Panther MCP server
Query the Panther data lake, triage alerts, and tune detections from your AI agents.
About
Connect Tracecat to Panther to triage alerts and query the data lake from agents working alongside SOC analysts and detection engineers. You can pull alerts with their underlying log events so an agent can reason about what fired without an analyst opening the console. From there, agents can run SQL against the Panther data lake for context, move alerts through triage states, and post comments back on the alert with the connected user's attribution intact.
Setup
1. Create an API key
   The Panther MCP server authenticates with an API token created from your Panther instance. The token inherits the permissions you grant it, so scope it to the resources your agents need.
2. Select the Panther tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the Panther tile, and paste your API key.
3. Enable Panther in your agent
   In your ai.agent action or the Agents → tools tab, select Panther from the MCP integrations dropdown.
Tools
- list_alerts: List alerts in Panther with filters for status, severity, and time range.
- get_alert: Fetch the full detail for a single alert by ID.
- get_alert_events: Return the underlying log events that fired the alert.
- update_alert_status: Move an alert through triage states like open, triaged, or resolved.
- add_alert_comment: Post a comment on an alert with attribution to the connected user.
- query_data_lake: Run a SQL query against the Panther data lake and return the rows.
- list_databases: List databases in the Panther data lake.
- list_database_tables: List tables in a Panther data lake database with schema metadata.
- list_detections: List Python detections, their status, and which log types they cover.
- get_detection: Fetch the source and metadata for a single detection by ID.