mcp-panther

Write detections, investigate alerts, and query logs from your favorite AI agents

Installation
Run this command in your terminal to add the MCP server to Claude Code:
claude mcp add --transport stdio panther-labs-mcp-panther npx -y panther-mcp-panther

How to use

Panther MCP Server provides a suite of tooling to write and tune detections, query security logs with natural language, and triage alerts all from a unified interface. The server exposes tools under categories like Alerts, Data Lake, Detections, Scheduled Queries, Sources, Global Helpers, Data Models, Schemas, Metrics, and Users & Access Management. With these tools you can add comments to alerts, start AI-powered triage, retrieve summaries, run SQL-like queries against Panther’s data lake, inspect alert events, manage scheduled queries, and retrieve schema or log source details. Typical workflows include writing or tuning detections from your IDE, querying logs using natural language prompts, and bulk-updating alert statuses or assignees to triage incidents efficiently.

How to install

Prerequisites:

  • Node.js (recommended v14+ or as required by the MCP server) and npm installed on your system
  • Optional: Docker for containerized startup

Install and run using npx (no global install required):

  1. Ensure you are authenticated to access the MCP package if needed (e.g., a private registry).
  2. Start the server: npx -y panther-mcp-panther

Alternative: run via Docker (if provided by the project):

  1. Pull the image: docker pull panther/mcp-panther:latest
  2. Run the container: docker run -i panther/mcp-panther:latest

If you prefer a global npm install (less common for ephemeral runs):

  1. Install globally: npm install -g panther-mcp-panther
  2. Run the server (adjust path as needed): panther-mcp-panther

Note: If the MCP server requires specific environment variables (for example, API keys, endpoints, or authentication tokens), set them in your environment before starting the server (see Additional notes for details).

Additional notes

Environment variables and configuration options may control authentication, data sources, and destinations for detections and alerts. Common items to document include:

  • API_ENDPOINT or PANTHER_API_URL: base URL for Panther API
  • API_TOKEN or PANTHER_API_TOKEN: authentication token
  • LOG_LEVEL or MCP_LOG_LEVEL: logging verbosity
  • DATA_LAKE_CONNECTION_STRING or PANTHER_DATA_LAKE_URI: connection to the data lake

If you encounter startup issues, check that your Node/npm versions are compatible with the MCP package, verify network access to any required Panther endpoints, and ensure any required tokens or secrets are provided. For local development, you can start with a minimal configuration and gradually enable advanced tools like AI triage or data-lake queries as you confirm connectivity.
