Panther MCP Server

1# Panther MCP Server
2 
3[![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)
4 
5Panther's Model Context Protocol (MCP) server provides functionality to:
6 
71. **Write and tune detections from your IDE**
82. **Interactively query security logs using natural language**
93. **Triage, comment, and resolve one or many alerts**
10 
11<a href="https://glama.ai/mcp/servers/@panther-labs/mcp-panther">
12  <img width="380" height="200" src="https://glama.ai/mcp/servers/@panther-labs/mcp-panther/badge" alt="Panther Server MCP server" />
13</a>
14 
15## Available Tools
16 
17<details>
18<summary><strong>Alerts</strong></summary>
19 
20| Tool Name | Description | Sample Prompt |
21|-----------|-------------|---------------|
22| `add_alert_comment` | Add a comment to a Panther alert | "Add comment 'Looks pretty bad' to alert abc123" |
23| `start_ai_alert_triage` | Start an AI-powered triage analysis for a Panther alert with intelligent insights and recommendations | "Start AI triage for alert abc123" / "Generate a detailed AI analysis of alert def456" |
24| `get_ai_alert_triage_summary` | Retrieve the latest AI triage summary previously generated for a specific alert | "Get the AI triage summary for alert abc123" / "Show me the AI analysis for alert def456" |
25| `get_alert` | Get detailed information about a specific alert | "What's the status of alert 8def456?" |
26| `get_alert_events` | Get a small sampling of events for a given alert | "Show me events associated with alert 8def456" |
27| `list_alerts` | List alerts with comprehensive filtering options (date range, severity, status, etc.) | "Show me all high severity alerts from the last 24 hours" |
28| `bulk_update_alerts` | Bulk update multiple alerts with status, assignee, and/or comment changes | "Update alerts abc123, def456, and ghi789 to resolved status and add comment 'Fixed'" |
29| `update_alert_assignee` | Update the assignee of one or more alerts | "Assign alerts abc123 and def456 to John" |
30| `update_alert_status` | Update the status of one or more alerts | "Mark alerts abc123 and def456 as resolved" |
31| `list_alert_comments` | List all comments for a specific alert | "Show me all comments for alert abc123" |
32 
33</details>
34 
35<details>
36<summary><strong>Data Lake</strong></summary>
37 
38| Tool Name | Description | Sample Prompt |
39|-----------|-------------|---------------|
40| `query_data_lake` | Execute SQL queries against Panther's data lake with synchronous results | "Query AWS CloudTrail logs for failed login attempts in the last day" |
41| `get_table_schema` | Get schema information for a specific table | "Show me the schema for the AWS_CLOUDTRAIL table" |
42| `list_databases` | List all available data lake databases in Panther | "List all available databases" |
43| `list_database_tables` | List all available tables for a specific database in Panther's data lake | "What tables are in the panther_logs database" |
44| `get_alert_event_stats` | Analyze patterns and relationships across multiple alerts by aggregating their event data into time-based statistics | "Show me patterns in events from alerts abc123 and def456" |
45 
46</details>
47 
48<details>
49<summary><strong>Scheduled Queries</strong></summary>
50 
51| Tool Name | Description | Sample Prompt |
52|-----------|-------------|---------------|
53| `list_scheduled_queries` | List all scheduled queries with pagination support | "Show me all scheduled queries" / "List the first 25 scheduled queries" |
54| `get_scheduled_query` | Get detailed information about a specific scheduled query by ID | "Get details for scheduled query 'weekly-security-report'" |
55 
56</details>
57 
58<details>
59<summary><strong>Sources</strong></summary>
60 
61| Tool Name | Description | Sample Prompt |
62|-----------|-------------|---------------|
