Skip to main content
Glama
Sentinel-One

Purple AI MCP Server

Official
by Sentinel-One

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault
PURPLEMCP_CONSOLE_TOKENYesService user token (Account or Site level)
PURPLEMCP_STATELESS_HTTPNoEnable stateless HTTP mode for serverless deployments (e.g., Amazon Bedrock AgentCore)false
PURPLEMCP_TRANSPORT_MODENoMCP transport mode: stdio (default), sse, or streamable-httpstdio
PURPLEMCP_CONSOLE_BASE_URLYesConsole URL (e.g., https://console.sentinelone.net)

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": true
}
prompts
{
  "listChanged": false
}
resources
{
  "subscribe": false,
  "listChanged": false
}
experimental
{}

Tools

Functions exposed to the LLM to take actions

NameDescription
purple_aiA

Interact with SentinelOne's Purple AI, a cybersecurity assistant that helps you investigate threats, generate PowerQueries, and answer questions about SentinelOne. Purple AI understands natural language and converts your questions into structured security queries, or answers in plain language.

What Purple AI can do:

  • Generate and explain PowerQueries for threat hunting and detection

  • Help answer questions using threat intelligence and behavioral signals

  • Explore user, process, network, and file-based activities

  • Investigate MITRE TTPs, ransomware behavior, lateral movement, and more

  • Answer questions about SentinelOne capabilities

What Purple AI can't do:

  • Access active alerts (use the Alerts tool for that)

  • Modify configurations or directly interact with your endpoints

  • Run the PowerQueries itself (use the PowerQuery tool to run the PQ returned by Purple AI)


How to ask good questions

Purple AI works best when your questions are:

  • Descriptive: Include process names, file paths, domains, ports, or usernames

  • Focused: Describe what you're trying to understand or find

  • Scoped: If helpful, include filters like time ranges, endpoint type, or OS

Example questions:

  • Show me PowerShell processes that connected to external IPs

  • Find unsigned processes that accessed lsass.exe

  • List endpoints where the user “jsmith” logged in more than 5 times

  • Are there any reverse SSH tunnels from public IPs?

  • Find living-off-the-land binaries spawned from Microsoft Word

DO NOT instruct Purple AI to "Generate a Powerquery to ...". Instead, just say what you are looking for. Example: - GOOD: "Is APT-1337 in my environment?" - BAD: "Generate a PowerQuery to determine if APT-1337 is in my environment, including their typical tools, processes, and TTPs."


Tips for writing questions

  • Start with verbs like: show, find, list, search

  • Add specific entities like: powershell, svchost, lolbins, ssh, .tmp files

  • Use filters like: external IPs, non-Windows folders, file size over 1GB

  • Ask about behaviors: ransomware, persistence, privilege escalation, data staging, beaconing, phishing

powerqueryA

Execute advanced PowerQuery analytics on data in SentinelOne's Singularity Data Lake for complex threat hunting and data analysis.

PowerQuery is SentinelOne's high-performance query language for searching, transforming, and aggregating telemetry and log data in the Scalyr and Singularity XDR platforms. It uses a pipeline-based syntax for filtering, grouping, computing, and summarizing large-scale unstructured data. SentinelOne PowerQuery is not the same as Microsoft PowerQuery. It also looks somewhat like Splunk SPL but is not the same language.

IMPORTANT: You should ALWAYS use the purple_ai() tool to generate PowerQueries for this tool based on natural language. It is very unlikely you know how to write PowerQueries yourself.

If a user gives you a specific PowerQuery that wasn't generated by Purple AI, run it EXACTLY as sent. DO NOT modify the user's input, pass it directly to this tool.

Args: query: The PowerQuery string to execute start_datetime: Start time in ISO 8601 format. ISO 8601 is the international standard for datetime representation: YYYY-MM-DDTHH:MM:SS with timezone offset. MUST include timezone offset (Z for UTC or ±HH:MM for local time). Examples: "2024-01-15T10:30:00Z" (UTC/Zulu time), "2024-01-15T10:30:00+05:00" (UTC+5 hours, e.g., Asia/Karachi), "2024-01-15T10:30:00-08:00" (UTC-8 hours, e.g., US Pacific), "2024-01-15T10:30:00.123456+02:00" (with microseconds, UTC+2) end_datetime: End time in ISO 8601 format. Same format requirements as start_datetime. Must be later than start_datetime. Examples: "2024-01-15T11:30:00Z" (UTC), "2024-01-15T11:30:00+05:00" (UTC+5, same timezone as start), "2024-01-15T11:30:00-08:00" (UTC-8, same timezone as start)

Time Range Guidelines:

  • DEFAULT to a 24-hour search period unless the user specifies a different time range

  • Use get_timestamp_range(hours=24) to get the last 24 hours

  • Queries with longer time ranges may take longer to execute or timeout

  • The query timeout is 5 minutes; if exceeded, reduce the time range or simplify the query

Understanding Results:

  • Empty results (no data returned) are NORMAL and ACCEPTABLE. This means no records match your query criteria.

  • Empty results could indicate:

    • No matching data exists in the specified time range

    • The query conditions are too restrictive; remove filters to attempt to retrieve more results

    • The searched activity or behavior simply hasn't occurred

  • DO NOT repeatedly rephrase or retry queries that legitimately return no results

  • If you expect results but get none, consider adjusting the time range or query criteria rather than retrying the exact same query

get_timestamp_rangeC

Generate time range timestamps for PowerQuery analytics in SentinelOne's Singularity Data Lake.

iso_to_unix_timestampA

Convert an ISO 8601 datetime string to a UNIX timestamp in milliseconds (UTC).

