Panther MCP v2.0.0!

Panther MCP 2.0.0 represents a major overhaul, delivering enhanced reliability, streamlined tool consolidation, and improved AI compatibility for security workflows.

🚨 Breaking Changes

• Removed --compat-mode flag: The compatibility mode flag and related legacy MCP support has been completely removed.

• Transport protocol changes: Server-Sent Events (SSE) transport has been replaced with Streamable HTTP transport. Update your transport configuration from SSE to streamable-http. See the Functionality section for configuration details.

• Tool consolidation: Individual detection tools (list_rules, get_rule_by_id, get_simple_rule_by_id, get_policy_by_id, etc.) have been consolidated into unified detection tools (list_detections, get_detection, disable_detection). Update your tool calls accordingly - see the Tools section for migration details.

• Data lake querying redesign: The two-step asynchronous query process (execute_data_lake_query + get_data_lake_query_results) has been replaced with a single synchronous query_data_lake tool. Query management tools (list_data_lake_queries, cancel_data_lake_query) have been removed. See the Tools section for migration guidance.

• Schema tool rename: get_panther_log_type_schema has been renamed to get_log_type_schema_details for consistency and enhanced functionality.

Tools

🆕 New Tools

• Data Models: list_data_models, get_data_model - Manage UDM mappings and data transformations in rules
• Users & Access Management: list_users, get_user, get_permissions, list_roles, get_role - User account and role management with permission diagnostics
• Scheduled Queries: list_scheduled_queries, get_scheduled_query - Manage automated SQL queries and reports
• Log Sources: get_http_log_source - Detailed configuration for HTTP/webhook log ingestion
• Schemas: list_log_type_schemas - List available log type schemas with optional filters

🔄 Changed Tools

• Detection tools consolidated: Multiple individual detection tools have been unified into three comprehensive tools:

  • list_detections now includes functionality from:

    • list_rules (Python rules)
    • list_scheduled_rules (cron-based rules)
    • list_simple_rules (YAML rules)
    • list_policies (cloud resource policies)

  • get_detection now includes functionality from:

    • get_rule_by_id (Python rules)
    • get_scheduled_rule_by_id (cron-based rules)
    • get_simple_rule_by_id (YAML rules)
    • get_policy_by_id (cloud resource policies)

  • disable_detection now includes functionality from:

    • disable_rule (Python rules only in v1.1.0, now supports all detection types)

• Data lake querying: Completely redesigned for synchronous operation:

  • execute_data_lake_query + get_data_lake_query_results → query_data_lake: Combined the two-step asynchronous process into a single synchronous tool that executes queries and returns results immediately

• Schema tools renamed: Tool was renamed for clarity and consistency:

  • get_panther_log_type_schema → get_log_type_schema_details: Enhanced functionality with comprehensive schema specifications

• User management tools renamed: Tool was renamed for consistency:

  • list_panther_users → list_users: Simplified naming for better consistency across user management tools

• Scheduled query tools enhanced: Improved functionality and validation:

  • list_scheduled_queries: Enhanced with name filtering and optimized response size by excluding SQL content from list responses (use get_scheduled_query for full SQL)
  • get_scheduled_query: Added UUID validation for query_id parameter to improve type safety

❌ Removed Tools

• get_sample_log_events: Removed to prevent LLM bias when analyzing logs. This tool was providing sample data that could influence analysis results.
• get_data_lake_query_results: Removed as part of the data lake querying redesign. Result retrieval is now handled automatically within the synchronous query_data_lake tool.
• list_data_lake_queries: Removed as part of the data lake querying redesign. Query management is now handled automatically within the synchronous query_data_lake tool.
• cancel_data_lake_query: Removed as part of the data lake querying redesign. Query timeout and cancellation are now handled automatically within query_data_lake.

Functionality

🆕 New Features

• Streamable HTTP Transport: Added support for running the MCP server over HTTP in addition to the default STDIO transport. This enables web-based integrations and persistent server deployments.