63| `list_log_sources` | List log sources with optional filters (health status, log types, integration type) | "Show me all healthy S3 log sources" |
64| `get_http_log_source` | Get detailed information about a specific HTTP log source by ID | "Show me the configuration for HTTP source 'webhook-collector-123'" |
65 
66</details>
67 
68<details>
69<summary><strong>Detections</strong></summary>
70 
71| Tool Name | Description | Sample Prompt |
72|-----------|-------------|---------------|
73| `list_detections` | List detections from Panther with comprehensive filtering support. Supports multiple detection types and filtering by name, state, severity, tags, log types, resource types, output IDs (destinations), and more. Returns outputIDs for each detection showing configured alert destinations | "Show me all enabled HIGH severity rules with tag 'AWS'" / "List disabled policies for S3 resources" / "Find all rules with outputID 'prod-slack'" / "Show me detections that alert to production destinations" |
74| `get_detection` | Get detailed information about a specific detection including the detection body and tests. Accepts a list with one detection type: ["rules"], ["scheduled_rules"], ["simple_rules"], or ["policies"] | "Get details for rule ID abc123" / "Get details for policy ID AWS.S3.Bucket.PublicReadACP" |
75| `disable_detection` | Disable a detection by setting enabled to false. Supports rules, scheduled_rules, simple_rules, and policies | "Disable rule abc123" / "Disable policy AWS.S3.Bucket.PublicReadACP" |
76 
77</details>
78 
79<details>
80<summary><strong>Global Helpers</strong></summary>
81 
82| Tool Name | Description | Sample Prompt |
83|-----------|-------------|---------------|
84| `list_global_helpers` | List global helper functions with comprehensive filtering options (name search, creator, modifier) | "Show me global helpers containing 'aws' in the name" |
85| `get_global_helper` | Get detailed information and complete Python code for a specific global helper | "Get the complete code for global helper 'AWSUtilities'" |
86 
87</details>
88 
89<details>
90<summary><strong>Data Models</strong></summary>
91 
92| Tool Name | Description | Sample Prompt |
93|-----------|-------------|---------------|
94| `list_data_models` | List data models that control UDM mappings in rules | "Show me all data models for log parsing" |
95| `get_data_model` | Get detailed information about a specific data model | "Get the complete details for the 'AWS_CloudTrail' data model" |
96 
97</details>
98 
99<details>
100<summary><strong>Schemas</strong></summary>
101 
102| Tool Name | Description | Sample Prompt |
103|-----------|-------------|---------------|
104| `list_log_type_schemas` | List available log type schemas with optional filters | "Show me all AWS-related schemas" |
105| `get_log_type_schema_details` | Get detailed information for specific log type schemas | "Get full details for AWS.CloudTrail schema" |
106 
107</details>
108 
109<details>
110<summary><strong>Metrics</strong></summary>
111 
112| Tool Name | Description | Sample Prompt |
113|-----------|-------------|---------------|
114| `get_rule_alert_metrics` | Get metrics about alerts grouped by rule | "Show top 10 rules by alert count" |
115| `get_severity_alert_metrics` | Get metrics about alerts grouped by severity | "Show alert counts by severity for the last week" |
116| `get_bytes_processed_metrics` | Get data ingestion metrics by log type and source | "Show me data ingestion volume by log type" |
117 
118</details>
119 
120<details>
121<summary><strong>Users & Access Management</strong></summary>
122 
123| Tool Name | Description | Sample Prompt |
124|-----------|-------------|---------------|
125| `list_users` | List all Panther user accounts with pagination support | "Show me all active Panther users" / "List the first 25 users" |
126| `get_user` | Get detailed information about a specific user | "Get details for user ID '<john.doe@company.com>'" |