This tool accepts datetime strings in ISO 8601 format and converts them to UNIX timestamps (milliseconds since epoch: January 1, 1970 00:00:00 UTC). This is essential for datetime filter queries in Purple Alert, Vulnerability, Misconfiguration, and Inventory searches.

IMPORTANT: You should provide datetime inputs in the user's preferred timezone. This tool will automatically convert them to UTC timestamps for use in API queries. For example, if the user asks for "October 30, 2024 at 8 AM Eastern Time", you should submit "2024-10-30T08:00:00-04:00" (not convert it yourself to UTC).

Args: iso_datetime (str): An ISO 8601 formatted datetime string. Examples: - "2025-10-30T12:00:00Z" (UTC with 'Z' suffix) - "2025-10-30T12:00:00+00:00" (UTC with explicit offset) - "2025-10-30T08:00:00-04:00" (Eastern Time with offset) - "2025-10-30T17:00:00+05:00" (IST/Pakistan Time with offset) - "2025-10-30T12:00:00" (no timezone - treated as UTC)

Returns: str: The UNIX timestamp in milliseconds (UTC) as a JSON number string. Example: "1761825600000"

Common Use Cases: - Converting user-friendly datetime inputs to UNIX timestamps for API queries - Handling datetimes across different time zones automatically - Preparing datetime filters for Alert, Vulnerability, Misconfiguration, and Inventory searches

Examples: Input: "2025-10-30T12:00:00Z" (noon UTC) Output: "1761825600000"

Input: "2025-10-30T08:00:00-04:00" (8 AM EDT = noon UTC)
Output: "1761825600000"

Input: "2025-10-30T17:00:00+05:00" (5 PM PKT = noon UTC)
Output: "1761825600000"

Raises: ValueError: If the input string is not a valid ISO 8601 datetime format.

Notes: - All timestamps are returned in milliseconds (not seconds or nanoseconds) - All timestamps represent UTC time regardless of input timezone - If no timezone is specified in input, UTC is assumed - The tool handles timezone conversion automatically - provide times in the user's local timezone

get_alertA

Get detailed information about a specific alert by ID.

Retrieves comprehensive alert data including metadata, timing information, severity, status, associated assets, and analyst findings.

Args: alert_id: The unique identifier of the alert (string).

Returns: Detailed alert information in JSON format containing: - id: Unique alert identifier - externalId: External system identifier (if any) - severity: CRITICAL, HIGH, MEDIUM, LOW, INFO, UNKNOWN - status: NEW, IN_PROGRESS, RESOLVED, FALSE_POSITIVE - name: Alert title/name - description: Detailed description of the alert - detectedAt: ISO timestamp when alert was first detected - firstSeenAt: ISO timestamp of first occurrence (if different) - lastSeenAt: ISO timestamp of most recent occurrence - analystVerdict: Expert analysis result (if available) - classification: Alert category/type - confidenceLevel: Detection confidence score - dataSources: List of data sources that contributed to detection - detectionSource: {product, vendor} information - asset: Associated asset information {id, name, type} - assignee: Assigned user information {userId, email, fullName} - noteExists: Boolean indicating if notes are attached - result: Investigation outcome - storylineId: Associated storyline identifier - ticketId: Associated ticket identifier

Common Use Cases: - Incident investigation and triage - Alert enrichment with contextual data - Status and assignment tracking - Evidence collection for security workflows

Raises: RuntimeError: If there's an error retrieving the alert. ValueError: If alert_id is invalid or empty.

list_alertsA

List alerts with pagination and filtering capabilities.

Retrieves a paginated list of alerts with basic filtering by assignment status. For advanced filtering by severity, status, time ranges, etc., use search_alerts instead.

Args: first: Number of alerts to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional). Use pageInfo.endCursor from previous response to get next page. view_type: Assignment filter with options: - "ALL": Show all alerts (default) - "ASSIGNED_TO_ME": Only alerts assigned to current user - "UNASSIGNED": Only unassigned alerts - "MY_TEAM": Only alerts assigned to user's team fields: Optional JSON string containing an array of field names to return. If not specified, returns all default fields (including dataSources). Use minimal fields like '["id"]' when paging through intermediate results.

        Available fields:
        - Basic: "id", "externalId", "severity", "status", "name", "description"
        - Timing: "detectedAt", "firstSeenAt", "lastSeenAt"
        - Analysis: "analystVerdict", "classification", "confidenceLevel"
        - Context: "noteExists", "result", "storylineId", "ticketId", "dataSources"
        - Nested objects (returns all subfields):
          - "detectionSource" (product, vendor)
          - "asset" (id, name, type)
          - "assignee" (userId, email, fullName)

        IMPORTANT - dataSources field behavior:
        - When fields=None (default): dataSources is INCLUDED automatically
        - When fields is provided: dataSources is ONLY included if explicitly requested
          Example with dataSources: '["id", "severity", "dataSources"]'
          Example without: '["id", "severity"]' (dataSources will be omitted)

        Examples:
        - Minimal for paging: '["id"]'
        - Summary view: '["id", "severity", "status", "name", "detectedAt"]'
        - With dataSources: '["id", "severity", "dataSources"]'
        - Full details: omit fields parameter or pass None

Returns: Paginated alert list in JSON format containing: - edges: Array of alert objects (with requested fields only) - pageInfo: Pagination metadata - hasNextPage: Boolean indicating more results available - hasPreviousPage: Boolean indicating previous page exists - startCursor: Cursor for first item in current page - endCursor: Cursor for last item (use for next page) - totalCount: Total number of matching alerts (if available)

Common Use Cases: - Dashboard alert feeds and overviews - Assignment-based alert distribution - Bulk alert processing workflows - Alert queue management

Pagination Example: 1. Call with first=20 to get first 20 alerts 2. Use pageInfo.endCursor as 'after' parameter for next 20 3. Continue until pageInfo.hasNextPage is false

IMPORTANT Performance Notes: - Cursor pagination is SEQUENTIAL ONLY - you cannot skip to arbitrary positions (e.g., cannot jump directly to "the 1532nd alert") - When paging through many results to reach a specific position, use fields=["id"] for intermediate pages to conserve context window - Use the totalCount field to understand the full result set size

Raises: RuntimeError: If there's an error listing alerts. ValueError: If parameters are invalid.

search_alertsA

Search alerts using advanced filters and criteria.

