Interact with SentinelOne's Purple AI, a cybersecurity assistant that helps you investigate threats, generate PowerQueries, and answer questions about SentinelOne. Purple AI understands natural language and converts your questions into structured security queries, or answers in plain language.

What Purple AI can do:

• Generate and explain PowerQueries for threat hunting and detection

• Help answer questions using threat intelligence and behavioral signals

• Explore user, process, network, and file-based activities

• Investigate MITRE TTPs, ransomware behavior, lateral movement, and more

• Answer questions about SentinelOne capabilities

What Purple AI can't do:

• Access active alerts (use the Alerts tool for that)

• Modify configurations or directly interact with your endpoints

• Run the PowerQueries itself (use the PowerQuery tool to run the PQ returned by Purple AI)

How to ask good questions

Purple AI works best when your questions are:

• Descriptive: Include process names, file paths, domains, ports, or usernames

• Focused: Describe what you're trying to understand or find

• Scoped: If helpful, include filters like time ranges, endpoint type, or OS

Example questions:

• Show me PowerShell processes that connected to external IPs

• Find unsigned processes that accessed lsass.exe

• List endpoints where the user “jsmith” logged in more than 5 times

• Are there any reverse SSH tunnels from public IPs?

• Find living-off-the-land binaries spawned from Microsoft Word

DO NOT instruct Purple AI to "Generate a Powerquery to ...". Instead, just say what you are looking for. Example: - GOOD: "Is APT-1337 in my environment?" - BAD: "Generate a PowerQuery to determine if APT-1337 is in my environment, including their typical tools, processes, and TTPs."

Tips for writing questions

• Start with verbs like: show, find, list, search

• Add specific entities like: powershell, svchost, lolbins, ssh, .tmp files

• Use filters like: external IPs, non-Windows folders, file size over 1GB

• Ask about behaviors: ransomware, persistence, privilege escalation, data staging, beaconing, phishing

• If you want a PowerQuery, specifically say "generate a powerquery for " -> Example: "Generate a PowerQuery to detect Wizard Spider threat group indicators"

Execute advanced PowerQuery analytics on data in SentinelOne's Singularity Data Lake for complex threat hunting and data analysis.

PowerQuery is SentinelOne's high-performance query language for searching, transforming, and aggregating telemetry and log data in the Scalyr and Singularity XDR platforms. It uses a pipeline-based syntax for filtering, grouping, computing, and summarizing large-scale unstructured data. SentinelOne PowerQuery is not the same as Microsoft PowerQuery. It also looks somewhat like Splunk SPL but is not the same language.

IMPORTANT: You should ALWAYS use the purple_ai() tool to generate PowerQueries for this tool based on natural language. It is very unlikely you know how to write PowerQueries yourself.

If a user gives you a specific PowerQuery that wasn't generated by Purple AI, run it EXACTLY as sent. DO NOT modify the user's input, pass it directly to this tool.

Time Range Guidelines:

• DEFAULT to a 24-hour search period unless the user specifies a different time range

• Use get_timestamp_range(hours=24) to get the last 24 hours

• Queries with longer time ranges may take longer to execute or timeout

• The query timeout is 5 minutes; if exceeded, reduce the time range or simplify the query

Understanding Results:

• Empty results (no data returned) are NORMAL and ACCEPTABLE. This means no records match your query criteria.

• Empty results could indicate:

  • No matching data exists in the specified time range

  • The query conditions are too restrictive

  • The searched activity or behavior simply hasn't occurred

• DO NOT repeatedly rephrase or retry queries that legitimately return no results

• If you expect results but get none, consider adjusting the time range or query criteria rather than retrying the exact same query

Generate time range timestamps for PowerQuery analytics in SentinelOne's Singularity Data Lake.

Convert an ISO 8601 datetime string to a UNIX timestamp in milliseconds (UTC).

This tool accepts datetime strings in ISO 8601 format and converts them to UNIX timestamps (milliseconds since epoch: January 1, 1970 00:00:00 UTC). This is essential for datetime filter queries in Purple Alert, Vulnerability, Misconfiguration, and Inventory searches.

IMPORTANT: You should provide datetime inputs in the user's preferred timezone. This tool will automatically convert them to UTC timestamps for use in API queries. For example, if the user asks for "October 30, 2024 at 8 AM Eastern Time", you should submit "2024-10-30T08:00:00-04:00" (not convert it yourself to UTC).

Args: iso_datetime (str): An ISO 8601 formatted datetime string. Examples: - "2025-10-30T12:00:00Z" (UTC with 'Z' suffix) - "2025-10-30T12:00:00+00:00" (UTC with explicit offset) - "2025-10-30T08:00:00-04:00" (Eastern Time with offset) - "2025-10-30T17:00:00+05:00" (IST/Pakistan Time with offset) - "2025-10-30T12:00:00" (no timezone - treated as UTC)

Returns: str: The UNIX timestamp in milliseconds (UTC) as a JSON number string. Example: "1761825600000"

Common Use Cases: - Converting user-friendly datetime inputs to UNIX timestamps for API queries - Handling datetimes across different time zones automatically - Preparing datetime filters for Alert, Vulnerability, Misconfiguration, and Inventory searches

Examples: Input: "2025-10-30T12:00:00Z" (noon UTC) Output: "1761825600000"

Input: "2025-10-30T08:00:00-04:00" (8 AM EDT = noon UTC)
Output: "1761825600000"

Input: "2025-10-30T17:00:00+05:00" (5 PM PKT = noon UTC)
Output: "1761825600000"

Raises: ValueError: If the input string is not a valid ISO 8601 datetime format.

Notes: - All timestamps are returned in milliseconds (not seconds or nanoseconds) - All timestamps represent UTC time regardless of input timezone - If no timezone is specified in input, UTC is assumed - The tool handles timezone conversion automatically - provide times in the user's local timezone

Get detailed information about a specific alert by ID.

Retrieves comprehensive alert data including metadata, timing information, severity, status, associated assets, and analyst findings.

Args: alert_id: The unique identifier of the alert (string).

