panther-labs

Panther MCP Server

Official

query_data_lake

Read-only

Execute SQL queries on Panther's security data lake to analyze logs, investigate threats, and perform security monitoring with required time filters for optimal performance.

Instructions

Query Panther's security data lake using SQL for log analysis and threat hunting.

REQUIRED: Include time filter with p_event_time (required for performance and partitioning)

Panther Time Filter Macros (Recommended - optimized for performance):

  • p_occurs_since(timeOffset [, tableAlias[, column]])
    Examples: p_occurs_since('1 d'), p_occurs_since('6 h'), p_occurs_since('2 weeks'), p_occurs_since(3600)
    Time formats: '30 s', '15 m', '6 h', '2 d', '1 w' OR '2 weeks', '1 day' OR numeric seconds

  • p_occurs_between(startTime, endTime [, tableAlias[, column]]) Examples: p_occurs_between('2024-01-01', '2024-01-02'), p_occurs_between('2024-03-20T00:00:00Z', '2024-03-20T23:59:59Z')

  • p_occurs_around(timestamp, timeOffset [, tableAlias[, column]]) Example: p_occurs_around('2024-01-15T10:30:00Z', '1 h') # ±1 hour around timestamp

  • p_occurs_after(timestamp [, tableAlias[, column]])

  • p_occurs_before(timestamp [, tableAlias[, column]])

Alternative (manual): WHERE p_event_time >= '2024-01-01' AND p_event_time < '2024-01-02'

Best Practices:

  • Always use time filters (macros preferred over manual p_event_time conditions)

  • Start with summary queries, then drill down to specific timeframes

  • Use p_any_* fields for faster correlation (p_any_ip_addresses, p_any_usernames, p_any_emails)

  • Query specific fields instead of SELECT * for better performance

Pagination:

  • First call: No cursor parameter - returns first page with max_rows results

  • Subsequent calls: Use next_cursor from previous response to get next page

  • Continue until has_next_page is False
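The time-filter requirement above and the cursor-driven pagination contract (first call without a cursor, then follow next_cursor until has_next_page is False) are easiest to see in a small client. The following is an added example and is not code from the Panther MCP server or from Glama: has_time_filter is a hypothetical pre-flight check that a query constrains p_event_time (via a p_occurs_* macro or a manual comparison) before it is sent, FakeDataLake is a constructed stand-in that serves invented rows under the result keys the tool documents, and fetch_all drains the pages. The field names, the row values and the cursor encoding are assumptions made for the example.

```python
import re
from typing import Any, Optional

# Constructed sample rows standing in for aws_cloudtrail events; invented for this example.
SAMPLE_ROWS: list[dict[str, Any]] = [
    {"p_event_time": f"2024-01-15T10:{i:02d}:00Z", "sourceipaddress": ip, "errorcode": err}
    for i, (ip, err) in enumerate([
        ("203.0.113.10", "AccessDenied"),
        ("203.0.113.10", None),
        ("198.51.100.7", "AccessDenied"),
        ("198.51.100.7", "AccessDenied"),
        ("192.0.2.44", None),
        ("203.0.113.10", "AccessDenied"),
        ("192.0.2.44", "InvalidClientTokenId"),
    ])
]

# The IP activity summary query from the tool description.
QUERY = ("SELECT sourceipaddress, COUNT(*) FROM panther_logs.public.aws_cloudtrail "
         "WHERE p_occurs_since('6 h') GROUP BY sourceipaddress")

# Either a Panther time macro or a manual p_event_time comparison counts as a time filter.
_TIME_FILTER = re.compile(
    r"(p_occurs_(?:since|between|around|after|before)\s*\(|p_event_time\s*(?:>=|<=|>|<|=|BETWEEN\b))",
    re.IGNORECASE,
)


def has_time_filter(sql: str) -> bool:
    """Hypothetical pre-flight check: the WHERE clause must constrain p_event_time."""
    where = re.search(r"\bWHERE\b", sql, re.IGNORECASE)
    if not where:
        return False
    return _TIME_FILTER.search(sql, where.end()) is not None


class FakeDataLake:
    """Constructed stand-in for query_data_lake. It does not parse SQL; it only pages
    through the rows it was given using the documented response keys."""

    def __init__(self, rows: list[dict[str, Any]]):
        self._rows = rows

    def query(self, sql: str, max_rows: int = 3, cursor: Optional[str] = None) -> dict[str, Any]:
        if not has_time_filter(sql):
            return {"success": False, "status": "rejected",
                    "message": "query must include a p_event_time filter", "results": []}
        offset = int(cursor) if cursor else 0        # cursor encoding is an assumption
        page = self._rows[offset:offset + max_rows]
        end = offset + len(page)
        has_next = end < len(self._rows)
        out: dict[str, Any] = {
            "success": True, "status": "succeeded", "message": "",
            "results": page,
            "has_next_page": has_next,
            "next_cursor": str(end) if has_next else None,
            "column_info": {"p_event_time": "TIMESTAMP_NTZ", "sourceipaddress": "VARCHAR",
                            "errorcode": "VARCHAR"},
            "stats": {"execution_time_ms": 1, "bytes_scanned": 0},
        }
        if cursor is None:  # truncation fields are only reported on the non-paginated first call
            out["results_truncated"] = has_next
            out["total_rows_available"] = len(self._rows)
        return out


def fetch_all(lake: FakeDataLake, sql: str, max_rows: int = 3,
              max_pages: int = 100) -> tuple[list[dict[str, Any]], int]:
    """First call without a cursor, then follow next_cursor until has_next_page is False.
    max_pages bounds the loop so a misbehaving cursor cannot spin forever."""
    rows: list[dict[str, Any]] = []
    cursor: Optional[str] = None
    pages = 0
    while True:
        resp = lake.query(sql, max_rows=max_rows, cursor=cursor)
        if not resp.get("success"):
            raise RuntimeError(f"query failed: {resp.get('status')}: {resp.get('message')}")
        rows.extend(resp["results"])
        pages += 1
        if not resp.get("has_next_page") or pages >= max_pages:
            return rows, pages
        cursor = resp["next_cursor"]


def ip_activity_summary(rows: list[dict[str, Any]]) -> dict[str, int]:
    """Client-side equivalent of the GROUP BY in QUERY, run over the drained pages."""
    counts: dict[str, int] = {}
    for row in rows:
        counts[row["sourceipaddress"]] = counts.get(row["sourceipaddress"], 0) + 1
    return counts


if __name__ == "__main__":
    lake = FakeDataLake(SAMPLE_ROWS)
    all_rows, page_count = fetch_all(lake, QUERY, max_rows=3)
    print(f"{len(all_rows)} rows over {page_count} pages:", ip_activity_summary(all_rows))
```

The max_pages bound is worth keeping in a real client: the tool's contract relies on has_next_page eventually turning False, and a loop that trusts next_cursor unconditionally has no other way to stop.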

Common Examples:

  • Recent failed logins: "SELECT * FROM panther_logs.public.aws_cloudtrail WHERE p_occurs_since('1 d') AND errorcode IS NOT NULL"

  • IP activity summary: "SELECT sourceipaddress, COUNT(*) FROM panther_logs.public.aws_cloudtrail WHERE p_occurs_since('6 h') GROUP BY sourceipaddress"

  • User correlation: "SELECT * FROM panther_logs.public.aws_cloudtrail WHERE p_occurs_since('2 h') AND ARRAY_CONTAINS('user@domain.com'::VARIANT, p_any_emails)"

  • Nested field access: "SELECT p_enrichment:ipinfo_privacy:"context.ip_address" FROM table WHERE p_occurs_since('1 h')"

Query Syntax (Snowflake SQL):

  • Access nested JSON: column:field.subfield

  • Quote special characters: column:"field name" or p_enrichment:"context.ip_address"

  • Array searches: ARRAY_CONTAINS('value'::VARIANT, array_column)

Returns: Dict with query results:

  • results: List of matching rows (paginated based on cursor parameter)

  • results_truncated: True if results were truncated (only for non-paginated requests)

  • total_rows_available: Total rows found (for non-paginated requests)

  • has_next_page: True if more results are available

  • next_cursor: Cursor for next page (use in subsequent call)

  • column_info: Column names and data types

  • stats: Query performance metrics (execution time, bytes scanned)

  • success/status/message: Query execution status

Permissions: {'all_of': ['Query Data Lake']}

Input Schema

Name          | Required | Description | Default
sql           | Yes      | The SQL query to execute. Must include a p_event_time filter condition after WHERE or AND. The query must be compatible with Snowflake SQL. |
database_name | No       |  | panther_logs.public
timeout       | No       | Timeout in seconds before the SQL query is cancelled. If the query fails due to timeout, the caller should consider a longer timeout. |
max_rows      | No       | Maximum number of result rows to return (prevents context overflow) |
cursor        | No       | Optional pagination cursor from previous query to fetch next page of results |

Output Schema

No arguments

Behavior: 4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

The description adds significant behavioral context beyond the readOnlyHint annotation. It explains performance requirements (time filter is 'REQUIRED'), provides detailed pagination behavior, describes query syntax (Snowflake SQL), and outlines return structure. While annotations already indicate it's read-only, the description enriches understanding with practical constraints and operational details that aren't captured in structured fields.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 3/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is comprehensive but lengthy and could be more front-loaded. While all content is valuable (macros, best practices, examples, syntax, returns), it's presented as a dense block. The core purpose is clear in the first sentence, but subsequent sections could be better organized or summarized for quicker scanning by an AI agent.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (SQL querying with performance constraints, pagination, specific syntax) and the presence of both annotations and output schema, the description is remarkably complete. It covers purpose, usage guidelines, behavioral details, parameter context, examples, and return structure. The output schema means the description doesn't need to explain return values in detail, and it appropriately focuses on operational guidance.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 80% schema description coverage, the baseline is 3, but the description adds substantial value. It provides extensive context about the 'sql' parameter (time filter requirements, Panther macros, best practices, examples, syntax), explains pagination behavior related to the 'cursor' parameter, and offers performance guidance relevant to 'timeout' and 'max_rows'. This goes well beyond what the schema descriptions provide.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Query Panther's security data lake using SQL for log analysis and threat hunting.' This specifies the verb ('query'), resource ('Panther's security data lake'), and context ('log analysis and threat hunting'), distinguishing it from all sibling tools which focus on alerts, detections, users, and other administrative functions rather than direct data lake querying.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides explicit guidance on when to use this tool: for SQL-based log analysis and threat hunting. It also includes detailed 'Best Practices' and 'Common Examples' sections that guide effective usage, such as starting with summary queries and using time filters. While it doesn't name specific alternatives, the context of sibling tools (which are all about managing alerts, detections, users, etc.) makes it clear this is the primary data querying tool.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.


MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/panther-labs/mcp-panther'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.