If a user is asking a "how many" type query, set the "first" field to 1 - "totalCount" is returned for any query.

Args: filters: JSON string containing an array of filter objects (optional). Each filter object must have: - fieldId: String field name (use flattened camelCase names below) - filterType: One of the supported filter types below - isNegated: Optional boolean to negate the filter (default: false)

        Common Field Names (flattened camelCase):
        - Core: "id", "severity", "status", "alertName", "detectedAt", "createdAt"
        - Analysis: "analystVerdict", "assigneeUserId", "assigneeFullName", "alertNoteExists"
        - Context: "storylineId", "description"

        Filter Types and Required Keys:

        String Filters (for severity, status, analystVerdict, etc.):
        - "string_equals": Exact match. Requires "value" key.
          Example: {"fieldId": "severity", "filterType": "string_equals", "value": "CRITICAL"}
        - "string_in": Match any of multiple values. Requires "values" key (list).
          Example: {"fieldId": "status", "filterType": "string_in", "values": ["NEW", "IN_PROGRESS"]}

        Boolean Filters (for alertNoteExists, etc.):
        - "boolean_equals": Exact match. Requires "value" key.
          Example: {"fieldId": "alertNoteExists", "filterType": "boolean_equals", "value": true}
        - "boolean_in": Match any of multiple values. Requires "values" key (list).
          Example: {"fieldId": "alertNoteExists", "filterType": "boolean_in", "values": [true, false]}

        Long Filters (for numeric IDs like assigneeUserId):
        - "long_equals": Exact match. Requires "value" key.
          Example: {"fieldId": "assigneeUserId", "filterType": "long_equals", "value": 123}
        - "long_in": Match any of multiple values. Requires "values" key (list).
          Example: {"fieldId": "assigneeUserId", "filterType": "long_in", "values": [1, 2, 3]}

        DateTime Filters (for detectedAt, createdAt):
        - "datetime_range": Range match using UNIX timestamps in milliseconds (UTC). Requires "start" and/or "end" keys.
          Optional: "startInclusive", "endInclusive" (default: true)

          IMPORTANT: All datetimes in the Alert API are in UTC timezone.
          You MUST use the iso_to_unix_timestamp tool to convert ISO 8601 datetime strings
          to UNIX timestamps (milliseconds) before using them in datetime filters.

          IMPORTANT: Unless the user specifies a field to query a DateTime on, use createdAt.

          The iso_to_unix_timestamp tool handles timezone conversion automatically.
          Provide datetimes in the user's preferred timezone (e.g., "2024-10-30T08:00:00-04:00" for Eastern Time)
          and the tool will convert to UTC milliseconds for the API.

          Example workflow:
          1. Call iso_to_unix_timestamp("2024-10-30T08:00:00-04:00") -> returns "1730289600000" (UTC)
          2. Use result in filter: {"fieldId": "createdAt", "filterType": "datetime_range", "start": 1730289600000}

          Example: {"fieldId": "createdAt", "filterType": "datetime_range", "start": 1730289600000}

        Fulltext Search (for alertName, id, storylineId):
        - "fulltext": Text search with case-insensitive substring matching. Requires "values" key (list).
          Example: {"fieldId": "alertName", "filterType": "fulltext", "values": ["malware", "threat"]}

        Limits:
        - Maximum 50 filters per request
        - Maximum 100 values in "values" arrays

first: Number of alerts to retrieve (1-100, default: 10).
after: Cursor for pagination (optional).
view_type: Filter by assignment - ALL, ASSIGNED_TO_ME, UNASSIGNED, MY_TEAM (default: ALL).
fields: Optional JSON string containing an array of field names to return.
        If not specified, returns all default fields (including dataSources).
        See list_alerts for available fields and dataSources behavior.

        IMPORTANT - dataSources field behavior:
        - When fields=None (default): dataSources is INCLUDED automatically
        - When fields is provided: dataSources is ONLY included if explicitly requested
          Example: '["id", "severity", "dataSources"]'

Performance Note: When paging through many results, use fields='["id"]' for intermediate pages to conserve context window space. Use totalCount to gauge result set size.

Returns: Filtered list of alerts in JSON format.

Raises: RuntimeError: If there's an error searching alerts. ValueError: If parameters are invalid.

Examples: CORRECT: filters=[ {"fieldId": "severity", "filterType": "string_in", "values": ["CRITICAL", "HIGH"]}, {"fieldId": "status", "filterType": "string_equals", "value": "NEW"}, {"fieldId": "alertNoteExists", "filterType": "boolean_equals", "value": false} ]

WRONG:
filters=[
  {"fieldId": "severity", "filterType": "EQUALS", "value": "CRITICAL"},  # Use "string_equals"
  {"fieldId": "status.value", "filterType": "string_equals", "value": "NEW"}  # Use "status" not "status.value"
]
get_alert_notesA

Get all notes and comments associated with an alert.

Retrieves all analyst notes, comments, and annotations attached to a specific alert. Notes provide context, analysis findings, investigation steps, and collaboration history.