Returns: Detailed alert information in JSON format containing: - id: Unique alert identifier - externalId: External system identifier (if any) - severity: CRITICAL, HIGH, MEDIUM, LOW, INFO, UNKNOWN - status: NEW, IN_PROGRESS, RESOLVED, FALSE_POSITIVE - name: Alert title/name - description: Detailed description of the alert - detectedAt: ISO timestamp when alert was first detected - firstSeenAt: ISO timestamp of first occurrence (if different) - lastSeenAt: ISO timestamp of most recent occurrence - analystVerdict: Expert analysis result (if available) - classification: Alert category/type - confidenceLevel: Detection confidence score - dataSources: List of data sources that contributed to detection - detectionSource: {product, vendor} information - asset: Associated asset information {id, name, type} - assignee: Assigned user information {userId, email, fullName} - noteExists: Boolean indicating if notes are attached - result: Investigation outcome - storylineId: Associated storyline identifier - ticketId: Associated ticket identifier

Common Use Cases: - Incident investigation and triage - Alert enrichment with contextual data - Status and assignment tracking - Evidence collection for security workflows

Raises: RuntimeError: If there's an error retrieving the alert. ValueError: If alert_id is invalid or empty.

List alerts with pagination and filtering capabilities.

Retrieves a paginated list of alerts with basic filtering by assignment status. For advanced filtering by severity, status, time ranges, etc., use search_alerts instead.

Args: first: Number of alerts to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional). Use pageInfo.endCursor from previous response to get next page. view_type: Assignment filter with options: - "ALL": Show all alerts (default) - "ASSIGNED_TO_ME": Only alerts assigned to current user - "UNASSIGNED": Only unassigned alerts - "MY_TEAM": Only alerts assigned to user's team fields: Optional JSON string containing an array of field names to return. If not specified, returns all default fields (including dataSources). Use minimal fields like '["id"]' when paging through intermediate results.

        Available fields:
        - Basic: "id", "externalId", "severity", "status", "name", "description"
        - Timing: "detectedAt", "firstSeenAt", "lastSeenAt"
        - Analysis: "analystVerdict", "classification", "confidenceLevel"
        - Context: "noteExists", "result", "storylineId", "ticketId", "dataSources"
        - Nested objects (returns all subfields):
          - "detectionSource" (product, vendor)
          - "asset" (id, name, type)
          - "assignee" (userId, email, fullName)

        IMPORTANT - dataSources field behavior:
        - When fields=None (default): dataSources is INCLUDED automatically
        - When fields is provided: dataSources is ONLY included if explicitly requested
          Example with dataSources: '["id", "severity", "dataSources"]'
          Example without: '["id", "severity"]' (dataSources will be omitted)

        Examples:
        - Minimal for paging: '["id"]'
        - Summary view: '["id", "severity", "status", "name", "detectedAt"]'
        - With dataSources: '["id", "severity", "dataSources"]'
        - Full details: omit fields parameter or pass None

Returns: Paginated alert list in JSON format containing: - edges: Array of alert objects (with requested fields only) - pageInfo: Pagination metadata - hasNextPage: Boolean indicating more results available - hasPreviousPage: Boolean indicating previous page exists - startCursor: Cursor for first item in current page - endCursor: Cursor for last item (use for next page) - totalCount: Total number of matching alerts (if available)

Common Use Cases: - Dashboard alert feeds and overviews - Assignment-based alert distribution - Bulk alert processing workflows - Alert queue management

Pagination Example: 1. Call with first=20 to get first 20 alerts 2. Use pageInfo.endCursor as 'after' parameter for next 20 3. Continue until pageInfo.hasNextPage is false

IMPORTANT Performance Notes: - Cursor pagination is SEQUENTIAL ONLY - you cannot skip to arbitrary positions (e.g., cannot jump directly to "the 1532nd alert") - When paging through many results to reach a specific position, use fields=["id"] for intermediate pages to conserve context window - Use the totalCount field to understand the full result set size

Raises: RuntimeError: If there's an error listing alerts. ValueError: If parameters are invalid.

Search alerts using advanced filters and criteria.

If a user is asking a "how many" type query, set the "first" field to 1 - "totalCount" is returned for any query.

Args: filters: JSON string containing an array of filter objects (optional). Each filter object must have: - fieldId: String field name (use flattened camelCase names below) - filterType: One of the supported filter types below - isNegated: Optional boolean to negate the filter (default: false)

        Common Field Names (flattened camelCase):
        - Core: "id", "severity", "status", "alertName", "detectedAt", "createdAt"
        - Analysis: "analystVerdict", "assigneeUserId", "assigneeFullName", "alertNoteExists"
        - Context: "storylineId", "description"

        Filter Types and Required Keys:

        String Filters (for severity, status, analystVerdict, etc.):
        - "string_equals": Exact match. Requires "value" key.
          Example: {"fieldId": "severity", "filterType": "string_equals", "value": "CRITICAL"}
        - "string_in": Match any of multiple values. Requires "values" key (list).
          Example: {"fieldId": "status", "filterType": "string_in", "values": ["NEW", "IN_PROGRESS"]}

        Boolean Filters (for alertNoteExists, etc.):
        - "boolean_equals": Exact match. Requires "value" key.
          Example: {"fieldId": "alertNoteExists", "filterType": "boolean_equals", "value": true}
        - "boolean_in": Match any of multiple values. Requires "values" key (list).
          Example: {"fieldId": "alertNoteExists", "filterType": "boolean_in", "values": [true, false]}

        Long Filters (for numeric IDs like assigneeUserId):
        - "long_equals": Exact match. Requires "value" key.
          Example: {"fieldId": "assigneeUserId", "filterType": "long_equals", "value": 123}
        - "long_in": Match any of multiple values. Requires "values" key (list).
          Example: {"fieldId": "assigneeUserId", "filterType": "long_in", "values": [1, 2, 3]}

        DateTime Filters (for detectedAt, createdAt):
        - "datetime_range": Range match using UNIX timestamps in milliseconds (UTC). Requires "start" and/or "end" keys.
          Optional: "startInclusive", "endInclusive" (default: true)

          IMPORTANT: All datetimes in the Alert API are in UTC timezone.
          You MUST use the iso_to_unix_timestamp tool to convert ISO 8601 datetime strings
          to UNIX timestamps (milliseconds) before using them in datetime filters.

          IMPORTANT: Unless the user specifies a field to query a DateTime on, use createdAt.

          The iso_to_unix_timestamp tool handles timezone conversion automatically.
          Provide datetimes in the user's preferred timezone (e.g., "2024-10-30T08:00:00-04:00" for Eastern Time)
          and the tool will convert to UTC milliseconds for the API.

