useful.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is two sentences, front-loaded with the main action and followed by permission details. Every sentence provides essential information without redundancy, making it efficient and well-structured.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (destructive mutation with permissions), annotations cover idempotency and destructiveness, and an output schema exists, the description is mostly complete. It includes permission requirements but could benefit from more context on outcomes or error handling. However, with output schema handling return values, it's sufficient.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, with clear descriptions for both parameters (detection_id and detection_type). The description does not add any additional semantic information beyond what the schema provides, such as explaining parameter interactions or edge cases. Baseline is 3 when schema coverage is high.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the specific action ('Disable a Panther detection') and the mechanism ('by setting enabled to false'), making the purpose explicit. It distinguishes this tool from sibling tools like 'get_detection' or 'list_detections' by focusing on modification rather than retrieval.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description includes permission requirements ('Permissions:{"any_of": ["Manage Rules", "Manage Policies"]}'), providing clear context for when to use this tool based on user access. However, it does not explicitly mention when not to use it or name alternatives (e.g., compared to other update tools), which prevents a perfect score.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/panther-labs/mcp-panther'

If you have feedback or need assistance with the MCP directory API, please join our Discord server