Args: alert_id: The unique identifier of the alert.

Returns: List of notes in JSON format, each containing: - id: Unique note identifier - text: Note content/message - createdAt: ISO timestamp when note was created - author: User information {userId, email, fullName} - alertId: Associated alert identifier

Notes are typically ordered by creation time (newest first).

Common Use Cases: - Investigation documentation and collaboration - Tracking analyst findings and decisions - Audit trail for alert handling - Knowledge sharing between team members - Compliance and reporting requirements

Note: Returns empty array if no notes exist. Check alert.noteExists field from get_alert to avoid unnecessary calls.

Raises: RuntimeError: If there's an error retrieving alert notes. ValueError: If alert_id is invalid or empty.

get_alert_historyA

Get the complete audit history and timeline for an alert.

Retrieves a chronological record of all actions, status changes, and events related to a specific alert. Provides full audit trail for compliance and investigation.

Args: alert_id: The unique identifier of the alert. first: Number of history events to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional).

Returns: Paginated chronological list in JSON format containing: - edges: Array of history events with: - createdAt: ISO timestamp when the event was created - eventText: Human-readable description of the event - eventType: Type of event (STATUS_CHANGED, ASSIGNMENT_CHANGED, NOTE_ADDED, etc.) - reportUrl: Optional URL to mitigation action report (if applicable) - historyItemCreator: Creator/author of the event (may be null for system events): - userId: User identifier - userType: Type of user (MDR, CONSOLE_USER, etc.) - pageInfo: Pagination metadata (same structure as list_alerts)

Common Event Types: - status_change: Alert status modified (NEW → IN_PROGRESS, etc.) - assignment: Alert assigned/unassigned to user or team - severity_change: Severity level modified - note_added: Analyst note or comment added - verdict_change: Analyst verdict updated - escalation: Alert escalated to higher priority - integration_action: External system actions (ticket creation, etc.)

Common Use Cases: - Compliance auditing and reporting - Investigation timeline reconstruction - Performance metrics and SLA tracking - Change management and accountability - Forensic analysis of alert handling

Raises: RuntimeError: If there's an error retrieving alert history. ValueError: If parameters are invalid.

get_alert_investigation_reportA

Get the agentic auto-investigation report associated with an alert.

Retrieves the comprehensive investigation report generated by Purple AI's Auto Investigations for a specific alert. This report includes analysis findings, evidence, conclusions, recommended actions, and a final verdict.

Args: alert_id: The unique identifier of the alert.

Returns: The agentic auto-investigation report in markdown format and the verdict.

Common use cases: - Reviewing the auto-investigation summary - Understanding the final verdict and recommendations on an alert - Retrieving previous report to review detailed analysis and evidence

Note: Returns None if no report exists.

Raises: RuntimeError: If there's an error retrieving the alert report. ValueError: If alert_id is invalid or empty.

get_misconfigurationA

Get detailed information about a specific misconfiguration by ID.

Retrieves comprehensive misconfiguration data including metadata, severity, affected assets, compliance information, remediation steps, and MITRE ATT&CK mappings.

Args: misconfiguration_id: The unique identifier of the misconfiguration (string).

Returns: Detailed misconfiguration information in JSON format containing: - id: Unique misconfiguration identifier - externalId: External system identifier - name: Misconfiguration title/name - description: Detailed description of the issue - severity: CRITICAL, HIGH, MEDIUM, LOW, INFO, UNKNOWN - status: NEW, IN_PROGRESS, ON_HOLD, RESOLVED, RISK_ACKED, SUPPRESSED, TO_BE_PATCHED - detectedAt: ISO timestamp when misconfiguration was detected - eventTime: ISO timestamp of the event - environment: Environment where detected (e.g., cloud, kubernetes) - product: Detection source product name - vendor: Detection source vendor name - asset: Associated asset information {id, name, type, category, cloudInfo, etc.} - scope: Organizational scope {account, site, group} - scopeLevel: account/site/group - analystVerdict: TRUE_POSITIVE or FALSE_POSITIVE - assignee: Assigned user information {id, email, fullName} - compliance: Compliance standards and requirements - remediation: Remediation steps and references - failedRules: List of failed security rules - findingData: Additional context and properties - mitreAttacks: MITRE ATT&CK technique mappings - cnapp: Cloud-native application protection details - evidence: Evidence data (files, IPs, ports, secrets, etc.)

Common Use Cases: - Security posture assessment - Compliance auditing and reporting - Vulnerability management workflows - Cloud security remediation - Risk assessment and prioritization

Raises: RuntimeError: If there's an error retrieving the misconfiguration. ValueError: If misconfiguration_id is invalid or empty.

list_misconfigurationsA

List misconfigurations with pagination and view filtering.

Retrieves a paginated list of misconfigurations with filtering by environment type. For advanced filtering by severity, status, compliance, etc., use search_misconfigurations instead.

Args: first: Number of misconfigurations to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional). Use pageInfo.endCursor from previous response to get next page. view_type: Environment filter with options: - "ALL": Show all misconfigurations (default) - "CLOUD": Cloud environment only - "KUBERNETES": Kubernetes environment only - "IDENTITY": Identity-related misconfigurations - "INFRASTRUCTURE_AS_CODE": IaC misconfigurations - "ADMISSION_CONTROLLER": Admission controller findings - "OFFENSIVE_SECURITY": Offensive security findings - "SECRET_SCANNING": Secret scanning findings fields: Optional JSON string containing an array of field names to return. If not specified, returns all default fields. Use minimal fields like '["id"]' when paging through intermediate results.

