> For the complete documentation index, see [llms.txt](https://docs.panther.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.panther.com/~/revisions/i7lJ3BCO5BWSo8qHQtoL/ai/panther-mcp-server.md). # Panther Remote MCP (Beta) ## Overview {% hint style="info" %} Panther Remote MCP is in open beta starting with Panther version 1.124, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. {% endhint %} {% hint style="warning" %} **Prerequisite: `api.` subdomain.** Panther Remote MCP requires your Panther deployment to have an `api.` subdomain configured (set up as part of your [custom domain configuration](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/system-configuration/panther-deployment-types/cloud-connected/set-up.md)). If your deployment doesn't have one, use [Local MCP](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/ai/panther-mcp-server/local.md) instead. {% endhint %} Panther Remote MCP lets you interact with your Panther instance from any [MCP](https://modelcontextprotocol.io/)-compatible AI client — like Claude for Desktop, Cursor, or Goose — using natural language. Ask about alerts, query the data lake, look up an indicator, or pull a detection's source — all without leaving your editor or chat client. Panther exposes MCP in two ways: * **Remote (recommended)** — a hosted endpoint at your Panther instance. Users connect by pasting a URL into their MCP client and signing in through their browser. No install, no API token to manage, full audit logging, and a per-connection consent screen that lets users grant only the permissions they want to expose to the client. * [**Local**](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/ai/panther-mcp-server/local.md) — the open-source [`mcp-panther`](https://github.com/panther-labs/mcp-panther) package, installed locally via `docker` or `uvx`. Useful for CI workflows, scripted agents, and custom internal tooling. Both talk to the same Panther backend, respect the same role-based permissions, and expose the same core tool set for alerts, detections, the data lake, log schemas, identity, and enrichments. {% hint style="info" %} Use of Panther MCP features is subject to the [AI disclaimer found on the Legal page](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/resources/help/legal.md#ai-disclaimer). {% endhint %} ## Remote vs. Local at a glance | | **Remote (recommended)** | [**Local**](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/ai/panther-mcp-server/local.md) | | ---------------------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------ | | Install | None — paste a URL into your client | `docker` or `uvx` | | Authentication | OAuth 2.1 + PKCE through your Panther SSO | Panther API token | | Per-connection consent | Choose which of your permissions to expose | All API token permissions, always | | Audit logging | One audit event per tool call — easy to follow in one place | Scattered across the underlying REST API audit events that each tool call hits | For most users — and especially analysts, detection engineers, and CISOs spot-checking metrics — **Remote MCP is the path of least resistance**. The rest of this page describes the Remote experience. If you need the local install, see [Local MCP](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/ai/panther-mcp-server/local.md). {% hint style="info" %} Remote MCP exposes Panther's **alerts, detections, data lake, schemas, identity, and enrichments**, and the tool surface is actively expanding. A handful of tools available in [Local MCP](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/ai/panther-mcp-server/local.md) — such as Panther-hosted AI workflows (e.g., AI alert triage) and scheduled-query introspection — aren't on Remote MCP yet. If your workflow needs one of those today, use [Local MCP](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/ai/panther-mcp-server/local.md). {% endhint %} ## Connecting your MCP client Your Panther Remote MCP endpoint is: ``` https://api./mcp ``` Most popular MCP clients (Claude for Desktop, Cursor, Goose) work out of the box — they redirect to loopback URLs (`localhost`, `127.0.0.1`), which Panther always permits. If your client uses a non-loopback redirect URL (e.g., a hosted web client or a custom native-app scheme), your Panther admin may need to add it to the allowlist — see [Admin setup](#admin-setup) below. Add Panther as a remote MCP server in your client. For example: {% tabs %} {% tab title="Claude for Desktop" %} 1. Open **Settings** > **Connectors** > **Add Custom Connector**. 2. Enter a name (e.g., `Panther`) and the URL `https://api./mcp`. 3. Save. Claude opens your browser to sign in to Panther. 4. Complete SSO and review the [consent screen](#choosing-what-the-client-can-do). 5. Approve. Your browser redirects back to Claude, which now has access to Panther tools. {% endtab %} {% tab title="Cursor" %} 1. Open **Settings** > **MCP** > **Add new MCP server**. 2. Select **Remote (OAuth)** and enter `https://api./mcp`. 3. Save. Cursor opens your browser to authorize. 4. Complete SSO and the [consent screen](#choosing-what-the-client-can-do). 