          Example workflow:
          1. Call iso_to_unix_timestamp("2024-10-30T08:00:00-04:00") -> returns "1730289600000" (UTC)
          2. Use result in filter: {"fieldId": "createdAt", "filterType": "datetime_range", "start": 1730289600000}

          Example: {"fieldId": "createdAt", "filterType": "datetime_range", "start": 1730289600000}

        Fulltext Search (for alertName, id, storylineId):
        - "fulltext": Text search with case-insensitive substring matching. Requires "values" key (list).
          Example: {"fieldId": "alertName", "filterType": "fulltext", "values": ["malware", "threat"]}

        Limits:
        - Maximum 50 filters per request
        - Maximum 100 values in "values" arrays

first: Number of alerts to retrieve (1-100, default: 10).
after: Cursor for pagination (optional).
view_type: Filter by assignment - ALL, ASSIGNED_TO_ME, UNASSIGNED, MY_TEAM (default: ALL).
fields: Optional JSON string containing an array of field names to return.
        If not specified, returns all default fields (including dataSources).
        See list_alerts for available fields and dataSources behavior.

        IMPORTANT - dataSources field behavior:
        - When fields=None (default): dataSources is INCLUDED automatically
        - When fields is provided: dataSources is ONLY included if explicitly requested
          Example: '["id", "severity", "dataSources"]'

Performance Note: When paging through many results, use fields='["id"]' for intermediate pages to conserve context window space. Use totalCount to gauge result set size.

Returns: Filtered list of alerts in JSON format.

Raises: RuntimeError: If there's an error searching alerts. ValueError: If parameters are invalid.

Examples: CORRECT: filters=[ {"fieldId": "severity", "filterType": "string_in", "values": ["CRITICAL", "HIGH"]}, {"fieldId": "status", "filterType": "string_equals", "value": "NEW"}, {"fieldId": "alertNoteExists", "filterType": "boolean_equals", "value": false} ]

WRONG:
filters=[
  {"fieldId": "severity", "filterType": "EQUALS", "value": "CRITICAL"},  # Use "string_equals"
  {"fieldId": "status.value", "filterType": "string_equals", "value": "NEW"}  # Use "status" not "status.value"
]

Get all notes and comments associated with an alert.

Retrieves all analyst notes, comments, and annotations attached to a specific alert. Notes provide context, analysis findings, investigation steps, and collaboration history.

Args: alert_id: The unique identifier of the alert.

Returns: List of notes in JSON format, each containing: - id: Unique note identifier - text: Note content/message - createdAt: ISO timestamp when note was created - author: User information {userId, email, fullName} - alertId: Associated alert identifier

Notes are typically ordered by creation time (newest first).

Common Use Cases: - Investigation documentation and collaboration - Tracking analyst findings and decisions - Audit trail for alert handling - Knowledge sharing between team members - Compliance and reporting requirements

Note: Returns empty array if no notes exist. Check alert.noteExists field from get_alert to avoid unnecessary calls.

Raises: RuntimeError: If there's an error retrieving alert notes. ValueError: If alert_id is invalid or empty.

Get the complete audit history and timeline for an alert.

Retrieves a chronological record of all actions, status changes, and events related to a specific alert. Provides full audit trail for compliance and investigation.

Args: alert_id: The unique identifier of the alert. first: Number of history events to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional).

Returns: Paginated chronological list in JSON format containing: - edges: Array of history events with: - createdAt: ISO timestamp when the event was created - eventText: Human-readable description of the event - eventType: Type of event (STATUS_CHANGED, ASSIGNMENT_CHANGED, NOTE_ADDED, etc.) - reportUrl: Optional URL to mitigation action report (if applicable) - historyItemCreator: Creator/author of the event (may be null for system events): - userId: User identifier - userType: Type of user (MDR, CONSOLE_USER, etc.) - pageInfo: Pagination metadata (same structure as list_alerts)

Common Event Types: - status_change: Alert status modified (NEW → IN_PROGRESS, etc.) - assignment: Alert assigned/unassigned to user or team - severity_change: Severity level modified - note_added: Analyst note or comment added - verdict_change: Analyst verdict updated - escalation: Alert escalated to higher priority - integration_action: External system actions (ticket creation, etc.)

Common Use Cases: - Compliance auditing and reporting - Investigation timeline reconstruction - Performance metrics and SLA tracking - Change management and accountability - Forensic analysis of alert handling

Raises: RuntimeError: If there's an error retrieving alert history. ValueError: If parameters are invalid.

Get detailed information about a specific misconfiguration by ID.

Retrieves comprehensive misconfiguration data including metadata, severity, affected assets, compliance information, remediation steps, and MITRE ATT&CK mappings.

Args: misconfiguration_id: The unique identifier of the misconfiguration (string).

Returns: Detailed misconfiguration information in JSON format containing: - id: Unique misconfiguration identifier - externalId: External system identifier - name: Misconfiguration title/name - description: Detailed description of the issue - severity: CRITICAL, HIGH, MEDIUM, LOW, INFO, UNKNOWN - status: NEW, IN_PROGRESS, ON_HOLD, RESOLVED, RISK_ACKED, SUPPRESSED, TO_BE_PATCHED - detectedAt: ISO timestamp when misconfiguration was detected - eventTime: ISO timestamp of the event - environment: Environment where detected (e.g., cloud, kubernetes) - product: Detection source product name - vendor: Detection source vendor name - asset: Associated asset information {id, name, type, category, cloudInfo, etc.} - scope: Organizational scope {account, site, group} - scopeLevel: account/site/group - analystVerdict: TRUE_POSITIVE or FALSE_POSITIVE - assignee: Assigned user information {id, email, fullName} - compliance: Compliance standards and requirements - remediation: Remediation steps and references - failedRules: List of failed security rules - findingData: Additional context and properties - mitreAttacks: MITRE ATT&CK technique mappings - cnapp: Cloud-native application protection details - evidence: Evidence data (files, IPs, ports, secrets, etc.)

Common Use Cases: - Security posture assessment - Compliance auditing and reporting - Vulnerability management workflows - Cloud security remediation - Risk assessment and prioritization

Raises: RuntimeError: If there's an error retrieving the misconfiguration. ValueError: If misconfiguration_id is invalid or empty.

List misconfigurations with pagination and view filtering.

Retrieves a paginated list of misconfigurations with filtering by environment type. For advanced filtering by severity, status, compliance, etc., use search_misconfigurations instead.

Args: first: Number of misconfigurations to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional). Use pageInfo.endCursor from previous response to get next page. view_type: Environment filter with options: - "ALL": Show all misconfigurations (default) - "CLOUD": Cloud environment only - "KUBERNETES": Kubernetes environment only - "IDENTITY": Identity-related misconfigurations - "INFRASTRUCTURE_AS_CODE": IaC misconfigurations - "ADMISSION_CONTROLLER": Admission controller findings - "OFFENSIVE_SECURITY": Offensive security findings - "SECRET_SCANNING": Secret scanning findings fields: Optional JSON string containing an array of field names to return. If not specified, returns all default fields. Use minimal fields like '["id"]' when paging through intermediate results.

