# Panther AI Tools

## Tools

Panther AI has access to many of the same tools available to human users of Panther. Panther AI automatically selects which tools to use based on your prompt — you don't need to specify tools, but understanding what's available helps you craft effective prompts. For example, asking "What happened before this alert fired?" will prompt AI to use alert and data lake tools, while "Write a detection for brute-force logins" will use detection authoring tools.

When running tools (either in the Console or programmatically), Panther AI operates with the same permission set as the current user, so it can only read or modify what that user could. When entering your own prompt, you can direct it to use certain tools, if desired.

The most commonly used tools include `panther_ai_datalake_execute_sql` (custom SQL queries), `panther_ai_alerts_get` (alert details), and `panther_ai_detections_get` (detection metadata and code). See [which tools require human approval before execution above](#tool-approval).

### **Alert management**

* `panther_ai_alerts_add_comment`: Add comments to alerts
* `panther_ai_alerts_list`: List recent alerts (default 7 days) with filtering by type, severity, status, log type, source, quality, or context tags
* `panther_ai_alerts_get`: Get detailed alert information, including up to 25 recent comments and sampled events
* `panther_ai_alerts_assign`: Assign alerts to users
* `panther_ai_alerts_bulk_update`: Update up to 100 alerts at once with status, quality, tags, assignee, or comments
* `panther_ai_alerts_list_context_tags`: List all available context tags for categorizing alerts
* `panther_ai_alerts_update`: Update the status of alerts, quality assessment, or context tags

### **Data search and analysis**

* `panther_ai_datalake_summarize_column`: Compute top/bottom unique values with counts for any column or nested field, with results automatically enriched from lookup tables
* `panther_ai_datalake_search_logs`: Simple key/value search for straightforward single-attribute lookups returning complete log records
* `panther_ai_datalake_execute_sql`: Execute database-compatible SQL queries against Panther's data lake
* `panther_ai_datalake_activity_histogram`: Generate activity histograms to identify peak activity times before detailed searches
* `panther_ai_utilities_pantherflow_query`: Submit a PantherFlow query for validation and display
* `panther_ai_utilities_pantherflow_query_skill`: Get PantherFlow query language reference and generation instructions
* `panther_ai_utilities_sql_query_author_skill`: Get SQL query authoring guidance and best practices for generating database-compatible queries

### **Cloud resources**

* `panther_ai_cloud_resources_list_types`: Get a static list of supported AWS resource types for cloud resource queries and policy development
* `panther_ai_cloud_resources_list`: Search and filter cloud resources by type, compliance status, account, or ARN substring
* `panther_ai_cloud_resources_get`: Retrieve detailed resource configuration data for a specific cloud resource
* `panther_ai_cloud_resources_get_sample`: Get a sample resource of a specific type for policy authoring and testing

### **Cloud security scanning**

* `panther_ai_cloud_scanning_get_overview`: Get organization-level compliance posture summary with top failing policies and resources
* `panther_ai_cloud_scanning_describe_policy`: Analyze per-resource compliance results for a specific policy
* `panther_ai_cloud_scanning_describe_resource`: Analyze per-policy compliance results for a specific resource
* `panther_ai_cloud_scanning_list_cis_controls`: Get CIS AWS Foundations Benchmark reference data and control details

### **Detection management**

* `panther_ai_detections_list`: List and search detections (rules, scheduled rules, correlation rules, policies) with filtering by name, severity, log type, tags, MITRE ATT&CK, status, and author
* `panther_ai_detections_get`: Get complete detection details including Python code, tests, and runbook
* `panther_ai_detections_write`: Create or update a detection directly in Panther. Supports RULE (real-time streaming), SCHEDULED_RULE (historical), and POLICY (cloud resource compliance) types. Settings not in the schema (enabled state, tags, alert destinations) are preserved automatically on updates.
* `panther_ai_detections_author`: Author a new detection with testing and validation. Tests detection code in Panther's Python execution environment, validating rule(), alert_context(), title(), dedup() for rules, or policy() for policies. Returns syntax errors, runtime exceptions, and logic errors with details.
* `panther_ai_detections_writer_skill`: Get specific instructions before writing a Panther detection
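As an added illustration (not Panther's own code) of the function contract that `panther_ai_detections_author` validates, here is a brute-force-login rule written in the shape of a Panther Python detection and run over constructed AWS CloudTrail ConsoleLogin events. It assumes events are plain dicts (Panther's event object exposes the same `.get()` interface) and uses an in-memory counter as a stand-in for Panther's cache helpers; the threshold and sample values are invented.

```python
# Added example, not Panther's own code: the rule()/title()/dedup()/
# alert_context() contract, as a brute-force console-login detection.
# Events are plain dicts here; FAILED_LOGINS is an in-memory stand-in for
# the per-key counter a real Panther rule would keep in the cache helpers.
from collections import defaultdict

THRESHOLD = 5                       # failed logins per source IP before alerting
FAILED_LOGINS = defaultdict(int)    # stand-in cache: sourceIPAddress -> count


def rule(event):
    """Return True when this event pushes its source IP over the threshold."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if event.get("responseElements", {}).get("ConsoleLogin") != "Failure":
        return False
    ip = event.get("sourceIPAddress", "unknown")
    FAILED_LOGINS[ip] += 1
    return FAILED_LOGINS[ip] >= THRESHOLD


def title(event):
    """Alert title; the first thing an analyst sees."""
    return f"Console login brute force from {event.get('sourceIPAddress')}"


def dedup(event):
    """Events sharing this string collapse into a single alert."""
    return event.get("sourceIPAddress", "unknown")


def alert_context(event):
    """Structured fields attached to the alert for triage."""
    ip = event.get("sourceIPAddress", "unknown")
    return {
        "source_ip": ip,
        "user_type": event.get("userIdentity", {}).get("type"),
        "failed_attempts": FAILED_LOGINS[ip],
    }


def make_event(ip, outcome="Failure", user_type="IAMUser"):
    """Constructed sample CloudTrail ConsoleLogin event (not real log data)."""
    return {
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": user_type},
        "responseElements": {"ConsoleLogin": outcome},
    }
```

Because `rule()` runs once per event, the fifth failure from one IP is the first event that fires, and `dedup()` keeps later failures from that IP inside the same alert.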

### **Log sources, schemas, and metadata**

* `panther_ai_log_sources_get_sample_data`: Retrieve sample data from a log source to understand data structure and verify ingestion
* `panther_ai_log_sources_list`: List log sources with health status (permissions, data flow, errors), with filtering by log type, health, and integration type
* `panther_ai_log_types_get_schema`: Get complete schema for log types including column definitions and nested field paths for SQL queries
* `panther_ai_log_types_list`: List available log types with table names and descriptions
* `panther_ai_log_types_test_schema`: Test a schema against sample data to validate correctness, returning matched/unmatched event statistics and error messages. Designed for iterative use until a 100% match is achieved.
* `panther_ai_log_types_writer_skill`: Get instructions about schema structure, field types, and best practices before creating schemas
* `panther_ai_log_types_guidance_skill`: Get instructions for analyzing events based on log type
* `panther_ai_utilities_classification_error_fixer_skill`: Get instructions for diagnosing and fixing log classification errors

### **Query (Saved Search) management**

* `panther_ai_datalake_list_saved_queries`: List saved queries (Saved Searches) for discovery and reuse
* `panther_ai_datalake_get_query_results`: Retrieve results of previously executed async queries by query ID
* `panther_ai_datalake_write_saved_query`: Save a SQL query with a descriptive name and description for later reuse. The query is executed first to verify validity before saving.

### **Enrichment and context**

* `panther_ai_enrichments_lookup`: Look up enrichment data for IOCs and indicators (IP addresses, domains, hashes, usernames, email addresses, AWS ARNs)
* `panther_ai_users_list`: List Panther workspace users with IDs, names, and status for referencing in assignments and filters
* `panther_ai_users_get`: Get detailed user information including permissions and roles
* `panther_ai_roles_list`: List Panther roles and their permissions
* `panther_ai_roles_get`: Get details about a specific role, including permissions and log type access
* `panther_ai_utilities_calculate_risk_score`: Calculate a normalized risk score for entities (users, IPs, etc.) based on alert history and security indicators

### **Utilities**

* `panther_ai_utilities_ask_question`: Ask the user a structured multiple-choice question to gather information needed for the current task. Presents 2-10 specific options with a built-in "Other" option for custom responses. Supports single-select and multi-select response types.
* `panther_ai_utilities_fetch_web`: Fetch content from web pages and process user-uploaded file attachments. For web URLs, access is restricted to approved domains configured in [Panther AI settings](https://docs.panther.com/system-configuration#web-access), with user approval required for non-approved domains depending on settings. File attachments are stored securely in S3 for the duration of the AI conversation. Supports text pages, images (PNG, JPEG, GIF, WebP), and PDF documents.
* `panther_ai_utilities_panther_docs_skill`: Get instructions for navigating Panther documentation at docs.panther.com

### **AI responses and citations**

* `panther_ai_memory_get_response`: Retrieve a complete AI response by its ID, including parent and child responses for full conversation context. AI responses form a tree structure where conversations branch through follow-ups and related analyses.
* `panther_ai_memory_search_responses`: Search conversation history using semantic search for previous AI responses. Queries can be natural language questions, contextual phrases, or specific indicators (IP addresses, alert IDs, usernames).
* `panther_ai_citations_list`: List citations accumulated during the current conversation (resource references viewed or modified)