127| `get_permissions` | Get the current user's permissions | "What permissions do I have?" |
128| `list_roles` | List all roles with filtering options (name search, role IDs, sort direction) | "Show me all roles containing 'Admin' in the name" |
129| `get_role` | Get detailed information about a specific role including permissions | "Get complete details for the 'Admin' role" |
130 
131</details>
132 
133## Panther Configuration
134 
135**Follow these steps to configure your API credentials and environment.**
136 
1371. Create an API token in Panther:
138   - Navigate to Settings (gear icon) → API Tokens
139   - Create a new token with the following permissions (recommended read-only approach to start):
140   - <details>
141     <summary><strong>View Required Permissions</strong></summary>
142 
143     ![Screenshot of Panther Token permissions](.github/panther-token-perms-1.png)
144     ![Screenshot of Panther Token permissions](.github/panther-token-perms-2.png)
145 
146     </details>
147 
1482. Store the generated token securely (e.g., 1Password)
149 
1503. Copy the Panther instance URL from your browser (e.g., `https://YOUR-PANTHER-INSTANCE.domain`)
151    - Note: This must include `https://`
152 
153## MCP Server Installation
154 
155**Choose one of the following installation methods:**
156 
157### Docker (Recommended)
158 
159The easiest way to get started is using our pre-built Docker image:
160 
161```json
162{
163  "mcpServers": {
164    "mcp-panther": {
165      "command": "docker",
166      "args": [
167        "run",
168        "-i",
169        "-e", "PANTHER_INSTANCE_URL",
170        "-e", "PANTHER_API_TOKEN",
171        "--rm",
172        "ghcr.io/panther-labs/mcp-panther"
173      ],
174      "env": {
175        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
176        "PANTHER_API_TOKEN": "YOUR-API-KEY"
177      }
178    }
179  }
180}
181```
182 
183**Version Pinning:** For production stability, pin to a specific version tag:
184 
185```json
186"ghcr.io/panther-labs/mcp-panther:v2.2.0"
187```
188 
189Available tags can be found on the [GitHub Container Registry](https://github.com/panther-labs/mcp-panther/pkgs/container/mcp-panther).
190 
191### UVX
192 
193For Python users, you can run directly from PyPI using uvx:
194 
1951. [Install UV](https://docs.astral.sh/uv/getting-started/installation/)
196 
1972. Configure your MCP client:
198 
199```json
200{
201  "mcpServers": {
202    "mcp-panther": {
203      "command": "uvx",
204      "args": ["mcp-panther"],
205      "env": {
206        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
207        "PANTHER_API_TOKEN": "YOUR-PANTHER-API-TOKEN"
208      }
209    }
210  }
211}
212```
213 
214**Version Pinning:** For production stability, pin to a specific version:
215 
216```json
217"args": ["mcp-panther==2.2.0"]
218```
219 
220Available versions can be found on [PyPI](https://pypi.org/project/mcp-panther/).
221 
222## MCP Client Setup
223 
224### Cursor
225 
226[Follow the instructions here](https://docs.cursor.com/context/model-context-protocol#configuring-mcp-servers) to configure your project or global MCP configuration. **It's VERY IMPORTANT that you do not check this file into version control.**
227 
228Once configured, navigate to Cursor Settings > MCP to view the running server:
229 
230<img src=".github/panther-mcp-cursor-config.png" width="500" alt="Cursor MCP Configuration Screenshot" />
231 
232**Tips:**
233 
234- Be specific about where you want to generate new rules by using the `@` symbol and then typing a specific directory.
235- For more reliability during tool use, try selecting a specific model, like Claude 3.7 Sonnet.
236- If your MCP Client is failing to find any tools from the Panther MCP Server, try restarting the Client and ensuring the MCP server is running. In Cursor, refresh the MCP Server and start a new chat.