  • Set MCP_TRANSPORT=streamable-http environment variable
  • Configure host/port with MCP_HOST and MCP_PORT
  • Default HTTP endpoint: http://127.0.0.1:3000/mcp

• SQL Reserved Word Processing: Added automatic processing of SQL reserved words in data lake queries to prevent syntax errors

• Enhanced Field Annotations: Improved tool parameter annotations with better examples and descriptions for more reliable LLM interactions

• Standardized Date Parameter Validation: Added comprehensive ISO-8601 date validation with a new validators module to ensure consistent date handling across all tools. This improves AI compatibility by providing clear validation errors for date format issues.

• Advanced Filtering Capabilities: Added comprehensive filtering options across multiple tools:

  • Detection tools: Enhanced filtering by name, state, severity, tags, log types, resource types, creator, and modifier
  • Global helper tools: Advanced filtering by name contains, creator, and last modifier
  • User management tools: Improved pagination and search capabilities
  • Schema tools: Added filtering by archive status, usage status, and managed status

• Windows Compatibility: Fixed compatibility issues in server.py for Windows environments

🔧 Improvements

• FastMCP Upgrade: Upgraded from FastMCP v2.3.3 to v2.10.0 for improved performance and stability
• User Endpoint Limits: Added appropriate limits to user-related endpoints to prevent excessive API calls
• README Organization: Improved README structure with better categorization of tools and clearer installation instructions
• CI Enhancements: Added invisible character scanning in PR validation
• API Migration: Migrated alert tools from GraphQL to REST API for better performance and consistency
• Dependency Cleanup: Removed unused dependencies (uvicorn, starlette, mcp[cli]) and added proper version constraints
• GraphQL Query Optimization: Removed unused GraphQL queries to reduce bundle size and improve maintainability
• Comprehensive MCP Documentation: Added extensive developer-oriented documentation for CLAUDE.md including:
  • MCP development best practices
  • Testing guide with comprehensive patterns
  • Tool design patterns and anti-patterns
  • Server architecture guide

🐛 Bug Fixes

• Windows Server Issues: Fixed compatibility problems when running the server on Windows platforms
• Tool Naming Consistency: Standardized tool naming patterns across all modules
• Error Handling: Improved error responses and validation across all tools

✏️ Note for Cursor Users

For the best results in tool calling, Cursor users are advised to specifically select the GPT or Claude series models. These models are optimized for tool calls, and provide more accurate and reliable outcomes when using mcp-panther.

Contributors

Special thanks to our contributors who made this release possible:

• Corry Haines - Major data lake query reorganization and list_alerts improvements
• darwayne - Removing --compat-mode
• Lucy Suddenly - CI improvements with invisible character scanning
• FG (Frank Graziano) - Documentation improvements for Goose UI setup

Migration Guide

For users upgrading from v1.1.0

1. Remove --compat-mode flag: If you were using the --compat-mode flag, remove it from your configuration as it's no longer supported.

2. Update detection tool calls: Replace individual rule/policy tools with the new unified detection tools:

   # Old approach
   list_rules()
   get_rule_by_id("rule-123")
   
   # New approach  
   list_detections(detection_types=["rules"])
   get_detection("rule-123", detection_type=["rules"])
   

3. Update data lake querying: Replace the two-step async query process with the new synchronous approach:

   # Old approach (two separate calls)
   result1 = execute_data_lake_query("SELECT * FROM table")
   query_id = result1["query_id"]
   result2 = get_data_lake_query_results(query_id)
   
   # New approach (single call)
   result = query_data_lake("SELECT * FROM table")
   

4. Update user management tool calls: Replace the renamed user tool:

   # Old approach
   list_panther_users()
   
   # New approach
   list_users()
   

5. Remove get_sample_log_events usage: This tool has been removed - use direct data lake queries instead

6. Upgrade FastMCP: Ensure your environment supports FastMCP 2.10.0+ and remove any legacy MCP dependencies