5. Approve to return to Cursor with Panther tools available. {% endtab %} {% endtabs %} Refer to your MCP client's documentation for the exact menu paths — the flow is otherwise identical: paste the URL, sign in, consent, done. ## Choosing what the client can do After signing in, you'll land on Panther's **MCP authorization** page. This is where you choose how much of your access to share with the MCP client. By default, the consent screen pre-selects every permission your Panther role currently holds. You can **deselect any permission** to narrow what the connected client can do. For example: * **Read-only investigation:** Leave **Read Alerts**, **View Rules**, **Query Data Lake**, **View Log Sources**, and **Read User Info** checked; deselect everything else. * **Triage + comment:** Add **Manage Alerts** to the read-only set so the client can update status, assign, and comment on alerts. * **Detection engineering:** Add **View Policies** so the AI can read detection logic — and only add **Manage Rules** if you want the client to be able to author detections. Tool visibility in the MCP client follows your grant. If you deselect **Manage Alerts**, the alert-write tools won't appear in the client's tool list at all. A few important properties of the consent screen: * **You can only grant permissions you already have.** The backend rejects any selection that exceeds your current role. * **Permission revocations apply on refresh.** If your role is reduced after you've connected, the next refresh will fail closed rather than silently retain the old scope. * **Each user connects individually.** Connections are personal — there is no shared "service account" token. Audit logs attribute every tool call to the user who connected. {% hint style="info" %} **Treat this like any OAuth consent screen.** Grant the minimum set of permissions you need for the workflow at hand. Connecting a less-trusted client? Narrow more aggressively — you can always reconnect with broader scope later. {% endhint %} ## What you can do from your MCP client Panther's Remote MCP server exposes tools across the following domains. The exact list visible in your client depends on what you granted during consent and on your underlying role permissions. | Domain | What's available | | --------------------------- | ----------------------------------------------------------------------- | | **Alerts** | List, get, update, assign, bulk-update, add comments, list context tags | | **Detections** | List rules and policies, get detection source and metadata | | **Data lake — SQL** | Execute arbitrary SQL against `panther_logs` and `panther_signals` | | **Data lake — search** | Attribute/value search without writing SQL | | **Data lake — exploration** | Activity histograms, column-level summarization | | **Log types** | List log types, fetch their schemas | | **Log sources** | List configured log sources and their health | | **Enrichments** | Look up indicators of compromise | | **Identity** | List and read users and roles | Example prompts that work out of the box: * "Show me all high-severity alerts from the last 24 hours grouped by detection." * "Query AWS CloudTrail for failed `ConsoleLogin` events from this IP in the last week." * "Look up IOC reputation for these five domains." * "Read the rule source for `AWS.IAM.RootKeyUsage` and explain what it triggers on." * "Add a comment to alert `abc123…` summarizing my investigation." For a complete and up-to-date list of available tools, query your MCP client after connecting — it lists the exact tool set it sees based on your consent. ## Admin setup {% hint style="info" %} You must have the **Edit Settings & SAML Preferences** permission to configure Remote MCP. {% endhint %} The only admin task for Remote MCP is allowlisting redirect URLs that your users' MCP clients use to receive the authorization code, and only when those clients use non-loopback redirects. Loopback addresses (`localhost`, `127.0.0.1`, `::1`) are always permitted, which covers most desktop MCP clients out of the box. To configure additional redirect URLs: 1. In the upper-right corner of your Panther Console, click the gear icon (**Settings**) > **Panther AI**. 2. Navigate to the **Remote MCP** tab. 3. Configure the following: * **Allowed redirect domains** — domains permitted for `https://` OAuth redirects (e.g., `claude.ai`, `*.cursor.com`). Loopback addresses (`localhost`, `127.0.0.1`, `::1`) are always allowed and do not need to be listed. * **Allowed custom schemes** — scheme names permitted for native-app deep-link redirects (e.g., `cursor`, `mcp`, `com.example.app`). Reserved values (`http`, `https`, `javascript`, `data`, `file`, `vbscript`) are rejected. 