237 
238### Claude Code
239 
240[Claude Code](https://code.claude.com/docs) is Anthropic's official CLI tool. Add the Panther MCP server using Docker:
241 
242```bash
243claude mcp add-json panther '{
244  "command": "docker",
245  "args": [
246    "run",
247    "-i",
248    "-e", "PANTHER_INSTANCE_URL",
249    "-e", "PANTHER_API_TOKEN",
250    "--rm",
251    "ghcr.io/panther-labs/mcp-panther"
252  ],
253  "env": {
254    "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
255    "PANTHER_API_TOKEN": "YOUR-API-TOKEN"
256  }
257}'
258```
259 
260Alternatively, using UVX:
261 
262```bash
263claude mcp add-json panther '{
264  "command": "uvx",
265  "args": ["mcp-panther"],
266  "env": {
267    "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
268    "PANTHER_API_TOKEN": "YOUR-API-TOKEN"
269  }
270}'
271```
272 
273After adding, verify the server is configured:
274 
275```bash
276claude mcp list
277```
278 
279### Claude Desktop
280 
281To use with Claude Desktop, manually configure your `claude_desktop_config.json`:
282 
2831. Open the Claude Desktop settings and navigate to the Developer tab
2842. Click "Edit Config" to open the configuration file
2853. Add the following configuration:
286 
287```json
288{
289  "mcpServers": {
290    "mcp-panther": {
291      "command": "uvx",
292      "args": ["mcp-panther"],
293      "env": {
294        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
295        "PANTHER_API_TOKEN": "YOUR-PANTHER-API-TOKEN"
296      }
297    }
298  }
299}
300```
301 
3024. Save the file and restart Claude Desktop
303 
304If you run into any issues, [try the troubleshooting steps here](https://modelcontextprotocol.io/quickstart/user#troubleshooting).
305 
306### Goose CLI
307 
308Use with [Goose CLI](https://block.github.io/goose/docs/getting-started/installation/), Block's open-source AI agent:
309 
310```bash
311# Start Goose with the MCP server
312goose session --with-extension "uvx mcp-panther"
313```
314 
315### Goose Desktop
316 
317Use with [Goose Desktop](https://block.github.io/goose/docs/getting-started/installation/), Block's open-source AI agent:
318 
319From 'Extensions' -> 'Add custom extension' provide your configuration information.
320 
321<img src=".github/panther-mcp-goose-desktop-config.png" width="500" />
322 
323## Running the Server
324 
325The MCP Panther server supports multiple transport protocols:
326 
327### STDIO (Default)
328 
329For local development and MCP client integration:
330 
331```bash
332uv run python -m mcp_panther.server
333```
334 
335### Streamable HTTP
336 
337For running as a persistent web service, use the HTTP transport. This is ideal for:
338- Long-running server deployments
339- Multiple clients connecting to the same server
340- Testing and debugging with continuous log monitoring
341 
342#### Using Docker Run (Detached)
343 
344```bash
345docker run -d \
346  --name panther-mcp-server \
347  -p 8000:8000 \
348  -e PANTHER_INSTANCE_URL=https://YOUR-PANTHER-INSTANCE.domain \
349  -e PANTHER_API_TOKEN=YOUR-API-TOKEN \
350  -e MCP_TRANSPORT=streamable-http \
351  -e MCP_HOST=0.0.0.0 \
352  -e MCP_PORT=8000 \
353  -e LOG_LEVEL=INFO \
354  --restart unless-stopped \
355  ghcr.io/panther-labs/mcp-panther:latest
356```
357 
358#### Using Docker Compose (Recommended)
359 
360Create a `docker-compose.yml` file:
361 
362```yaml
363services:
364  panther-mcp:
365    image: ghcr.io/panther-labs/mcp-panther:latest
366    container_name: panther-mcp-server
367    ports:
368      - "8000:8000"
369    environment:
370      - PANTHER_INSTANCE_URL=https://YOUR-PANTHER-INSTANCE.domain
371      - PANTHER_API_TOKEN=YOUR-API-TOKEN
372      - MCP_TRANSPORT=streamable-http
373      - MCP_HOST=0.0.0.0
374      - MCP_PORT=8000
375      - LOG_LEVEL=INFO
376    restart: unless-stopped
377```
378 
379Start the server:
380 
381```bash
382# Start in detached mode
383docker-compose up -d
384 
385# View logs
386docker-compose logs -f
387 
388# Stop the server
389docker-compose down
390```
391 
392#### Connecting Claude Code to HTTP Server
393 
394**Important:** The server runs on HTTP (not HTTPS). Configure Claude Code with the `http://` URL:
395 
396```bash
397# Add the HTTP endpoint (note: http:// not https://)