        Available fields:
        - Basic: "id", "externalId", "name", "severity", "status"
        - Timing: "detectedAt", "lastSeenAt", "eventTime"
        - Context: "environment", "product", "vendor", "organization"
        - Analysis: "analystVerdict", "mitigable", "exposureReason"
        - Type: "misconfigurationType"
        - IDs: "resourceUid", "exploitId", "exclusionPolicyId"
        - Nested objects (returns subfields):
          - "asset" (id, externalId, name, type, category, subcategory, privileged,
                    cloudInfo {accountId, accountName, providerName, region},
                    kubernetesInfo {cluster, namespace})
          - "scope" (account {id, name}, site {id, name}, group {id, name})
          - "assignee" (id, email, fullName)
          - "evidence" (fileName, fileType, iacFramework, ipAddress, port, subdomain)
          - "cnapp" (policy {id, version, group}, verifiedExploitable)
          - "admissionRequest" (category, resourceName, resourceNamespace, resourceType,
                               userName, userUid, userGroup)
          - "remediation" (mitigable, mitigationSteps)
          - "mitreAttacks" (techniqueId, techniqueName, techniqueUrl, tacticName, tacticUid)
        - Lists: "complianceStandards", "dataClassificationDataTypes", "dataClassificationCategories"
        - Enforcement: "enforcementAction"

        Examples:
        - Minimal for paging: '["id"]'
        - Summary view: '["id", "severity", "status", "name", "detectedAt"]'
        - With asset context: '["id", "name", "asset", "severity"]'
        - Full details: omit fields parameter or pass None

Returns: Paginated misconfiguration list in JSON format containing: - edges: Array of misconfiguration objects - pageInfo: Pagination metadata - hasNextPage: Boolean indicating more results available - hasPreviousPage: Boolean indicating previous page exists - startCursor: Cursor for first item in current page - endCursor: Cursor for last item (use for next page) - totalCount: Total number of matching misconfigurations

Common Use Cases: - Security dashboard feeds - Environment-specific security reviews - Bulk remediation workflows - Compliance reporting by scope - Cloud security posture management

Pagination Example: 1. Call with first=20 to get first 20 misconfigurations 2. Use pageInfo.endCursor as 'after' parameter for next 20 3. Continue until pageInfo.hasNextPage is false

Raises: RuntimeError: If there's an error listing misconfigurations. ValueError: If parameters are invalid.

Search misconfigurations using advanced filters and criteria.

Args: filters: JSON string containing an array of filter objects (optional). Each filter object must have: - fieldId: String field name - MUST use flattened camelCase names (see Valid Field Names below) - filterType: One of the supported filter types below - isNegated: Optional boolean to negate the filter (default: false)

        Valid Field Names (fieldId values):
        IMPORTANT: Use these exact field names, NOT nested paths like "asset.name" or "evidence.secret"

        Core Fields:
        - "id": Misconfiguration ID
        - "name": Misconfiguration name
        - "severity": CRITICAL, HIGH, MEDIUM, LOW, INFO, UNKNOWN
        - "status": NEW, IN_PROGRESS, ON_HOLD, RESOLVED, RISK_ACKED, SUPPRESSED, TO_BE_PATCHED
        - "detectedAt": Detection timestamp
        - "lastSeenAt": Last seen timestamp
        - "environment": Environment type
        - "product": Product name
        - "vendor": Vendor name
        - "analystVerdict": TRUE_POSITIVE, FALSE_POSITIVE
        - "assigneeFullName": Assigned user full name
        - "exposureReason": Reason for exposure
        - "mitigable": Boolean - can be mitigated

        Asset Fields (use "asset" prefix, NOT "asset."):
        - "assetId": Asset identifier
        - "assetName": Asset name
        - "assetType": Asset type
        - "assetTypeCategory": Asset type category
        - "assetCategory": Asset category
        - "assetSubcategory": Asset subcategory
        - "assetCriticality": CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN
        - "assetPrivileged": Boolean - privileged asset
        - "assetCloudResourceId": Cloud resource ID
        - "assetCloudAccountId": Cloud account ID
        - "assetCloudAccount": Cloud account name
        - "assetCloudRegion": Cloud region
        - "assetKubernetesCluster": Kubernetes cluster name
        - "assetKubernetesClusterId": Kubernetes cluster ID

        Policy Fields (use appropriate prefixes):
        - "policyId": Policy identifier
        - "policyVersion": Policy version
        - "policyGroup": Policy group name
        - "organization": Organization name
        - "enforcementAction": Enforcement action type
        - "iacFramework": Infrastructure as Code framework

        Compliance & Classification:
        - "complianceStandards": Compliance standards
        - "hasClassifiedData": Boolean - contains classified data
        - "dataClassificationCategories": Data classification categories
        - "dataClassificationDataTypes": Data classification types

        Secret Fields (use "secret" prefix, NOT "evidence.secret."):
        - "secretId": Secret identifier
        - "secretHash": Secret hash
        - "secretType": Type of secret
        - "secretValidity": Secret validity status

        Request Fields (for admission controller, use "request" prefix):
        - "requestResourceName": Resource name
        - "requestResourceType": Resource type
        - "requestResourceNamespace": Resource namespace
        - "requestUserName": User name
        - "requestUserUid": User UID
        - "requestUserGroup": User group
        - "requestCategory": Request category

        Other Fields:
        - "commitedBy": Committed by (IaC findings)
        - "verifiedExploitable": Boolean - verified as exploitable
        - "accountId": Account ID (hidden)
        - "siteId": Site ID (hidden)
        - "groupId": Group ID (hidden)

        Filter Types and Required Keys:
        IMPORTANT: The misconfigurations API does NOT support INT filters. Use STRING or BOOLEAN filters.

