Panther MCP server
Query the Panther data lake, triage alerts, and tune detections from your AI agents.
About
Connect Tracecat to Panther to triage alerts and query the data lake from agents working alongside SOC analysts and detection engineers. You can pull alerts with their underlying log events so an agent can reason about what fired without an analyst opening the console. From there, agents can run SQL against the Panther data lake for context, move alerts through triage states, and post comments back on the alert with the connected user's attribution intact.
Setup
1. Create an API key
   The Panther MCP server authenticates with an API token created from your Panther instance. The token inherits the permissions you grant it, so scope it to the resources your agents need.
2. Select the Panther tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the Panther tile, and paste your API key.
3. Enable Panther in your agent
   In your ai.agent action or Agents → tools tab, select Panther from the MCP integrations dropdown.
Tools
| Tool | Description |
| --- | --- |
| list_alerts | List alerts in Panther with filters for status, severity, and time range. |
| get_alert | Fetch the full detail for a single alert by ID. |
| get_alert_events | Return the underlying log events that fired the alert. |
| update_alert_status | Move an alert through triage states like open, triaged, or resolved. |
| add_alert_comment | Post a comment on an alert with attribution to the connected user. |
| query_data_lake | Run a SQL query against the Panther data lake and return the rows. |
| list_databases | List databases in the Panther data lake. |
| list_database_tables | List tables in a Panther data lake database with schema metadata. |
| list_detections | List Python detections, their status, and which log types they cover. |
| get_detection | Fetch the source and metadata for a single detection by ID. |
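The triage loop described above (events from get_alert_events, a context query for query_data_lake, then a status and comment for update_alert_status and add_alert_comment) as an added Python example; it is not Tracecat's or Panther's code. The event field names, the data lake table name and the MCP call shape are assumptions, and the sample events are constructed; the point it adds is that alert log content is attacker-influenced, so an agent must validate values before they reach SQL.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample standing in for get_alert_events output (field names assumed).
# The third record carries a hostile value to show why log content is validated first.
SAMPLE_EVENTS = [
    {"p_event_time": "2024-05-01T10:00:00Z", "sourceIPAddress": "203.0.113.7", "eventName": "ConsoleLogin"},
    {"p_event_time": "2024-05-01T10:01:00Z", "sourceIPAddress": "203.0.113.7", "eventName": "CreateAccessKey"},
    {"p_event_time": "2024-05-01T10:02:00Z", "sourceIPAddress": "198.51.100.9' OR 1=1 --", "eventName": "ListUsers"},
]
ALLOWED_TABLES = {"panther_logs.public.aws_cloudtrail"}  # assumed table name; an allowlist, never free text
FIXED_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # pinned so the query is reproducible

def extract_ips(events, field="sourceIPAddress"):
    """Unique IPs from alert events. Anything that does not parse as an IP address
    is dropped rather than passed through, so only well-formed literals reach SQL."""
    ips = set()
    for ev in events:
        try:
            ips.add(str(ipaddress.ip_address(str(ev.get(field, "")).strip())))
        except ValueError:
            continue
    return sorted(ips)

def build_context_query(ips, table, lookback_hours=24, now=FIXED_NOW):
    """SQL for query_data_lake: earlier activity from the same IPs inside a window.
    The table comes from the allowlist and the IN list holds validated IPs only."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowlisted: {table}")
    if not ips:
        raise ValueError("no valid IPs to pivot on")
    since = (now - timedelta(hours=lookback_hours)).strftime("%Y-%m-%d %H:%M:%S")
    in_list = ", ".join(f"'{ip}'" for ip in ips)
    return (f"SELECT p_event_time, sourceIPAddress, eventName FROM {table} "
            f"WHERE sourceIPAddress IN ({in_list}) AND p_event_time >= '{since}' "
            f"ORDER BY p_event_time DESC LIMIT 200")

def triage_summary(ips, prior_rows):
    """Pick the status for update_alert_status and the text for add_alert_comment.
    Illustrative rule: an IP with earlier activity in the window earns 'triaged'."""
    seen = {r.get("sourceIPAddress") for r in prior_rows}
    known = [ip for ip in ips if ip in seen]
    status = "triaged" if known else "open"
    comment = (f"Pivoted on {', '.join(ips)}: {len(prior_rows)} earlier event(s) in the "
               f"lookback window; previously seen: {', '.join(known) or 'none'}.")
    return status, comment

if __name__ == "__main__":
    ips = extract_ips(SAMPLE_EVENTS)
    print(build_context_query(ips, "panther_logs.public.aws_cloudtrail"))
    # rows would come back from query_data_lake; constructed here for the demo
    print(triage_summary(ips, [{"sourceIPAddress": "203.0.113.7", "eventName": "GetCallerIdentity"}]))
```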