398claude mcp add-json panther-http '{
399  "url": "http://localhost:8000/mcp"
400}'
401 
402# Verify configuration
403claude mcp list
404```
405 
406#### Testing the Connection
407 
408```bash
409# Test the HTTP endpoint
410curl http://localhost:8000/mcp
411 
412# View server logs
413docker logs -f panther-mcp-server
414# Or with docker-compose:
415docker-compose logs -f
416```
417 
418You can also test using the FastMCP client:
419 
420```python
421import asyncio
422from fastmcp import Client
423 
424async def test_connection():
425    async with Client("http://localhost:8000/mcp") as client:
426        tools = await client.list_tools()
427        print(f"Available tools: {len(tools)}")
428 
429asyncio.run(test_connection())
430```
431 
432#### Troubleshooting Streamable HTTP
433 
434**Port Already in Use**
435 
436If you see `Bind for 0.0.0.0:8000 failed: port is already allocated`:
437 
438```bash
439# Check what's using the port
440lsof -i :8000
441 
442# Stop conflicting containers
443docker ps | grep panther
444docker stop <container-id>
445 
446# Or use a different port via MCP_PORT environment variable:
447-e MCP_PORT=8080
448# Then connect to: http://localhost:8080/mcp
449```
450 
451**Invalid HTTP Request Warnings**
452 
453If you see `WARNING: Invalid HTTP request received` in the logs, this usually means:
454- Claude Code is trying to connect via HTTPS instead of HTTP
455- Check your configuration uses `http://` not `https://`
456- Verify with: `claude mcp list`
457 
458### Environment Variables
459 
460- `MCP_TRANSPORT`: Set transport type (`stdio` or `streamable-http`)
461- `MCP_PORT`: Port for HTTP transport (default: 3000)
462- `MCP_HOST`: Host for HTTP transport (default: 127.0.0.1)
463- `MCP_LOG_FILE`: Log file path (optional)
464 
465## Security Best Practices
466 
467We highly recommends the following MCP security best practices:
468 
469- **Apply strict least-privilege to Panther API tokens.** Scope tokens to the minimal permissions required and bind them to an IP allow-list or CIDR range so they're useless if exfiltrated. Rotate credentials on a preferred interval (e.g., every 30d).
470- **Host the MCP server in a locked-down sandbox (e.g., Docker) with read-only mounts.** This confines any compromise to a minimal blast radius.
471- **Monitor credential access to Panther and monitor for anomalies.** Write a Panther rule!
472- **Run only trusted, officially signed MCP servers.** Verify digital signatures or checksums before running, audit the tool code, and avoid community tools from unofficial publishers.
473 
474## Troubleshooting
475 
476Check the server logs for detailed error messages: `tail -n 20 -F ~/Library/Logs/Claude/mcp*.log`. Common issues and solutions are listed below.
477 
478### Running tools
479 
480- If you get a `{"success": false, "message": "Failed to [action]: Request failed (HTTP 403): {\"error\": \"forbidden\"}"}` error, it likely means your API token lacks the particular permission needed by the tool.
481- Ensure your Panther Instance URL is correctly set. You can view this in the `config://panther` resource from your MCP Client.
482 
483## Contributing
484 
485We welcome contributions to improve MCP-Panther! Here's how you can help:
486 
4871. **Report Issues**: Open an issue for any bugs or feature requests
4882. **Submit Pull Requests**: Fork the repository and submit PRs for bug fixes or new features
4893. **Improve Documentation**: Help us make the documentation clearer and more comprehensive
4904. **Share Use Cases**: Let us know how you're using MCP-Panther and what could make it better
491 
492Please ensure your contributions follow our coding standards and include appropriate tests and documentation.
493 
494## Contributors
495 
496This project exists thanks to all the people who contribute. Special thanks to [Tomasz Tchorz](https://github.com/tomasz-sq) and [Glenn Edwards](https://github.com/glenn-sq) from [Block](https://block.xyz), who played a core role in launching MCP-Panther as a joint open-source effort with Panther.
497 
498See our [CONTRIBUTORS.md](.github/CONTRIBUTORS.md) for a complete list of contributors.
499 
500## License
501 
502This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
503