        String Filters (for severity, status, product, vendor, etc.):
        - "string_equals": Exact match. Requires "value" key.
          Example: {"fieldId": "severity", "filterType": "string_equals", "value": "CRITICAL"}
        - "string_in": Match any of multiple values. Requires "values" key (list).
          Example: {"fieldId": "status", "filterType": "string_in", "values": ["NEW", "IN_PROGRESS"]}
          Note: product and vendor ONLY support STRING filters, NOT fulltext

        Boolean Filters (for mitigable, verifiedExploitable, hasClassifiedData, etc.):
        - "boolean_equals": Exact match for single boolean. Requires "value" key.
          Example: {"fieldId": "mitigable", "filterType": "boolean_equals", "value": true}
        - "boolean_in": Match any of multiple boolean values. Requires "values" key (list).
          Example: {"fieldId": "hasClassifiedData", "filterType": "boolean_in", "values": [true, null]}
          Note: Can include null to match missing/unset values
          SPECIAL CASE - secretValidity: ONLY supports boolean_in (NOT boolean_equals)

        DateTime Filters (for detectedAt, lastSeenAt):
        - "datetime_range": Range match using UNIX timestamps in milliseconds (UTC). Requires "start" and/or "end" keys.
          Optional: "startInclusive", "endInclusive" (default: true)

          IMPORTANT: All datetimes in the Misconfiguration API are in UTC timezone.
          You MUST use the iso_to_unix_timestamp tool to convert ISO 8601 datetime strings
          to UNIX timestamps (milliseconds) before using them in datetime filters.

          IMPORTANT: Unless the user specifies a field to query a DateTime on, use lastSeenAt.

          The iso_to_unix_timestamp tool handles timezone conversion automatically.
          Provide datetimes in the user's preferred timezone (e.g., "2024-10-30T08:00:00-04:00" for Eastern Time)
          and the tool will convert to UTC milliseconds for the API.

          Example workflow:
          1. Call iso_to_unix_timestamp("2024-10-30T08:00:00-04:00") -> returns "1730289600000" (UTC)
          2. Use result in filter: {"fieldId": "detectedAt", "filterType": "datetime_range", "start": 1730289600000}

          Example: {"fieldId": "detectedAt", "filterType": "datetime_range", "start": 1730289600000}

        Fulltext Search (for name, exposureReason, asset/resource names, compliance, etc.):
        - "fulltext": Single-value text search. Requires "values" key (list of search terms).
          Example: {"fieldId": "name", "filterType": "fulltext", "values": ["s3"]}
        - "fulltext_in": Multi-value text search with partial matching. Requires "values" key (list).
          Example: {"fieldId": "assetName", "filterType": "fulltext_in", "values": ["server", "prod", "web"]}
          SPECIAL CASES - secretHash/secretId: ONLY support fulltext/fulltext_in (NOT string_equals)

        Limits:
        - Maximum 50 filters per request
        - Maximum 100 values in "values" arrays

first: Number of misconfigurations to retrieve (1-100, default: 10).
after: Cursor for pagination (optional).
view_type: Filter by environment - ALL, CLOUD, KUBERNETES, etc.
fields: Optional JSON string containing an array of field names to return.
        If not specified, returns all default fields.
        See list_misconfigurations for available fields and examples.

        Available fields:
        - Basic: "id", "externalId", "name", "severity", "status"
        - Timing: "detectedAt", "lastSeenAt", "eventTime"
        - Context: "environment", "product", "vendor", "organization"
        - Analysis: "analystVerdict", "mitigable", "exposureReason"
        - Type: "misconfigurationType"
        - IDs: "resourceUid", "exploitId", "exclusionPolicyId"
        - Nested objects: "asset", "scope", "assignee", "evidence", "cnapp",
                        "admissionRequest", "remediation", "mitreAttacks"
          (See list_misconfigurations for exact subfields returned)
        - Lists: "complianceStandards", "dataClassificationDataTypes",
                "dataClassificationCategories"

        Examples:
        - Minimal for paging: '["id"]'
        - Summary: '["id", "severity", "status", "name", "detectedAt"]'
        - With asset: '["id", "name", "asset", "severity"]'

Performance Note: When paging through many results, use fields='["id"]' for intermediate pages to conserve context window space. Use totalCount to gauge result set size.

Returns: Filtered list of misconfigurations in JSON format.

Raises: RuntimeError: If there's an error searching misconfigurations. ValueError: If parameters are invalid.

Examples: CORRECT: filters=[ {"fieldId": "severity", "filterType": "string_equals", "value": "CRITICAL"}, {"fieldId": "status", "filterType": "string_in", "values": ["NEW", "IN_PROGRESS"]}, {"fieldId": "assetCloudRegion", "filterType": "string_in", "values": ["us-east-1", "us-west-2"]} ] WRONG: filters=[ {"fieldId": "asset.name", "filterType": "fulltext", "values": ["prod"]}, # Use "assetName" not "asset.name" {"fieldId": "evidence.secret.hash", "filterType": "string_equals", "value": "abc123"}, # Use "secretHash" not "evidence.secret.hash" {"fieldId": "severity", "filterType": "EQUALS", "value": "CRITICAL"} # Use "string_equals" not "EQUALS" ]

Get all notes and comments associated with a misconfiguration.

Retrieves all analyst notes, comments, and annotations attached to a specific misconfiguration. Notes provide context, analysis findings, remediation steps, and collaboration history.

Args: misconfiguration_id: The unique identifier of the misconfiguration.

Returns: List of notes in JSON format, each containing: - id: Unique note identifier - misconfigurationId: Associated misconfiguration identifier - text: Note content/message - author: User information {id, email, fullName, deleted} - createdAt: ISO timestamp when note was created - updatedAt: ISO timestamp when note was last updated (if applicable)

Notes are typically ordered by creation time (newest first).

Common Use Cases: - Remediation documentation and collaboration - Tracking analyst findings and decisions - Audit trail for security issue handling - Knowledge sharing between security teams - Compliance and reporting requirements

Raises: RuntimeError: If there's an error retrieving misconfiguration notes. ValueError: If misconfiguration_id is invalid or empty.

Get the complete audit history and timeline for a misconfiguration.

Retrieves a chronological record of all actions, status changes, and events related to a specific misconfiguration. Provides full audit trail for compliance and investigation.

Args: misconfiguration_id: The unique identifier of the misconfiguration. first: Number of history events to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional).

Returns: Paginated chronological list in JSON format containing: - edges: Array of history events with: - eventType: Type of event (CREATION, STATUS, ANALYST_VERDICT, USER_ASSIGNMENT, NOTES, WORKFLOW_ACTION) - eventText: Human-readable description of the event - createdAt: ISO timestamp when event occurred - pageInfo: Pagination metadata (same structure as list_misconfigurations)

Common Event Types: - CREATION: Misconfiguration first detected - STATUS: Status changed (NEW → IN_PROGRESS, etc.) - ANALYST_VERDICT: Verdict updated (TRUE_POSITIVE/FALSE_POSITIVE) - USER_ASSIGNMENT: Assigned/unassigned to user - NOTES: Note or comment added - WORKFLOW_ACTION: Automated action or workflow step

Common Use Cases: - Compliance auditing and reporting - Investigation timeline reconstruction - Performance metrics and SLA tracking - Change management and accountability - Security posture trend analysis

Raises: RuntimeError: If there's an error retrieving misconfiguration history. ValueError: If parameters are invalid.