        Available fields:
        - Basic: "id", "externalId", "name", "severity", "status"
        - Timing: "detectedAt", "lastSeenAt", "eventTime"
        - Context: "environment", "product", "vendor", "organization"
        - Analysis: "analystVerdict", "mitigable", "exposureReason"
        - Type: "misconfigurationType"
        - IDs: "resourceUid", "exploitId", "exclusionPolicyId"
        - Nested objects (returns subfields):
          - "asset" (id, externalId, name, type, category, subcategory, privileged,
                    cloudInfo {accountId, accountName, providerName, region},
                    kubernetesInfo {cluster, namespace})
          - "scope" (account {id, name}, site {id, name}, group {id, name})
          - "assignee" (id, email, fullName)
          - "evidence" (fileName, fileType, iacFramework, ipAddress, port, subdomain)
          - "cnapp" (policy {id, version, group}, verifiedExploitable)
          - "admissionRequest" (category, resourceName, resourceNamespace, resourceType,
                               userName, userUid, userGroup)
          - "remediation" (mitigable, mitigationSteps)
          - "mitreAttacks" (techniqueId, techniqueName, techniqueUrl, tacticName, tacticUid)
        - Lists: "complianceStandards", "dataClassificationDataTypes", "dataClassificationCategories"
        - Enforcement: "enforcementAction"

        Examples:
        - Minimal for paging: '["id"]'
        - Summary view: '["id", "severity", "status", "name", "detectedAt"]'
        - With asset context: '["id", "name", "asset", "severity"]'
        - Full details: omit fields parameter or pass None

Returns: Paginated misconfiguration list in JSON format containing: - edges: Array of misconfiguration objects - pageInfo: Pagination metadata - hasNextPage: Boolean indicating more results available - hasPreviousPage: Boolean indicating previous page exists - startCursor: Cursor for first item in current page - endCursor: Cursor for last item (use for next page) - totalCount: Total number of matching misconfigurations

Common Use Cases: - Security dashboard feeds - Environment-specific security reviews - Bulk remediation workflows - Compliance reporting by scope - Cloud security posture management

Pagination Example: 1. Call with first=20 to get first 20 misconfigurations 2. Use pageInfo.endCursor as 'after' parameter for next 20 3. Continue until pageInfo.hasNextPage is false

Raises: RuntimeError: If there's an error listing misconfigurations. ValueError: If parameters are invalid.

search_misconfigurationsA

Search misconfigurations using advanced filters and criteria.

Args: filters: JSON string containing an array of filter objects (optional). Each filter object must have: - fieldId: String field name - MUST use flattened camelCase names (see Valid Field Names below) - filterType: One of the supported filter types below - isNegated: Optional boolean to negate the filter (default: false)

        Valid Field Names (fieldId values):
        IMPORTANT: Use these exact field names, NOT nested paths like "asset.name" or "evidence.secret"

        Core Fields:
        - "id": Misconfiguration ID
        - "name": Misconfiguration name
        - "severity": CRITICAL, HIGH, MEDIUM, LOW, INFO, UNKNOWN
        - "status": NEW, IN_PROGRESS, ON_HOLD, RESOLVED, RISK_ACKED, SUPPRESSED, TO_BE_PATCHED
        - "detectedAt": Detection timestamp
        - "lastSeenAt": Last seen timestamp
        - "environment": Environment type
        - "product": Product name
        - "vendor": Vendor name
        - "analystVerdict": TRUE_POSITIVE, FALSE_POSITIVE
        - "assigneeFullName": Assigned user full name
        - "exposureReason": Reason for exposure
        - "mitigable": Boolean - can be mitigated

        Asset Fields (use "asset" prefix, NOT "asset."):
        - "assetId": Asset identifier
        - "assetName": Asset name
        - "assetType": Asset type
        - "assetTypeCategory": Asset type category
        - "assetCategory": Asset category
        - "assetSubcategory": Asset subcategory
        - "assetCriticality": CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN
        - "assetPrivileged": Boolean - privileged asset
        - "assetCloudResourceId": Cloud resource ID
        - "assetCloudAccountId": Cloud account ID
        - "assetCloudAccount": Cloud account name
        - "assetCloudRegion": Cloud region
        - "assetKubernetesCluster": Kubernetes cluster name
        - "assetKubernetesClusterId": Kubernetes cluster ID

        Policy Fields (use appropriate prefixes):
        - "policyId": Policy identifier
        - "policyVersion": Policy version
        - "policyGroup": Policy group name
        - "organization": Organization name
        - "enforcementAction": Enforcement action type
        - "iacFramework": Infrastructure as Code framework

        Compliance & Classification:
        - "complianceStandards": Compliance standards
        - "hasClassifiedData": Boolean - contains classified data
        - "dataClassificationCategories": Data classification categories
        - "dataClassificationDataTypes": Data classification types

        Secret Fields (use "secret" prefix, NOT "evidence.secret."):
        - "secretId": Secret identifier
        - "secretHash": Secret hash
        - "secretType": Type of secret
        - "secretValidity": Secret validity status

        Request Fields (for admission controller, use "request" prefix):
        - "requestResourceName": Resource name
        - "requestResourceType": Resource type
        - "requestResourceNamespace": Resource namespace
        - "requestUserName": User name
        - "requestUserUid": User UID
        - "requestUserGroup": User group
        - "requestCategory": Request category

        Other Fields:
        - "commitedBy": Committed by (IaC findings)
        - "verifiedExploitable": Boolean - verified as exploitable
        - "accountId": Account ID (hidden)
        - "siteId": Site ID (hidden)
        - "groupId": Group ID (hidden)

        Filter Types and Required Keys:
        IMPORTANT: The misconfigurations API does NOT support INT filters. Use STRING or BOOLEAN filters.

