
Panther Labs

Organization
panther-labs

Write detections, investigate alerts, and query logs from your favorite AI agents

Publisher: panther-labs
Repository: mcp-panther
Language: Python
Forks: 16
Stars: 44
Available tools: 0
Transport type: stdio
License: Apache-2.0
  • Connect tools to AI workflows

    Panther Labs exposes MCP capabilities that can be used by compatible AI clients and agents.

  • 0 available tools

    Browse the callable actions below, including names and descriptions when provided by the server.

  • Ready-to-copy setup

    Use the installation snippets to configure this server in your preferred MCP client.

  • Open source signals

    44 stars and 16 forks from the linked repository.

Panther MCP Server


Panther's Model Context Protocol (MCP) server provides functionality to:

  1. Write and tune detections from your IDE
  2. Interactively query security logs using natural language
  3. Triage, comment, and resolve one or many alerts

Available Tools

Tool Name | Description | Sample Prompt
add_alert_comment | Add a comment to a Panther alert | "Add comment 'Looks pretty bad' to alert abc123"
start_ai_alert_triage | Start an AI-powered triage analysis for a Panther alert with intelligent insights and recommendations | "Start AI triage for alert abc123" / "Generate a detailed AI analysis of alert def456"
get_ai_alert_triage_summary | Retrieve the latest AI triage summary previously generated for a specific alert | "Get the AI triage summary for alert abc123" / "Show me the AI analysis for alert def456"
get_alert | Get detailed information about a specific alert | "What's the status of alert 8def456?"
get_alert_events | Get a small sampling of events for a given alert | "Show me events associated with alert 8def456"
list_alerts | List alerts with comprehensive filtering options (date range, severity, status, etc.) | "Show me all high severity alerts from the last 24 hours"
bulk_update_alerts | Bulk update multiple alerts with status, assignee, and/or comment changes | "Update alerts abc123, def456, and ghi789 to resolved status and add comment 'Fixed'"
update_alert_assignee | Update the assignee of one or more alerts | "Assign alerts abc123 and def456 to John"
update_alert_status | Update the status of one or more alerts | "Mark alerts abc123 and def456 as resolved"
list_alert_comments | List all comments for a specific alert | "Show me all comments for alert abc123"

Tool Name | Description | Sample Prompt
query_data_lake | Execute SQL queries against Panther's data lake with synchronous results | "Query AWS CloudTrail logs for failed login attempts in the last day"
get_table_schema | Get schema information for a specific table | "Show me the schema for the AWS_CLOUDTRAIL table"
list_databases | List all available data lake databases in Panther | "List all available databases"
list_database_tables | List all available tables for a specific database in Panther's data lake | "What tables are in the panther_logs database"
get_alert_event_stats | Analyze patterns and relationships across multiple alerts by aggregating their event data into time-based statistics | "Show me patterns in events from alerts abc123 and def456"

Tool Name | Description | Sample Prompt
list_scheduled_queries | List all scheduled queries with pagination support | "Show me all scheduled queries" / "List the first 25 scheduled queries"
get_scheduled_query | Get detailed information about a specific scheduled query by ID | "Get details for scheduled query 'weekly-security-report'"

Tool Name | Description | Sample Prompt
list_log_sources | List log sources with optional filters (health status, log types, integration type) | "Show me all healthy S3 log sources"
get_http_log_source | Get detailed information about a specific HTTP log source by ID | "Show me the configuration for HTTP source 'webhook-collector-123'"

Tool Name | Description | Sample Prompt
list_detections | List detections from Panther with comprehensive filtering support. Supports multiple detection types and filtering by name, state, severity, tags, log types, resource types, output IDs (destinations), and more. Returns outputIDs for each detection showing configured alert destinations | "Show me all enabled HIGH severity rules with tag 'AWS'" / "List disabled policies for S3 resources" / "Find all rules with outputID 'prod-slack'" / "Show me detections that alert to production destinations"
get_detection | Get detailed information about a specific detection including the detection body and tests. Accepts a list with one detection type: ["rules"], ["scheduled_rules"], ["simple_rules"], or ["policies"] | "Get details for rule ID abc123" / "Get details for policy ID AWS.S3.Bucket.PublicReadACP"
disable_detection | Disable a detection by setting enabled to false. Supports rules, scheduled_rules, simple_rules, and policies | "Disable rule abc123" / "Disable policy AWS.S3.Bucket.PublicReadACP"

Tool Name | Description | Sample Prompt
list_global_helpers | List global helper functions with comprehensive filtering options (name search, creator, modifier) | "Show me global helpers containing 'aws' in the name"
get_global_helper | Get detailed information and complete Python code for a specific global helper | "Get the complete code for global helper 'AWSUtilities'"

Tool Name | Description | Sample Prompt
list_data_models | List data models that control UDM mappings in rules | "Show me all data models for log parsing"
get_data_model | Get detailed information about a specific data model | "Get the complete details for the 'AWS_CloudTrail' data model"

Tool Name | Description | Sample Prompt
list_log_type_schemas | List available log type schemas with optional filters | "Show me all AWS-related schemas"
get_log_type_schema_details | Get detailed information for specific log type schemas | "Get full details for AWS.CloudTrail schema"

Tool Name | Description | Sample Prompt
get_rule_alert_metrics | Get metrics about alerts grouped by rule | "Show top 10 rules by alert count"
get_severity_alert_metrics | Get metrics about alerts grouped by severity | "Show alert counts by severity for the last week"
get_bytes_processed_metrics | Get data ingestion metrics by log type and source | "Show me data ingestion volume by log type"

Tool Name | Description | Sample Prompt
list_users | List all Panther user accounts with pagination support | "Show me all active Panther users" / "List the first 25 users"
get_user | Get detailed information about a specific user | "Get details for user ID 'john.doe@company.com'"
get_permissions | Get the current user's permissions | "What permissions do I have?"
list_roles | List all roles with filtering options (name search, role IDs, sort direction) | "Show me all roles containing 'Admin' in the name"
get_role | Get detailed information about a specific role including permissions | "Get complete details for the 'Admin' role"

Panther Configuration

Follow these steps to configure your API credentials and environment.

  1. Create an API token in Panther:

    • Navigate to Settings (gear icon) → API Tokens

    • Create a new token with the following permissions (recommended read-only approach to start):

    • [Screenshot of Panther Token permissions]

  2. Store the generated token securely (e.g., 1Password)

  3. Copy the Panther instance URL from your browser (e.g., https://YOUR-PANTHER-INSTANCE.domain)

    • Note: This must include https://

MCP Server Installation

Choose one of the following installation methods:

Docker (Recommended)

The easiest way to get started is using our pre-built Docker image:

json
{
  "mcpServers": {
    "mcp-panther": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "-e", "PANTHER_INSTANCE_URL",
        "-e", "PANTHER_API_TOKEN",
        "--rm",
        "ghcr.io/panther-labs/mcp-panther"
      ],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-API-KEY"
      }
    }
  }
}

Version Pinning: For production stability, pin to a specific version tag:

json
"ghcr.io/panther-labs/mcp-panther:v2.2.0"

Available tags can be found on the GitHub Container Registry.

UVX

For Python users, you can run directly from PyPI using uvx:

  1. Install UV

  2. Configure your MCP client:

json
{
  "mcpServers": {
    "mcp-panther": {
      "command": "uvx",
      "args": ["mcp-panther"],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-PANTHER-API-TOKEN"
      }
    }
  }
}

Version Pinning: For production stability, pin to a specific version:

json
"args": ["mcp-panther==2.2.0"]

Available versions can be found on PyPI.
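
A check for the two version-pinning notes above, as an added example that is not part of the mcp-panther project: it reads an MCP client config and reports servers whose image or package is unpinned, whose launcher is neither docker nor uvx, or whose PANTHER_API_TOKEN holds a real value instead of a placeholder. The function names and the sample config are constructed for illustration.

```python
import json
import re

IMAGE = "ghcr.io/panther-labs/mcp-panther"   # image name from this page
PACKAGE = "mcp-panther"                      # PyPI package name from this page
# The page's placeholder tokens all look like YOUR-API-KEY / YOUR-PANTHER-API-TOKEN.
PLACEHOLDER = re.compile(r"YOUR-[A-Z-]+")


def audit_server(name, spec):
    """Return findings for one entry under "mcpServers" (stdio launchers only)."""
    findings = []
    command, args = spec.get("command"), spec.get("args", [])
    if command == "docker":
        images = [a for a in args if a.split("@")[0].split(":")[0] == IMAGE]
        if not images:
            findings.append(f"{name}: docker does not run {IMAGE}")
        for image in images:
            # No tag, or the moving "latest" tag, counts as unpinned.
            # A version tag or an @sha256 digest passes.
            if image.partition(":")[2] in ("", "latest"):
                findings.append(f"{name}: image is not pinned to a version tag")
    elif command == "uvx":
        pkgs = [a for a in args if a.split("=")[0] == PACKAGE]
        if not pkgs:
            findings.append(f"{name}: uvx does not run {PACKAGE}")
        for pkg in pkgs:
            if not re.fullmatch(re.escape(PACKAGE) + r"==\d[\w.]*", pkg):
                findings.append(f"{name}: package is not pinned with ==<version>")
    else:
        findings.append(f"{name}: launcher '{command}' is not docker or uvx")
    token = spec.get("env", {}).get("PANTHER_API_TOKEN", "")
    if token and not PLACEHOLDER.fullmatch(token):
        findings.append(f"{name}: live PANTHER_API_TOKEN in file; keep it out of version control")
    return findings


def audit_config(text):
    """Audit every server in an MCP client config given as JSON text."""
    servers = json.loads(text).get("mcpServers", {})
    return [f for name, spec in servers.items() for f in audit_server(name, spec)]


# Constructed sample config (the token value is made up).
SAMPLE = json.dumps({"mcpServers": {
    "docker-default": {
        "command": "docker",
        "args": ["run", "-i", "-e", "PANTHER_INSTANCE_URL", "-e", "PANTHER_API_TOKEN",
                 "--rm", IMAGE],
        "env": {"PANTHER_API_TOKEN": "YOUR-API-KEY"}},
    "docker-pinned": {
        "command": "docker",
        "args": ["run", "-i", "--rm", IMAGE + ":v2.2.0"],
        "env": {"PANTHER_API_TOKEN": "YOUR-API-KEY"}},
    "uvx-pinned": {
        "command": "uvx",
        "args": [PACKAGE + "==2.2.0"],
        "env": {"PANTHER_API_TOKEN": "constructed-example-token"}},
    "uvx-default": {"command": "uvx", "args": [PACKAGE]},
}})

if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print(finding)
```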

MCP Client Setup

Cursor

Follow the instructions here to configure your project or global MCP configuration. It's VERY IMPORTANT that you do not check this file into version control, because it contains your Panther API token.

Once configured, navigate to Cursor Settings > MCP to view the running server:

Tips:

  • Be specific about where you want to generate new rules by using the @ symbol and then typing a specific directory.
  • For more reliability during tool use, try selecting a specific model, like Claude 3.7 Sonnet.
  • If your MCP Client is failing to find any tools from the Panther MCP Server, try restarting the Client and ensuring the MCP server is running. In Cursor, refresh the MCP Server and start a new chat.

Claude Code

Claude Code is Anthropic's official CLI tool. Add the Panther MCP server using Docker:

bash
claude mcp add-json panther '{
  "command": "docker",
  "args": [
    "run",
    "-i",
    "-e", "PANTHER_INSTANCE_URL",
    "-e", "PANTHER_API_TOKEN",
    "--rm",
    "ghcr.io/panther-labs/mcp-panther"
  ],
  "env": {
    "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
    "PANTHER_API_TOKEN": "YOUR-API-TOKEN"
  }
}'

Alternatively, using UVX:

bash
claude mcp add-json panther '{
  "command": "uvx",
  "args": ["mcp-panther"],
  "env": {
    "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
    "PANTHER_API_TOKEN": "YOUR-API-TOKEN"
  }
}'

After adding, verify the server is configured:

bash
claude mcp list

Claude Desktop

To use with Claude Desktop, manually configure your claude_desktop_config.json:

  1. Open the Claude Desktop settings and navigate to the Developer tab
  2. Click "Edit Config" to open the configuration file
  3. Add the following configuration:
json
{
  "mcpServers": {
    "mcp-panther": {
      "command": "uvx",
      "args": ["mcp-panther"],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-PANTHER-API-TOKEN"
      }
    }
  }
}
  4. Save the file and restart Claude Desktop

If you run into any issues, try the troubleshooting steps here.

Goose CLI

Use with Goose CLI, Block's open-source AI agent:

bash
# Start Goose with the MCP server
goose session --with-extension "uvx mcp-panther"

Goose Desktop

Use with Goose Desktop, Block's open-source AI agent:

From 'Extensions' -> 'Add custom extension' provide your configuration information.

Running the Server

The MCP Panther server supports multiple transport protocols:

STDIO (Default)

For local development and MCP client integration:

bash
uv run python -m mcp_panther.server

Streamable HTTP

For running as a persistent web service, use the HTTP transport. This is ideal for:

  • Long-running server deployments
  • Multiple clients connecting to the same server
  • Testing and debugging with continuous log monitoring

Using Docker Run (Detached)

bash
docker run -d \
  --name panther-mcp-server \
  -p 8000:8000 \
  -e PANTHER_INSTANCE_URL=https://YOUR-PANTHER-INSTANCE.domain \
  -e PANTHER_API_TOKEN=YOUR-API-TOKEN \
  -e MCP_TRANSPORT=streamable-http \
  -e MCP_HOST=0.0.0.0 \
  -e MCP_PORT=8000 \
  -e LOG_LEVEL=INFO \
  --restart unless-stopped \
  ghcr.io/panther-labs/mcp-panther:latest

Using Docker Compose (Recommended)

Create a docker-compose.yml file:

yaml
services:
  panther-mcp:
    image: ghcr.io/panther-labs/mcp-panther:latest
    container_name: panther-mcp-server
    ports:
      - "8000:8000"
    environment:
      - PANTHER_INSTANCE_URL=https://YOUR-PANTHER-INSTANCE.domain
      - PANTHER_API_TOKEN=YOUR-API-TOKEN
      - MCP_TRANSPORT=streamable-http
      - MCP_HOST=0.0.0.0
      - MCP_PORT=8000
      - LOG_LEVEL=INFO
    restart: unless-stopped

Start the server:

bash
# Start in detached mode
docker-compose up -d

# View logs
docker-compose logs -f

# Stop the server
docker-compose down

Connecting Claude Code to HTTP Server

Important: The server runs on HTTP (not HTTPS), so traffic between the client and the server is unencrypted. Configure Claude Code with the http:// URL:

bash
# Add the HTTP endpoint (note: http:// not https://)
claude mcp add-json panther-http '{
  "url": "http://localhost:8000/mcp"
}'

# Verify configuration
claude mcp list

Testing the Connection

bash
# Test the HTTP endpoint
curl http://localhost:8000/mcp

# View server logs
docker logs -f panther-mcp-server
# Or with docker-compose:
docker-compose logs -f

You can also test using the FastMCP client:

python
import asyncio
from fastmcp import Client

async def test_connection():
    async with Client("http://localhost:8000/mcp") as client:
        tools = await client.list_tools()
        print(f"Available tools: {len(tools)}")

asyncio.run(test_connection())

Troubleshooting Streamable HTTP

Port Already in Use

If you see Bind for 0.0.0.0:8000 failed: port is already allocated:

bash
# Check what's using the port
lsof -i :8000

# Stop conflicting containers
docker ps | grep panther
docker stop <container-id>

# Or use a different port via the MCP_PORT environment variable,
# by passing this option to docker run:
#   -e MCP_PORT=8080
# Then connect to: http://localhost:8080/mcp

Invalid HTTP Request Warnings

If you see WARNING: Invalid HTTP request received in the logs, this usually means:

  • Claude Code is trying to connect via HTTPS instead of HTTP
  • Check your configuration uses http:// not https://
  • Verify with: claude mcp list

Environment Variables

  • MCP_TRANSPORT: Set transport type (stdio or streamable-http)
  • MCP_PORT: Port for HTTP transport (default: 3000)
  • MCP_HOST: Host for HTTP transport (default: 127.0.0.1)
  • MCP_LOG_FILE: Log file path (optional)

Security Best Practices

We highly recommend the following MCP security best practices:

  • Apply strict least-privilege to Panther API tokens. Scope tokens to the minimal permissions required and bind them to an IP allow-list or CIDR range so they're useless if exfiltrated. Rotate credentials on a preferred interval (e.g., every 30d).
  • Host the MCP server in a locked-down sandbox (e.g., Docker) with read-only mounts. This confines any compromise to a minimal blast radius.
  • Monitor credential access to Panther and monitor for anomalies. Write a Panther rule!
  • Run only trusted, officially signed MCP servers. Verify digital signatures or checksums before running, audit the tool code, and avoid community tools from unofficial publishers.
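
One way to write the rule the third bullet asks for, added here as an example and not taken from Panther's own rule set: it fires when an API token is used from an address outside the CIDR ranges the first bullet says to bind it to. The audit-log field names (actor.type, sourceIP, actionResult), the "TOKEN" actor type and the CIDR ranges are assumptions to check against your Panther audit log schema.

```python
import ipaddress

# Assumption: the CIDR ranges your Panther API tokens are bound to.
# These are constructed documentation ranges; replace them with your own.
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "2001:db8::/32")]


def outside_allow_list(source_ip):
    """True when source_ip is missing, malformed, or not in ALLOWED_CIDRS."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except (ValueError, TypeError):
        return True
    return not any(addr in net for net in ALLOWED_CIDRS)


def rule(event):
    # Assumption: audit events for API tokens carry actor.type == "TOKEN"
    # and the caller's address in sourceIP.
    actor = event.get("actor") or {}
    return actor.get("type") == "TOKEN" and outside_allow_list(event.get("sourceIP"))


def severity(event):
    # A call that succeeded from outside the ranges means the token is not
    # actually bound to the allow-list, which is the worse case.
    return "HIGH" if event.get("actionResult") == "SUCCEEDED" else "MEDIUM"


def title(event):
    actor = event.get("actor") or {}
    return (f"Panther API token '{actor.get('name', 'unknown')}' used from "
            f"{event.get('sourceIP')} outside the allow-list")


def dedup(event):
    # Group alerts per token and source address.
    actor = event.get("actor") or {}
    return f"{actor.get('id')}:{event.get('sourceIP')}"


# Constructed sample events (not real audit logs; action names are made up).
TOKEN_ACTOR = {"type": "TOKEN", "id": "tok-1", "name": "mcp-readonly"}
EVENTS = [
    {"actionName": "EXAMPLE_READ", "actionResult": "SUCCEEDED",
     "sourceIP": "192.0.2.10", "actor": TOKEN_ACTOR},
    {"actionName": "EXAMPLE_READ", "actionResult": "SUCCEEDED",
     "sourceIP": "203.0.113.7", "actor": TOKEN_ACTOR},
    {"actionName": "EXAMPLE_READ", "actionResult": "FAILED",
     "sourceIP": "198.51.100.4", "actor": TOKEN_ACTOR},
    {"actionName": "EXAMPLE_WRITE", "actionResult": "SUCCEEDED",
     "sourceIP": "203.0.113.7", "actor": {"type": "USER", "id": "usr-9", "name": "analyst"}},
]

if __name__ == "__main__":
    for ev in EVENTS:
        if rule(ev):
            print(severity(ev), title(ev))
```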

Troubleshooting

Check the server logs for detailed error messages: tail -n 20 -F ~/Library/Logs/Claude/mcp*.log. Common issues and solutions are listed below.

Running tools

  • If you get a {"success": false, "message": "Failed to [action]: Request failed (HTTP 403): {\"error\": \"forbidden\"}"} error, it likely means your API token lacks the particular permission needed by the tool.
  • Ensure your Panther Instance URL is correctly set. You can view this in the config://panther resource from your MCP Client.

Contributing

We welcome contributions to improve MCP-Panther! Here's how you can help:

  1. Report Issues: Open an issue for any bugs or feature requests
  2. Submit Pull Requests: Fork the repository and submit PRs for bug fixes or new features
  3. Improve Documentation: Help us make the documentation clearer and more comprehensive
  4. Share Use Cases: Let us know how you're using MCP-Panther and what could make it better

Please ensure your contributions follow our coding standards and include appropriate tests and documentation.

Contributors

This project exists thanks to all the people who contribute. Special thanks to Tomasz Tchorz and Glenn Edwards from Block, who played a core role in launching MCP-Panther as a joint open-source effort with Panther.

See our CONTRIBUTORS.md for a complete list of contributors.

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.

Installation

TypingMind
Prerequisites:

Node.js 18+

{
  "mcpServers": {
    "mcp-panther": {
      "command": "uvx",
      "args": [
        "mcp-panther"
      ],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-PANTHER-API-TOKEN"
      }
    }
  }
}

Use Panther Labs MCP with multiple AI models

TypingMind connects MCP tools at the workspace level, so once Panther Labs is connected, you can use it with different AI models in TypingMind instead of setting it up separately for each model. This MCP runs locally through the TypingMind MCP connector on your device.

Setup guide to use the local connector

Use this when the MCP server needs access to local files, apps, or private resources on your computer.

Step 1: Open the MCP settings

In TypingMind, go to Settings, Advanced Settings, then Model Context Protocol and choose Setup Connector.

  1. Open TypingMind in your browser.
  2. Click the Settings icon.
  3. Go to Advanced Settings.
  4. Open the Model Context Protocol section.
  5. Click Setup Connector and choose This Device.

Step 2: Run the connector command

Choose This Device, copy the command from TypingMind, and run it in Terminal. Keep the process running while you use MCP.

  1. Copy the setup command shown by TypingMind.
  2. Open Terminal on macOS or Windows Terminal on Windows.
  3. Paste and run the command.
  4. Approve the package install if Terminal asks you to proceed.
  5. Keep the Terminal window running while using MCP tools.

Step 3: Add Panther Labs as a server

When the connector status is Ready, click Edit Servers and paste the MCP server configuration.

  1. Wait until the connector status shows Ready.
  2. Click Edit Servers.
  3. Paste the Panther Labs MCP server configuration.
  4. Save the server list.
  5. Refresh if you want to confirm the connector is still ready.

{
  "mcpServers": {
    "panther-labs": {
      "command": "uvx",
      "args": [
        "mcp-panther"
      ],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-PANTHER-API-TOKEN"
      }
    }
  }
}

Step 4: Use it across models

Save the server list, open Plugins, enable the Panther Labs MCP tools, then select any supported AI model in TypingMind and use the tools in chat or assign them to an AI agent.

  1. Open the Plugins page in TypingMind.
  2. Enable the Panther Labs MCP tools.
  3. Start a chat and choose the AI model you want to use.
  4. Use the MCP tools in chat or assign them to an AI agent.
  5. Switch to another AI model whenever needed without reconnecting MCP.

Frequently asked questions

What is the Panther Labs MCP server used for?

Panther Labs is an MCP server that lets compatible AI clients connect to external tools and context. In TypingMind, you can add this MCP server once and make its tools available in your AI workspace.

Can I use Panther Labs MCP with multiple AI models in TypingMind?

Yes. TypingMind connects MCP tools at the workspace level, so you can use Panther Labs with different AI models such as Claude, ChatGPT, Gemini, or other models you have configured in TypingMind without setting up the MCP server separately for each model.

Why use Panther Labs MCP with TypingMind?

TypingMind is one of the best frontends for LLM chat because it brings multiple AI models, prompts, plugins, AI agents, API keys, and MCP tools into one workspace. With Panther Labs connected, you can use its MCP tools across your preferred models while keeping your chat workflow organized in TypingMind.

How do I connect Panther Labs MCP to TypingMind?

Panther Labs runs through the TypingMind local MCP connector. This is best when the MCP server needs access to local files, desktop apps, command-line tools, or private resources on your computer.

What tools does Panther Labs MCP provide in TypingMind?

Panther Labs exposes MCP capabilities that can be enabled from the TypingMind Plugins page and used in chat or assigned to AI agents.

Do I need to share my API keys with TypingMind to use Panther Labs MCP?

No. TypingMind is local-first and lets you keep your model providers, API keys, prompts, and MCP configuration under your control. If Panther Labs requires authentication, add the required headers, OAuth settings, or local configuration for that MCP server when you create the connection.