Get detailed information about a specific vulnerability by ID.

Retrieves comprehensive vulnerability data including CVE details, affected assets, risk scores, EPSS metrics, exploit maturity, and remediation information.

Args: vulnerability_id: The unique identifier of the vulnerability (string).

Returns: Detailed vulnerability information in JSON format containing: - id: Unique vulnerability identifier - externalId: External system identifier - name: Vulnerability title/name - severity: CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN - status: NEW, IN_PROGRESS, ON_HOLD, RESOLVED, RISK_ACKED, SUPPRESSED, TO_BE_PATCHED - detectedAt: ISO timestamp when vulnerability was detected - lastSeenAt: ISO timestamp of most recent occurrence - updatedAt: ISO timestamp of last update - product: Detection source product name - vendor: Detection source vendor name - asset: Associated asset information {id, name, type, category, cloudInfo, etc.} - scope: Organizational scope {account, site, group} - scopeLevel: account/site/group - cve: CVE details including: - id: CVE identifier (CVE-YYYY-NNNN) - description: CVE description - nvdBaseScore: NVD base score - riskScore: SentinelOne risk score - publishedDate: Publication date - epssScore: EPSS probability score - epssPercentile: EPSS percentile - exploitMaturity: Exploit code maturity level - exploitedInTheWild: Boolean indicating active exploitation - kevAvailable: CISA KEV catalog availability - s1BaseValues: CVSS vector components - riskIndicators: Additional risk indicators - timeline: CVE timeline events - software: Affected software {name, version, fixVersion, type, vendor} - findingData: Additional context and properties - paidScope: Whether under paid scope - remediationInsightsAvailable: Remediation insights availability - selfLink: Link to the vulnerability details - analystVerdict: TRUE_POSITIVE or FALSE_POSITIVE - assignee: Assigned user information {id, email, fullName} - exclusionPolicyId: Exclusion policy identifier if applicable

Common Use Cases: - Vulnerability assessment and prioritization - CVE research and analysis - Risk scoring and exposure analysis - Patch management workflows - Compliance reporting

Raises: RuntimeError: If there's an error retrieving the vulnerability. ValueError: If vulnerability_id is invalid or empty.

List vulnerabilities with pagination.

Retrieves a paginated list of vulnerabilities in the environment. For advanced filtering by severity, CVE, asset type, etc., use search_vulnerabilities instead.

Args: first: Number of vulnerabilities to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional). Use pageInfo.endCursor from previous response to get next page. fields: Optional JSON string containing an array of field names to return. If not specified, returns all default fields. Use minimal fields like '["id"]' when paging through intermediate results.

        Available fields:
        - Basic: "id", "name", "severity", "status"
        - Timing: "detectedAt", "lastSeenAt"
        - Context: "product", "vendor"
        - Analysis: "analystVerdict"
        - IDs: "exclusionPolicyId"
        - Nested objects (returns subfields):
          - "cve" (id, nvdBaseScore, riskScore, publishedDate, epssScore,
                  exploitMaturity, exploitedInTheWild)
          - "software" (name, version, fixVersion, type, vendor)
          - "asset" (id, externalId, name, type, category, subcategory, privileged,
                    cloudInfo {accountId, accountName, providerName, region},
                    kubernetesInfo {cluster, namespace})
          - "scope" (account {id, name}, site {id, name}, group {id, name})
          - "assignee" (id, email, fullName)

        Examples:
        - Minimal for paging: '["id"]'
        - Summary view: '["id", "severity", "status", "name", "detectedAt"]'
        - With CVE details: '["id", "name", "cve", "software"]'
        - Full details: omit fields parameter or pass None

Returns: Paginated vulnerability list in JSON format containing: - edges: Array of vulnerability objects - pageInfo: Pagination metadata - hasNextPage: Boolean indicating more results available - hasPreviousPage: Boolean indicating previous page exists - startCursor: Cursor for first item in current page - endCursor: Cursor for last item (use for next page) - totalCount: Total number of matching vulnerabilities

Common Use Cases: - Vulnerability dashboard feeds - Security posture overview - Bulk vulnerability processing - Patch priority queues - Compliance reporting

Pagination Example: 1. Call with first=20 to get first 20 vulnerabilities 2. Use pageInfo.endCursor as 'after' parameter for next 20 3. Continue until pageInfo.hasNextPage is false

Raises: RuntimeError: If there's an error listing vulnerabilities. ValueError: If parameters are invalid.

Search vulnerabilities using advanced filters and criteria.

Args: filters: JSON string containing an array of filter objects (optional). Each filter object must have: - fieldId: String field name - MUST use flattened camelCase names (see Valid Field Names below) - filterType: One of the supported filter types below - isNegated: Optional boolean to negate the filter (default: false)

        Valid Field Names (fieldId values):
        IMPORTANT: Use these exact field names, NOT nested paths like "cve.id" or "asset.name"

        Core Fields:
        - "id": Vulnerability ID
        - "name": Vulnerability name
        - "severity": CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN
        - "status": NEW, IN_PROGRESS, ON_HOLD, RESOLVED, RISK_ACKED, SUPPRESSED, TO_BE_PATCHED
        - "detectedAt": Detection timestamp
        - "lastSeenAt": Last seen timestamp
        - "product": Product name
        - "vendor": Vendor name
        - "analystVerdict": TRUE_POSITIVE, FALSE_POSITIVE
        - "assigneeFullName": Assigned user full name

        CVE Fields (use "cve" prefix, NOT "cve."):
        - "cveId": CVE identifier (e.g. CVE-2024-1234)
        - "cveNvdBaseScore": NVD base score (SORT ONLY - not filterable)
        - "cveRiskScore": SentinelOne risk score (SORT ONLY - not filterable)
        - "cveEpssScore": EPSS probability score (STRING_IN only - use ranges: "0.0-0.35", "0.35-0.5", "0.5-0.75", "0.75-1.0")
        - "cveExploitMaturity": NOT_AVAILABLE, UNPROVEN, PROOF_OF_CONCEPT, FUNCTIONAL, HIGH
        - "cveExploitedInTheWild": Boolean - actively exploited
        - "cveKevAvailable": Boolean - in CISA KEV catalog
        - "cveReportConfidence": Report confidence level