        String Filters (for severity, status, product, vendor, etc.):
        - "string_equals": Exact match. Requires "value" key.
          Example: {"fieldId": "severity", "filterType": "string_equals", "value": "CRITICAL"}
        - "string_in": Match any of multiple values. Requires "values" key (list).
          Example: {"fieldId": "status", "filterType": "string_in", "values": ["NEW", "IN_PROGRESS"]}
          Note: product and vendor ONLY support STRING filters, NOT fulltext

        Boolean Filters (for mitigable, verifiedExploitable, hasClassifiedData, etc.):
        - "boolean_equals": Exact match for single boolean. Requires "value" key.
          Example: {"fieldId": "mitigable", "filterType": "boolean_equals", "value": true}
        - "boolean_in": Match any of multiple boolean values. Requires "values" key (list).
          Example: {"fieldId": "hasClassifiedData", "filterType": "boolean_in", "values": [true, null]}
          Note: Can include null to match missing/unset values
          SPECIAL CASE - secretValidity: ONLY supports boolean_in (NOT boolean_equals)

        DateTime Filters (for detectedAt, lastSeenAt):
        - "datetime_range": Range match using UNIX timestamps in milliseconds (UTC). Requires "start" and/or "end" keys.
          Optional: "startInclusive", "endInclusive" (default: true)

          IMPORTANT: All datetimes in the Misconfiguration API are in UTC timezone.
          You MUST use the iso_to_unix_timestamp tool to convert ISO 8601 datetime strings
          to UNIX timestamps (milliseconds) before using them in datetime filters.

          IMPORTANT: Unless the user specifies a field to query a DateTime on, use lastSeenAt.

          The iso_to_unix_timestamp tool handles timezone conversion automatically.
          Provide datetimes in the user's preferred timezone (e.g., "2024-10-30T08:00:00-04:00" for Eastern Time)
          and the tool will convert to UTC milliseconds for the API.

          Example workflow:
          1. Call iso_to_unix_timestamp("2024-10-30T08:00:00-04:00") -> returns "1730289600000" (UTC)
          2. Use result in filter: {"fieldId": "detectedAt", "filterType": "datetime_range", "start": 1730289600000}

          Example: {"fieldId": "detectedAt", "filterType": "datetime_range", "start": 1730289600000}

        Fulltext Search (for name, exposureReason, asset/resource names, compliance, etc.):
        - "fulltext": Single-value text search. Requires "values" key (list of search terms).
          Example: {"fieldId": "name", "filterType": "fulltext", "values": ["s3"]}
        - "fulltext_in": Multi-value text search with partial matching. Requires "values" key (list).
          Example: {"fieldId": "assetName", "filterType": "fulltext_in", "values": ["server", "test", "web"]}
          SPECIAL CASES - secretHash/secretId: ONLY support fulltext/fulltext_in (NOT string_equals)

        Limits:
        - Maximum 50 filters per request
        - Maximum 100 values in "values" arrays

first: Number of misconfigurations to retrieve (1-100, default: 10).
after: Cursor for pagination (optional).
view_type: Filter by environment - ALL, CLOUD, KUBERNETES, etc.
fields: Optional JSON string containing an array of field names to return.
        If not specified, returns all default fields.
        See list_misconfigurations for available fields and examples.

        Available fields:
        - Basic: "id", "externalId", "name", "severity", "status"
        - Timing: "detectedAt", "lastSeenAt", "eventTime"
        - Context: "environment", "product", "vendor", "organization"
        - Analysis: "analystVerdict", "mitigable", "exposureReason"
        - Type: "misconfigurationType"
        - IDs: "resourceUid", "exploitId", "exclusionPolicyId"
        - Nested objects: "asset", "scope", "assignee", "evidence", "cnapp",
                        "admissionRequest", "remediation", "mitreAttacks"
          (See list_misconfigurations for exact subfields returned)
        - Lists: "complianceStandards", "dataClassificationDataTypes",
                "dataClassificationCategories"

        Examples:
        - Minimal for paging: '["id"]'
        - Summary: '["id", "severity", "status", "name", "detectedAt"]'
        - With asset: '["id", "name", "asset", "severity"]'

Performance Note: When paging through many results, use fields='["id"]' for intermediate pages to conserve context window space. Use totalCount to gauge result set size.

Returns: Filtered list of misconfigurations in JSON format.

Raises: RuntimeError: If there's an error searching misconfigurations. ValueError: If parameters are invalid.

Examples: CORRECT: filters=[ {"fieldId": "severity", "filterType": "string_equals", "value": "CRITICAL"}, {"fieldId": "status", "filterType": "string_in", "values": ["NEW", "IN_PROGRESS"]}, {"fieldId": "assetCloudRegion", "filterType": "string_in", "values": ["us-east-1", "us-west-2"]} ] WRONG: filters=[ {"fieldId": "asset.name", "filterType": "fulltext", "values": ["test"]}, # Use "assetName" not "asset.name" {"fieldId": "evidence.secret.hash", "filterType": "string_equals", "value": "abc123"}, # Use "secretHash" not "evidence.secret.hash" {"fieldId": "severity", "filterType": "EQUALS", "value": "CRITICAL"} # Use "string_equals" not "EQUALS" ]

get_misconfiguration_notesA

Get all notes and comments associated with a misconfiguration.

Retrieves all analyst notes, comments, and annotations attached to a specific misconfiguration. Notes provide context, analysis findings, remediation steps, and collaboration history.

Args: misconfiguration_id: The unique identifier of the misconfiguration.

Returns: List of notes in JSON format, each containing: - id: Unique note identifier - misconfigurationId: Associated misconfiguration identifier - text: Note content/message - author: User information {id, email, fullName, deleted} - createdAt: ISO timestamp when note was created - updatedAt: ISO timestamp when note was last updated (if applicable)

Notes are typically ordered by creation time (newest first).

