Write detections, investigate alerts, and query logs from your favorite AI agents
Configuration
{
  "mcpServers": {
    "panther-labs-mcp-panther": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "-e",
        "PANTHER_INSTANCE_URL",
        "-e",
        "PANTHER_API_TOKEN",
        "--rm",
        "ghcr.io/panther-labs/mcp-panther"
      ],
      "env": {
        "MCP_HOST": "0.0.0.0",
        "MCP_PORT": "8000",
        "LOG_LEVEL": "INFO",
        "MCP_TRANSPORT": "streamable-http",
        "PANTHER_API_TOKEN": "YOUR-API-KEY",
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain"
      }
    }
  }
}

You can harness Panther's Model Context Protocol (MCP) server to write and tune detections from your IDE, query security logs with natural language, and triage or resolve alerts at scale. This server exposes tools to interact with alerts, data lake logs, scheduled queries, detections, and user access, making it easy to automate security workflows and accelerate investigations.
Start by configuring your MCP client to connect to the Panther MCP server. You will typically run the MCP server locally or in a secure workspace and connect your MCP client to the server endpoint. Use the provided tools to list, query, and act on alerts; run data-lake queries for context; and fetch or update detections and policies. If you need interactive triage or AI-assisted analysis, initiate AI triage on a specific alert and retrieve summaries for rapid understanding.
Common workflows include: creating or updating alert comments after an investigation, starting AI-assisted triage to get insights, querying recent or high-severity alerts, and pulling event data from the data lake to correlate with alerts. You can also manage detections and policies by listing, viewing details, or disabling rules if needed. Use the data-models and log-type schemas to ensure your parsers and rules align with your log sources.
Prerequisites: you need Docker for the recommended installation, or you can use UVX for a Python-based workflow. You should also have the Panther instance URL and an API token with appropriate permissions.
Option 1: Docker (recommended)
Create the MCP server configuration using the Docker command shown above and run it to start the MCP server. The container runs the mcp-panther image with your Panther instance URL and API token.
Environment variables you will typically configure include PANTHER_INSTANCE_URL and PANTHER_API_TOKEN. When running the server, you can choose the transport method (stdio for local development or streamable-http for a persistent web service). For production, pin to a specific image tag to ensure stability.
The server supports multiple transport options. STDIO runs locally via a command and arguments, while streamable-http exposes a persistent HTTP endpoint. If you encounter port conflicts, adjust MCP_PORT or use a different port as described in the troubleshooting guidance.
Apply least-privilege access for Panther API tokens, bind tokens to an IP allow-list or CIDR range, rotate credentials regularly, and run the MCP server in a locked-down environment with read-only mounts when possible. Monitor credential access and use only officially signed MCP server components.
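As an added example (not from Panther's documentation), here is the stdio configuration from above with the hardening in this section applied: the image is pinned to a tag, the container gets a read-only root filesystem with a tmpfs for scratch space, all capabilities are dropped and privilege escalation is disabled, and only the two PANTHER_* variables are forwarded into the container. PINNED-TAG is a placeholder for a tag you have verified; the example assumes the server uses stdio when MCP_TRANSPORT is not set, and it drops MCP_HOST, MCP_PORT and MCP_TRANSPORT because docker only forwards variables named with -e, so those entries in the original env block never reach the container anyway.

```json
{
  "mcpServers": {
    "panther-labs-mcp-panther": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--read-only",
        "--tmpfs=/tmp",
        "--cap-drop=ALL",
        "--security-opt=no-new-privileges",
        "--pids-limit=64",
        "-e",
        "PANTHER_INSTANCE_URL",
        "-e",
        "PANTHER_API_TOKEN",
        "ghcr.io/panther-labs/mcp-panther:PINNED-TAG"
      ],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-API-KEY"
      }
    }
  }
}
```

If you switch to streamable-http, add -e MCP_TRANSPORT, -e MCP_HOST and -e MCP_PORT together with a -p port mapping, and prefer a loopback MCP_HOST over 0.0.0.0 unless the endpoint must be reachable from other hosts.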
If you see connection or authentication errors, verify that the Panther instance URL and API token are correct and that the MCP server is reachable at the configured endpoint. Check server logs for clues about failed tool actions (such as missing permissions) and confirm the MCP transport and port are correctly configured.
Example tasks include requesting an AI triage summary for a specific alert, listing recent high-severity alerts, or querying the data lake for a failed login pattern within a given time window. When configuring clients, ensure the MCP server endpoint uses the correct protocol (http/https for transport as appropriate) and that the MCP client is refreshed after server restarts.
Add a comment to a Panther alert
Start an AI-powered triage analysis for a Panther alert with intelligent insights and recommendations
Retrieve the latest AI triage summary previously generated for a specific alert
Get detailed information about a specific alert
Get a small sampling of events for a given alert
List alerts with comprehensive filtering options (date range, severity, status, etc.)
Bulk update multiple alerts with status, assignee, and/or comment changes
Update the assignee of one or more alerts
Update the status of one or more alerts
List all comments for a specific alert
Execute SQL queries against Panther's data lake with synchronous results
Get schema information for a specific table
List all available data lake databases in Panther
List all available tables for a specific database in Panther's data lake
Analyze patterns and relationships across multiple alerts by aggregating their event data into time-based statistics
List all scheduled queries with pagination support
Get detailed information about a specific scheduled query by ID
List log sources with optional filters (health status, log types, integration type)
Get detailed information about a specific HTTP log source by ID
List detections from Panther with comprehensive filtering support
Get detailed information about a specific detection including the detection body and tests
Disable a detection by setting enabled to false
List global helper functions with comprehensive filtering options
Get detailed information and complete Python code for a specific global helper
List data models that control UDM mappings in rules
Get detailed information about a specific data model
List available log type schemas with optional filters
Get detailed information for specific log type schemas
Get metrics about alerts grouped by rule
Get metrics about alerts grouped by severity
Get data ingestion metrics by log type and source
List all Panther user accounts with pagination support
Get detailed information about a specific user
Get the current user's permissions
List all roles with filtering options
Get detailed information about a specific role including permissions