4. Save changes. Updates may take up to 10 minutes to take effect due to configuration caching. ### Allowed redirect domains — glob semantics The domain allowlist supports glob patterns: | Pattern | Matches | Does NOT match | | -------------- | ----------------------------------- | ------------------------------------------------ | | `claude.ai` | `claude.ai` only | `api.claude.ai`, `notclaude.ai` | | `*.cursor.com` | `auth.cursor.com`, `api.cursor.com` | `cursor.com` (no subdomain), `notcursor.com` | | `*cursor.com` | `auth.cursor.com`, `notcursor.com` | *Use sparingly* — also matches lookalike domains | {% hint style="warning" %} `*example.com` is a string-match wildcard, not a dot-boundary one — it will also match `notexample.com`. For "any subdomain of example.com" use `*.example.com` instead. {% endhint %} Matching is case-insensitive on the hostname. ### Permissions overview Remote MCP touches three Panther permissions: | Permission | Role this grants | | ------------------------------------------------------------------------- | ------------------------------------------------------------- | | **Edit Settings & SAML Preferences** | Configure the redirect allowlists (admin) | | **Read Settings & SAML Preferences** | View the Remote MCP settings page (admin/analyst) | | Any tool-specific permission (e.g., **Read Alerts**, **Query Data Lake**) | Becomes available for the user to grant on the consent screen | Users do not need any special "MCP" permission to connect — their existing role permissions are what they can choose to expose to a client. ## Security * **OAuth 2.1 + PKCE.** Standard, audited flow. State, PKCE, and browser-bound flow IDs protect the OAuth handshake from interception and cross-session injection. * **Least-privilege consent.** The per-connection consent screen lets users grant only the subset of their permissions they want exposed to a client. * **Consolidated audit logging.** Every tool invocation is recorded as a single audit-log event (search by event type `AI_TOOL_INVOKE`) in [Panther audit logs](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/data-onboarding/supported-logs/panther-audit-logs.md), attributed to the connecting user. This is easier to follow than Local MCP, where a single tool call surfaces as multiple downstream REST API audit events spread across the endpoints it touched. ## How Panther Remote MCP differs from Panther AI Panther Remote MCP and [Panther AI](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/ai.md) both let you interact with Panther using natural language, but they're built for different use cases. | | **Panther Remote MCP** | **Panther AI** | | -------------------------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Primary use case** | Cross-tool workflows, ad-hoc investigations, detection engineering in your editor, custom internal agents | Guided alert triage and incident response inside the Panther Console | | **Where you use it** | [MCP clients](https://modelcontextprotocol.io/clients) like Claude for Desktop, Cursor, Goose | Panther Console (and Panther AI GraphQL operations, for [Cloud Connected](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/system-configuration/panther-deployment-types/cloud-connected.md) customers) | | **AI model** | Your MCP client's chosen model (Claude, GPT, etc.) | [Claude models](https://www.anthropic.com/claude) via [Amazon Bedrock](https://aws.amazon.com/bedrock/), provisioned by Panther | | **Integration capability** | Composes with other [MCP servers](https://github.com/modelcontextprotocol/servers) the client has installed | Panther-specific workflows only | | **Best for** | Complex, exploratory work across multiple tools | Repeatable, in-Console security operations | The two are complementary — many customers run both. Panther AI handles in-Console triage and detection authoring; Panther MCP gives the same data and detection surface to whatever LLM-powered tool the user prefers. ## Troubleshooting
"Redirect URI is not allowed" after I sign in Your MCP client's redirect URI isn't on your admin's allowlist. Ask your Panther admin to add the appropriate domain to **Allowed redirect domains**, or the scheme to **Allowed custom schemes**, in **Settings** > **Panther AI** > **Remote MCP**. Changes may take up to 10 minutes to propagate.
The client connects but I see no tools (or fewer than expected) Tool visibility is filtered by what you granted on the consent screen and by your underlying Panther role. Disconnect and reconnect from your MCP client to redo the consent flow, and make sure the relevant permissions are checked. If a permission is missing from the consent screen entirely, your Panther role doesn't grant it — contact an admin.
A tool keeps failing with "permission denied" or "unauthorized" Your role likely changed after you connected — Remote MCP refuses to silently retain old permissions. Disconnect from the MCP client and reconnect to refresh your consent under your current role.
Can I use a Panther API token with Remote MCP? No. Remote MCP requires the OAuth flow tied to your user identity. If you need an API-token-based MCP server (for CI, scripted agents, etc.), use [Local MCP](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/ai/panther-mcp-server/local.md) instead.
What's the difference between this and the third-party MCP integrations under Panther AI? The [MCP Integrations](/~/revisions/i7lJ3BCO5BWSo8qHQtoL/ai/mcp-integrations.md) page describes Panther AI connecting **out** to third-party MCP servers like Atlassian or PagerDuty so Panther AI can use their tools during a conversation. This page describes the opposite direction: external MCP clients connecting **in** to Panther so they can use Panther's tools. Different direction, different audience, different setup.
--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.panther.com/~/revisions/i7lJ3BCO5BWSo8qHQtoL/ai/panther-mcp-server.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.