Common Use Cases: - Remediation documentation and collaboration - Tracking analyst findings and decisions - Audit trail for security issue handling - Knowledge sharing between security teams - Compliance and reporting requirements

Raises: RuntimeError: If there's an error retrieving misconfiguration notes. ValueError: If misconfiguration_id is invalid or empty.

get_misconfiguration_historyA

Get the complete audit history and timeline for a misconfiguration.

Retrieves a chronological record of all actions, status changes, and events related to a specific misconfiguration. Provides full audit trail for compliance and investigation.

Args: misconfiguration_id: The unique identifier of the misconfiguration. first: Number of history events to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional).

Returns: Paginated chronological list in JSON format containing: - edges: Array of history events with: - eventType: Type of event (CREATION, STATUS, ANALYST_VERDICT, USER_ASSIGNMENT, NOTES, WORKFLOW_ACTION) - eventText: Human-readable description of the event - createdAt: ISO timestamp when event occurred - pageInfo: Pagination metadata (same structure as list_misconfigurations)

Common Event Types: - CREATION: Misconfiguration first detected - STATUS: Status changed (NEW → IN_PROGRESS, etc.) - ANALYST_VERDICT: Verdict updated (TRUE_POSITIVE/FALSE_POSITIVE) - USER_ASSIGNMENT: Assigned/unassigned to user - NOTES: Note or comment added - WORKFLOW_ACTION: Automated action or workflow step

Common Use Cases: - Compliance auditing and reporting - Investigation timeline reconstruction - Performance metrics and SLA tracking - Change management and accountability - Security posture trend analysis

Raises: RuntimeError: If there's an error retrieving misconfiguration history. ValueError: If parameters are invalid.

get_vulnerabilityA

Get detailed information about a specific vulnerability by ID.

Retrieves comprehensive vulnerability data including CVE details, affected assets, risk scores, EPSS metrics, exploit maturity, and remediation information.

Args: vulnerability_id: The unique identifier of the vulnerability (string).

Returns: Detailed vulnerability information in JSON format containing: - id: Unique vulnerability identifier - externalId: External system identifier - name: Vulnerability title/name - severity: CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN - status: NEW, IN_PROGRESS, ON_HOLD, RESOLVED, RISK_ACKED, SUPPRESSED, TO_BE_PATCHED - detectedAt: ISO timestamp when vulnerability was detected - lastSeenAt: ISO timestamp of most recent occurrence - updatedAt: ISO timestamp of last update - product: Detection source product name - vendor: Detection source vendor name - asset: Associated asset information {id, name, type, category, cloudInfo, etc.} - scope: Organizational scope {account, site, group} - scopeLevel: account/site/group - cve: CVE details including: - id: CVE identifier (CVE-YYYY-NNNN) - description: CVE description - nvdBaseScore: NVD base score - riskScore: SentinelOne risk score - publishedDate: Publication date - epssScore: EPSS probability score - epssPercentile: EPSS percentile - exploitMaturity: Exploit code maturity level - exploitedInTheWild: Boolean indicating active exploitation - kevAvailable: CISA KEV catalog availability - s1BaseValues: CVSS vector components - riskIndicators: Additional risk indicators - timeline: CVE timeline events - software: Affected software {name, version, fixVersion, type, vendor} - findingData: Additional context and properties - paidScope: Whether under paid scope - remediationInsightsAvailable: Remediation insights availability - selfLink: Link to the vulnerability details - analystVerdict: TRUE_POSITIVE or FALSE_POSITIVE - assignee: Assigned user information {id, email, fullName} - exclusionPolicyId: Exclusion policy identifier if applicable

Common Use Cases: - Vulnerability assessment and prioritization - CVE research and analysis - Risk scoring and exposure analysis - Patch management workflows - Compliance reporting

Raises: RuntimeError: If there's an error retrieving the vulnerability. ValueError: If vulnerability_id is invalid or empty.

list_vulnerabilitiesA

List vulnerabilities with pagination.

Retrieves a paginated list of vulnerabilities in the environment. For advanced filtering by severity, CVE, asset type, etc., use search_vulnerabilities instead.

Args: first: Number of vulnerabilities to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional). Use pageInfo.endCursor from previous response to get next page. fields: Optional JSON string containing an array of field names to return. If not specified, returns all default fields. Use minimal fields like '["id"]' when paging through intermediate results.

        Available fields:
        - Basic: "id", "name", "severity", "status"
        - Timing: "detectedAt", "lastSeenAt"
        - Context: "product", "vendor"
        - Analysis: "analystVerdict"
        - IDs: "exclusionPolicyId"
        - Nested objects (returns subfields):
          - "cve" (id, nvdBaseScore, riskScore, publishedDate, epssScore,
                  exploitMaturity, exploitedInTheWild)
          - "software" (name, version, fixVersion, type, vendor)
          - "asset" (id, externalId, name, type, category, subcategory, privileged,
                    cloudInfo {accountId, accountName, providerName, region},
                    kubernetesInfo {cluster, namespace})
          - "scope" (account {id, name}, site {id, name}, group {id, name})
          - "assignee" (id, email, fullName)

        Examples:
        - Minimal for paging: '["id"]'
        - Summary view: '["id", "severity", "status", "name", "detectedAt"]'
        - With CVE details: '["id", "name", "cve", "software"]'
        - Full details: omit fields parameter or pass None

Returns: Paginated vulnerability list in JSON format containing: - edges: Array of vulnerability objects - pageInfo: Pagination metadata - hasNextPage: Boolean indicating more results available - hasPreviousPage: Boolean indicating previous page exists - startCursor: Cursor for first item in current page - endCursor: Cursor for last item (use for next page) - totalCount: Total number of matching vulnerabilities

Common Use Cases: - Vulnerability dashboard feeds - Security posture overview - Bulk vulnerability processing - Patch priority queues - Compliance reporting

Pagination Example: 1. Call with first=20 to get first 20 vulnerabilities 2. Use pageInfo.endCursor as 'after' parameter for next 20 3. Continue until pageInfo.hasNextPage is false

Raises: RuntimeError: If there's an error listing vulnerabilities. ValueError: If parameters are invalid.

search_vulnerabilitiesA

Search vulnerabilities using advanced filters and criteria.