        Software Fields (use "software" prefix, NOT "software."):
        - "softwareName": Software package name
        - "softwareVersion": Installed version
        - "softwareFixVersion": Available fix version
        - "softwareFixVersionAvailable": Boolean - fix available
        - "softwareType": OPERATING_SYSTEM, APPLICATION, LIBRARY, etc.
        - "softwareVendor": Software vendor name

        Asset Fields (use "asset" prefix, NOT "asset."):
        - "assetId": Asset identifier
        - "assetName": Asset name
        - "assetType": Asset type
        - "assetTypeCategory": Asset type category
        - "assetCategory": Asset category
        - "assetSubcategory": Asset subcategory
        - "assetCriticality": CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN
        - "assetPrivileged": Boolean - privileged asset
        - "assetCloudResourceId": Cloud resource ID
        - "assetCloudAccountId": Cloud account ID
        - "assetCloudAccount": Cloud account name
        - "assetCloudRegion": Cloud region
        - "assetKubernetesCluster": Kubernetes cluster name
        - "assetKubernetesClusterId": Kubernetes cluster ID

        Other Fields:
        - "remediationInsightsAvailable": Boolean - remediation insights available
        - "accountId": Account ID (hidden)
        - "siteId": Site ID (hidden)
        - "groupId": Group ID (hidden)

        Filter Types and Required Keys:
        IMPORTANT: The vulnerabilities API does NOT support INT filters. Use STRING or BOOLEAN filters.

        String Filters (for severity, status, product, vendor, etc.):
        - "string_equals": Exact match. Requires "value" key.
          Example: {"fieldId": "severity", "filterType": "string_equals", "value": "CRITICAL"}
        - "string_in": Match any of multiple values. Requires "values" key (list).
          Example: {"fieldId": "status", "filterType": "string_in", "values": ["NEW", "IN_PROGRESS"]}
          SPECIAL CASE - cveEpssScore: Use range format like {"fieldId": "cveEpssScore", "filterType": "string_in", "values": ["0.5-0.75", "0.75-1.0"]}
          Note: product and vendor ONLY support STRING filters, NOT fulltext

        Boolean Filters (for exploited, KEV, fix available, etc.):
        - "boolean_equals": Exact match for single boolean. Requires "value" key.
          Example: {"fieldId": "cveExploitedInTheWild", "filterType": "boolean_equals", "value": true}
        - "boolean_in": Match any of multiple boolean values. Requires "values" key (list).
          Example: {"fieldId": "softwareFixVersionAvailable", "filterType": "boolean_in", "values": [true, null]}
          Note: Can include null to match missing/unset values

        DateTime Filters (for detectedAt, lastSeenAt):
        - "datetime_range": Range match using UNIX timestamps in milliseconds (UTC). Requires "start" and/or "end" keys.
          Optional: "startInclusive", "endInclusive" (default: true)

          IMPORTANT: All datetimes in the Vulnerability API are in UTC timezone.
          You MUST use the iso_to_unix_timestamp tool to convert ISO 8601 datetime strings
          to UNIX timestamps (milliseconds) before using them in datetime filters.

          IMPORTANT: Unless the user specifies a field to query a DateTime on, use detectedAt.

          The iso_to_unix_timestamp tool handles timezone conversion automatically.
          Provide datetimes in the user's preferred timezone (e.g., "2024-10-30T08:00:00-04:00" for Eastern Time)
          and the tool will convert to UTC milliseconds for the API.

          Example workflow:
          1. Call iso_to_unix_timestamp("2024-10-30T08:00:00-04:00") -> returns "1730289600000" (UTC)
          2. Use result in filter: {"fieldId": "detectedAt", "filterType": "datetime_range", "start": 1730289600000}

          Example: {"fieldId": "detectedAt", "filterType": "datetime_range", "start": 1730289600000}

        Fulltext Search (for name, CVE ID, software/asset names):
        - "fulltext": Single-value text search. Requires "values" key (list of search terms).
          Example: {"fieldId": "name", "filterType": "fulltext", "values": ["log4j"]}
        - "fulltext_in": Multi-value text search with partial matching. Requires "values" key (list).
          Example: {"fieldId": "assetName", "filterType": "fulltext_in", "values": ["server", "prod", "web"]}

        Limits:
        - Maximum 50 filters per request
        - Maximum 100 values in "values" arrays

first: Number of vulnerabilities to retrieve (1-100, default: 10).
after: Cursor for pagination (optional).
fields: Optional JSON string containing an array of field names to return.
        If not specified, returns all default fields.
        See list_vulnerabilities for available fields and examples.

        Available fields:
        - Basic: "id", "name", "severity", "status"
        - Timing: "detectedAt", "lastSeenAt"
        - Context: "product", "vendor"
        - Analysis: "analystVerdict"
        - IDs: "exclusionPolicyId"
        - Nested objects: "cve", "software", "asset", "scope", "assignee"
          (See list_vulnerabilities for exact subfields returned)

        Examples:
        - Minimal for paging: '["id"]'
        - Summary: '["id", "severity", "status", "name", "detectedAt"]'
        - With CVE: '["id", "name", "cve", "software"]'

Performance Note: When paging through many results, use fields='["id"]' for intermediate pages to conserve context window space. Use totalCount to gauge result set size.

Returns: Filtered list of vulnerabilities in JSON format.

Raises: RuntimeError: If there's an error searching vulnerabilities. ValueError: If parameters are invalid.

Examples: CORRECT: filters=[ {"fieldId": "severity", "filterType": "string_equals", "value": "CRITICAL"}, {"fieldId": "cveExploitedInTheWild", "filterType": "boolean_equals", "value": true}, {"fieldId": "assetType", "filterType": "string_in", "values": ["SERVER", "WORKSTATION"]} ] WRONG: filters=[ {"fieldId": "cve.id", "filterType": "string_equals", "value": "CVE-2024-1234"}, # Use "cveId" not "cve.id" {"fieldId": "asset.name", "filterType": "fulltext", "values": ["prod"]}, # Use "assetName" not "asset.name" {"fieldId": "severity", "filterType": "EQUALS", "value": "CRITICAL"} # Use "string_equals" not "EQUALS" ]

Get all notes and comments associated with a vulnerability.

Retrieves all analyst notes, comments, and annotations attached to a specific vulnerability. Notes provide context, analysis findings, remediation steps, and collaboration history.

Args: vulnerability_id: The unique identifier of the vulnerability.

Returns: List of notes in JSON format, each containing: - id: Unique note identifier - vulnerabilityId: Associated vulnerability identifier - text: Note content/message - author: User information {id, email, fullName, deleted} - createdAt: ISO timestamp when note was created - updatedAt: ISO timestamp when note was last updated (if applicable)

Notes are typically ordered by creation time (newest first).

