# MCP Server

## Overview

The Panther [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction) server enables natural language interactions with Panther in your MCP [client](https://modelcontextprotocol.io/clients) of choice. Whether you're an analyst investigating alerts, a detection engineer writing rules in [Cursor](https://www.cursor.com/en), or a CISO seeking metrics and quick insights, the MCP server lets you work with the [Panther API](/panther-developer-workflows/api.md) using conversational AI.

The Panther MCP server democratizes Panther access to users across your organization—imagine not having to know how to program in Python to write a rule, or not needing a query language like SQL or PantherFlow to search data.

For example, you can use the Panther MCP server for:

* **Detection engineering**: Generate rules based on real logs in your data lake, using clients like Cursor.
  * In Cursor, "Create a rule to monitor when AWS admins are created in account 333333444444"
* **Alert triage**: Review and correlate many alerts generated within a given time period.
  * In Claude for Desktop, "Show me all medium+ alerts from the last 24 hours grouped by IP"
* **Threat investigation**: Query your security logs and investigate anomalies.
  * In Claude for Desktop, "Query AWS CloudTrail logs for failed login attempts in the last day."
* **Panther operations**: Expedite the resolution of operational issues end-to-end, such as [rule errors](/detections/rules.md#rule-errors-and-scheduled-rule-errors) or [system errors](/system-configuration/notifications/system-errors.md).
  * In Claude for Desktop, "Generate a report of our top 10 rules by alert volume this month"

The Panther MCP server includes tools for working with a number of entities, like alerts, data, rules, data models, schemas, metrics, and Panther users. Learn more about these tools in the [Available Tools section in the `mcp-panther` repository's README](https://github.com/panther-labs/mcp-panther?tab=readme-ov-file#available-tools).

The Panther MCP server is open-source—see the [contribution guidelines here](https://github.com/panther-labs/mcp-panther/blob/main/CONTRIBUTING.md). If you find a bug in the MCP server or need extra support while using it, please [create an issue in the repository](https://docs.github.com/en/issues/tracking-your-work-with-issues/using-issues/creating-an-issue).

{% hint style="info" %}
Use of Panther MCP features is subject to the [AI disclaimer found on the Legal page](/resources/help/legal.md#ai-disclaimer).
{% endhint %}

## Using the MCP workflow

1. Install the MCP server in your client of choice (e.g., Claude for Desktop).
   * You can install the Panther MCP server locally using `docker` or `uvx`. For full instructions, see the [MCP Server Installation section of the README](https://github.com/panther-labs/mcp-panther?tab=readme-ov-file#mcp-server-installation).
2. Ask a Panther-relevant question or provide a prompt (e.g., "Write a detection for suspicious S3 bucket access").
3. Your client uses `mcp-panther`'s [tools](https://github.com/panther-labs/mcp-panther?tab=readme-ov-file#available-tools) to interact with [Panther's APIs](/panther-developer-workflows/api.md) and gather necessary data.
4. Your client uses the response from `mcp-panther` to answer your question or execute the action you requested.

## Securing your MCP server

To safely use the Panther MCP server, it's strongly recommended to follow the guidelines in the [Security Best Practices section in the mcp-panther repository's README](https://github.com/panther-labs/mcp-panther?tab=readme-ov-file#security-best-practices).

## The Panther MCP server vs. Panther AI

The Panther MCP server and [Panther AI](/ai.md) both allow you to interact with your Panther instance with AI using free-form prompts, but there are a few key differences:

<table><thead><tr><th width="205.68743896484375"></th><th>Panther MCP server</th><th width="254.5789794921875">Panther AI</th></tr></thead><tbody><tr><td><strong>Primary use case</strong></td><td>Detection engineering, cross-tool workflows, ad-hoc investigations, custom internal agent creation</td><td>Guided alert triage and incident response</td></tr><tr><td><strong>Access method</strong></td><td><a href="https://modelcontextprotocol.io/clients">MCP clients</a> like Cursor, Claude for Desktop, and Goose</td><td>Panther Console (and API, for <a href="/pages/2HVEEO2zyhXRp8wsI5PB">Cloud Connected</a> customers)</td></tr><tr><td><strong>Integration capability</strong></td><td>Works alongside other <a href="https://github.com/modelcontextprotocol/servers">MCP servers</a> (e.g., GitHub, Slack, Notion, etc.)</td><td>Panther-specific workflows only</td></tr><tr><td><strong>Best for</strong></td><td>Complex, exploratory tasks requiring flexibility across Panther</td><td>Repeatable, consistent security operations workflows</td></tr><tr><td><strong>AI model</strong></td><td>Uses your MCP client's chosen model (e.g., GPT-4, Claude, Llama 4, etc.)</td><td>Powered by <a href="https://www.anthropic.com/claude">Claude AI models by Anthropic</a> through <a href="https://aws.amazon.com/bedrock/">Amazon Bedrock</a></td></tr></tbody></table>

## MCP Server Permissions Guide

<table><thead><tr><th width="310.76171875">Access Level</th><th>API Token Permissions</th><th data-hidden></th></tr></thead><tbody><tr><td>Read-only (minimum recommended)</td><td><code>Read Alerts</code>, <code>View Rules</code>, <code>View Policies</code>, <code>Query Data Lake</code>, <code>View Log Sources</code>, <code>Read Panther Metrics</code>, <code>Read User Info</code>, <code>Read API Token Info</code></td><td></td></tr><tr><td>Write Actions</td><td><code>Manage Alerts</code>, <code>Manage Rules</code>, and/or <code>Manage Policies</code></td><td></td></tr><tr><td>AI Triage</td><td><code>Run Panther AI</code></td><td></td></tr></tbody></table>
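The following script is an added example, not code from the Panther docs or the `mcp-panther` project. It ties together the install step of the workflow above and the permissions table: before wiring an API token into an MCP client, it checks the token's granted permissions against the tier you actually need (read-only baseline, optionally write actions and/or AI triage) and reports anything missing or excessive, then builds the client configuration entry that launches `mcp-panther` through `uvx`. The permission names come from the table; the `mcpServers` command/args/env shape follows the common MCP client convention, and the environment variable names `PANTHER_INSTANCE_URL` and `PANTHER_API_TOKEN` are assumptions to confirm against the `mcp-panther` README before use.

```python
"""Least-privilege check for the API token you hand to the Panther MCP server.

Added example; it is not code from the Panther docs or the mcp-panther project.
Permission names are the ones in the permissions table above. The client
configuration shape (an "mcpServers" entry with command/args/env) follows the
common MCP client convention, and the environment variable names
PANTHER_INSTANCE_URL and PANTHER_API_TOKEN are assumptions to confirm against
the mcp-panther README before use.
"""
import json

# Permission tiers as listed in the permissions table.
READ_ONLY = frozenset({
    "Read Alerts", "View Rules", "View Policies", "Query Data Lake",
    "View Log Sources", "Read Panther Metrics", "Read User Info",
    "Read API Token Info",
})
WRITE_ACTIONS = frozenset({"Manage Alerts", "Manage Rules", "Manage Policies"})
AI_TRIAGE = frozenset({"Run Panther AI"})


def check_token_permissions(granted, allow_write=False, allow_ai_triage=False):
    """Compare a token's granted permissions with what the intended use needs.

    "missing" lists read-only baseline permissions the token lacks (the MCP
    tools will fail without them); "excess" lists permissions the token holds
    that the chosen use does not need (revoke them before wiring the token
    into an MCP client). Write actions are "and/or" in the table, so any
    subset of them is accepted when allow_write is set.
    """
    granted = frozenset(granted)
    allowed = set(READ_ONLY)
    if allow_write:
        allowed |= WRITE_ACTIONS
    if allow_ai_triage:
        allowed |= AI_TRIAGE
    missing = sorted(READ_ONLY - granted)
    excess = sorted(granted - allowed)
    return {"missing": missing, "excess": excess, "ok": not missing and not excess}


def build_client_config(instance_url, api_token, server_name="panther"):
    """Build an MCP client configuration entry that launches mcp-panther via uvx.

    The token reaches the server through its process environment rather than
    through a chat prompt. The configuration file itself contains the secret,
    so restrict its filesystem permissions as you would any credential file.
    """
    return {
        "mcpServers": {
            server_name: {
                "command": "uvx",
                "args": ["mcp-panther"],
                "env": {
                    # Assumed variable names; confirm against the mcp-panther README.
                    "PANTHER_INSTANCE_URL": instance_url,
                    "PANTHER_API_TOKEN": api_token,
                },
            }
        }
    }


if __name__ == "__main__":
    # Constructed sample: a token intended for read-only use that also carries
    # "Manage Rules", which a read-only analyst workflow does not need.
    candidate = READ_ONLY | {"Manage Rules"}
    report = check_token_permissions(candidate)
    print("read-only use:", report)  # excess == ["Manage Rules"], ok == False
    # The same token is acceptable for a detection-engineering (write) workflow.
    print("write use:", check_token_permissions(candidate, allow_write=True)["ok"])
    # Placeholder values; never commit a real token.
    config = build_client_config("https://EXAMPLE.runpanther.net", "<API_TOKEN>")
    print(json.dumps(config, indent=2))
```

Run the check against the permission list shown for the token in the Panther Console; an `excess` entry means the token grants more than the workflow you are enabling requires and should be narrowed before the MCP client is pointed at it.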


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.panther.com/panther-developer-workflows/mcp-server.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
