by panther-labs • Analytics & Monitoring
An MCP server that exposes Panther security platform capabilities—alerts, data lake queries, detections, sources, metrics, and user/role management—to AI agents and developer tools.
Retrieve, triage, comment on, or update Panther alerts programmatically (including AI-powered triage summaries).
Run synchronous SQL queries against Panther's data lake and inspect table schemas or aggregate alert event data.
Manage detections, scheduled queries, log sources, and user/role metadata within a Panther deployment.
Panther MCP Server is an open-source Model Context Protocol (MCP) adapter that lets AI agents and IDE integrations interact with a Panther instance. It provides tools for writing and tuning detections, querying log data via SQL, triaging alerts with AI-assisted analysis, and managing users, roles, and scheduled queries. The server can run locally (stdio) or as an HTTP service and is distributed as a Docker image and a UVX/uvx package for easy integration. It requires a Panther instance URL and API token to operate, enabling secure, policy-scoped access to Panther data and actions.
Add a comment to a Panther alert. Comments support Markdown formatting.
Returns: Dict containing:
- success: Boolean indicating if the comment was added successfully
- comment: Created comment information if successful
- message: Error message if unsuccessful
Permissions: {'all_of': ['Manage Alerts']}
Bulk update multiple alerts with status, assignee, and/or comment changes. This tool allows you to efficiently update multiple alerts at once by setting their status, assignee, and adding a comment. At least one of status, assignee_id, or comment must be provided.
Returns: Dict containing:
- success: Boolean indicating overall success
- results: Dict with operation results:
  - status_updates: List of alert IDs successfully updated with new status
  - assignee_updates: List of alert IDs successfully updated with new assignee
  - comments_added: List of alert IDs that successfully received comments
  - failed_operations: List of failed operations with error details
- summary: Dict with counts of successful and failed operations
- message: Error message if unsuccessful
Permissions: {'all_of': ['Manage Alerts']}
Disable a Panther detection by setting enabled to false.
Permissions: {'any_of': ['Manage Rules', 'Manage Policies']}
Retrieve the latest AI triage summary for a specific Panther alert. This tool retrieves the most recently generated AI triage analysis for an alert. It fetches the list of AI inference stream IDs associated with the alert, then retrieves the response text for the latest stream.
Returns: Dict containing:
- success: Boolean indicating if retrieval was successful
- summary: The latest AI triage summary containing:
  - stream_id: The unique stream identifier
  - response_text: The AI-generated triage summary
  - finished: Whether the triage generation completed
  - error: Any error message if present
- message: Error message if unsuccessful
Permissions: {'all_of': ['Run Panther AI']}
Get detailed information about a specific Panther alert by ID.
Permissions: {'all_of': ['Read Alerts']}
Performs detailed actor-based analysis and prioritization in the specified time period (YYYY-MM-DD HH:MM:SSZ format).
Find detection rule errors between the specified dates (YYYY-MM-DD HH:MM:SSZ format) and perform root cause analysis.
Generates a monthly report on the health of all Panther log sources for a given month and year, and triages any unhealthy sources.
Generates a comprehensive detection quality report by analyzing alert data for a given month and year to identify problematic rules and opportunities for improvement, including alerts, detection errors, and system errors.
Performs an exhaustive investigation of a specific actor’s activity, including both alerted and non-alerted events, and produces a comprehensive final report with confidence assessment.
Get the Panther configuration.