Common Use Cases: - Vulnerability analysis documentation - Tracking security team findings and decisions - Audit trail for vulnerability handling - Knowledge sharing between security analysts - Compliance and reporting requirements

Raises: RuntimeError: If there's an error retrieving vulnerability notes. ValueError: If vulnerability_id is invalid or empty.

Get the complete audit history and timeline for a vulnerability.

Retrieves a chronological record of all actions, status changes, and events related to a specific vulnerability. Provides full audit trail for compliance and investigation.

Args: vulnerability_id: The unique identifier of the vulnerability. first: Number of history events to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional).

Returns: Paginated chronological list in JSON format containing: - edges: Array of history events with: - eventType: Type of event (CREATION, STATUS, ANALYST_VERDICT, USER_ASSIGNMENT, NOTES, WORKFLOW_ACTION) - eventText: Human-readable description of the event - createdAt: ISO timestamp when event occurred - pageInfo: Pagination metadata (same structure as list_vulnerabilities)

Common Event Types: - CREATION: Vulnerability first detected - STATUS: Status changed (NEW → IN_PROGRESS, etc.) - ANALYST_VERDICT: Verdict updated (TRUE_POSITIVE/FALSE_POSITIVE) - USER_ASSIGNMENT: Assigned/unassigned to user - NOTES: Note or comment added - WORKFLOW_ACTION: Automated action or workflow step

Common Use Cases: - Compliance auditing and reporting - Investigation timeline reconstruction - Performance metrics and SLA tracking - Change management and accountability - Vulnerability lifecycle analysis

Raises: RuntimeError: If there's an error retrieving vulnerability history. ValueError: If parameters are invalid.

Get detailed information about a specific managed asset in SentinelOne by ID.

Use this tool to retrieve information about SentinelOne managed assets such as computers, servers, workstations, cloud resources, and network devices.

Args: item_id: The unique identifier of the inventory item.

Returns: Detailed inventory item information in JSON format containing asset details, metadata, cloud information, agent details, tags, and associated notes.

Raises: ValueError: If item_id is invalid or empty. InventoryAuthenticationError: If authentication fails. InventoryNetworkError: If network operation fails. InventoryAPIError: If the API returns an error. InventoryClientError: For other client-level errors.

List managed assets in SentinelOne with pagination and optional filtering.

Use this tool to browse SentinelOne managed assets including computers, servers, workstations, cloud resources, and network-discovered devices.

Args: limit: Number of items to retrieve (1-1000, default: 50). skip: Number of items to skip for pagination (default: 0). surface: Optional surface filter: - "ENDPOINT": Endpoint assets (agents, workstations, servers, computers) - "CLOUD": Cloud resources (AWS, Azure, GCP) - "IDENTITY": Identity entities (AD, Entra ID) - "NETWORK_DISCOVERY": Network-discovered devices (Ranger)

Returns: Paginated list of inventory items in JSON format with pagination info.

Raises: ValueError: If parameters are invalid. InventoryAuthenticationError: If authentication fails. InventoryNetworkError: If network operation fails. InventoryAPIError: If the API returns an error. InventoryClientError: For other client-level errors.

Search for managed assets in SentinelOne using REST API filters.

Use this tool to find specific SentinelOne managed assets such as computers, servers, workstations, cloud resources, and network devices by various criteria (name, type, status, tags, etc.). Multiple filters are combined with AND logic.

Note: For surface-specific filtering (ENDPOINT, CLOUD, IDENTITY, NETWORK_DISCOVERY), use the list_inventory_items tool instead, which supports surface filtering via GET.

Args: filters: JSON string containing filter dictionary (optional, default: {}). Use REST API filter format with field names in camelCase.

         Standard Filters (exact match - matches ANY value in list):
         - {"resourceType": ["Windows Server", "Linux Server"]}
         - {"assetStatus": ["Active", "Inactive"]}
         - {"category": ["Server", "Workstation"]}
         - {"infectionStatus": ["Infected", "Clean"]}

         Contains Filters (partial match - case-insensitive):
         - {"name__contains": ["prod", "test"]}
         - {"cloudProviderAccountName__contains": ["production"]}
         - {"osName__contains": ["Windows", "Ubuntu"]}

         Range Filters (date ranges - use ISO date strings or millisecond timestamps):
         - {"lastActiveDt__between": {"from": "2024-01-01", "to": "2024-12-31"}}
         - {"lastActiveDt__between": {"from": 1704067200000, "to": 1735689599000}}

         IMPORTANT: All datetimes in the Inventory API are in UTC timezone.
         For timestamp-based date filters, you can use the iso_to_unix_timestamp tool
         to convert ISO 8601 datetime strings to UNIX timestamps in milliseconds (UTC).

         The iso_to_unix_timestamp tool handles timezone conversion automatically.
         Provide datetimes in the user's preferred timezone (e.g., "2024-01-01T00:00:00-05:00" for Eastern Time)
         and the tool will convert to UTC milliseconds for the API.

         Example workflow for timestamp filters:
         1. Call iso_to_unix_timestamp("2024-01-01T00:00:00-05:00") -> returns "1704085200000" (UTC)
         2. Use in filter: {"lastActiveDt__between": {"from": 1704085200000, "to": 1735693199000}}

         ID Filters (exact ID matches):
         - {"id__in": ["uuid1", "uuid2", "uuid3"]}

         Negation Filters (exclude values):
         - {"assetStatus__nin": ["Decommissioned"]}
         - {"resourceType__nin": ["Unknown"]}

         Combining Filters (AND logic - all must match):
         - {"resourceType": ["Windows Server"], "assetStatus": ["Active"], "name__contains": ["prod"]}

         Common Examples:
         - Find production servers: {"name__contains": ["prod"], "resourceType": ["Windows Server", "Linux Server"]}
         - Find active AWS instances: {"cloudProvider": ["AWS"], "assetStatus": ["Active"]}
         - Find recently active endpoints: {"lastActiveDt__between": {"from": "2024-12-01", "to": "2024-12-31"}}

limit: Number of items to retrieve (1-1000, default: 50).
skip: Number of items to skip for pagination (default: 0).

Returns: Filtered list of inventory items in JSON format with pagination info. Returns empty list if no matches found.

Raises: ValueError: If filters JSON is invalid or parameters are out of range. InventoryAuthenticationError: If authentication fails. InventoryNetworkError: If network operation fails. InventoryAPIError: If the API returns an error. InventoryClientError: For other client-level errors.