Args: filters: JSON string containing an array of filter objects (optional). Each filter object must have: - fieldId: String field name - MUST use flattened camelCase names (see Valid Field Names below) - filterType: One of the supported filter types below - isNegated: Optional boolean to negate the filter (default: false)

        Valid Field Names (fieldId values):
        IMPORTANT: Use these exact field names, NOT nested paths like "cve.id" or "asset.name"

        Core Fields:
        - "id": Vulnerability ID
        - "name": Vulnerability name
        - "severity": CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN
        - "status": NEW, IN_PROGRESS, ON_HOLD, RESOLVED, RISK_ACKED, SUPPRESSED, TO_BE_PATCHED
        - "detectedAt": Detection timestamp
        - "lastSeenAt": Last seen timestamp
        - "product": Product name
        - "vendor": Vendor name
        - "analystVerdict": TRUE_POSITIVE, FALSE_POSITIVE
        - "assigneeFullName": Assigned user full name

        CVE Fields (use "cve" prefix, NOT "cve."):
        - "cveId": CVE identifier (e.g. CVE-2024-1234)
        - "cveNvdBaseScore": NVD base score (SORT ONLY - not filterable)
        - "cveRiskScore": SentinelOne risk score (SORT ONLY - not filterable)
        - "cveEpssScore": EPSS probability score (STRING_IN only - use ranges: "0.0-0.35", "0.35-0.5", "0.5-0.75", "0.75-1.0")
        - "cveExploitMaturity": NOT_AVAILABLE, UNPROVEN, PROOF_OF_CONCEPT, FUNCTIONAL, HIGH
        - "cveExploitedInTheWild": Boolean - actively exploited
        - "cveKevAvailable": Boolean - in CISA KEV catalog
        - "cveReportConfidence": Report confidence level

        Software Fields (use "software" prefix, NOT "software."):
        - "softwareName": Software package name
        - "softwareVersion": Installed version
        - "softwareFixVersion": Available fix version
        - "softwareFixVersionAvailable": Boolean - fix available
        - "softwareType": OPERATING_SYSTEM, APPLICATION, LIBRARY, etc.
        - "softwareVendor": Software vendor name

        Asset Fields (use "asset" prefix, NOT "asset."):
        - "assetId": Asset identifier
        - "assetName": Asset name
        - "assetType": Asset type
        - "assetTypeCategory": Asset type category
        - "assetCategory": Asset category
        - "assetSubcategory": Asset subcategory
        - "assetCriticality": CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN
        - "assetPrivileged": Boolean - privileged asset
        - "assetCloudResourceId": Cloud resource ID
        - "assetCloudAccountId": Cloud account ID
        - "assetCloudAccount": Cloud account name
        - "assetCloudRegion": Cloud region
        - "assetKubernetesCluster": Kubernetes cluster name
        - "assetKubernetesClusterId": Kubernetes cluster ID

        Other Fields:
        - "remediationInsightsAvailable": Boolean - remediation insights available
        - "accountId": Account ID (hidden)
        - "siteId": Site ID (hidden)
        - "groupId": Group ID (hidden)

        Filter Types and Required Keys:
        IMPORTANT: The vulnerabilities API does NOT support INT filters. Use STRING or BOOLEAN filters.

        String Filters (for severity, status, product, vendor, etc.):
        - "string_equals": Exact match. Requires "value" key.
          Example: {"fieldId": "severity", "filterType": "string_equals", "value": "CRITICAL"}
        - "string_in": Match any of multiple values. Requires "values" key (list).
          Example: {"fieldId": "status", "filterType": "string_in", "values": ["NEW", "IN_PROGRESS"]}
          SPECIAL CASE - cveEpssScore: Use range format like {"fieldId": "cveEpssScore", "filterType": "string_in", "values": ["0.5-0.75", "0.75-1.0"]}
          Note: product and vendor ONLY support STRING filters, NOT fulltext

        Boolean Filters (for exploited, KEV, fix available, etc.):
        - "boolean_equals": Exact match for single boolean. Requires "value" key.
          Example: {"fieldId": "cveExploitedInTheWild", "filterType": "boolean_equals", "value": true}
        - "boolean_in": Match any of multiple boolean values. Requires "values" key (list).
          Example: {"fieldId": "softwareFixVersionAvailable", "filterType": "boolean_in", "values": [true, null]}
          Note: Can include null to match missing/unset values

        DateTime Filters (for detectedAt, lastSeenAt):
        - "datetime_range": Range match using UNIX timestamps in milliseconds (UTC). Requires "start" and/or "end" keys.
          Optional: "startInclusive", "endInclusive" (default: true)

          IMPORTANT: All datetimes in the Vulnerability API are in UTC timezone.
          You MUST use the iso_to_unix_timestamp tool to convert ISO 8601 datetime strings
          to UNIX timestamps (milliseconds) before using them in datetime filters.

          IMPORTANT: Unless the user specifies a field to query a DateTime on, use detectedAt.

          The iso_to_unix_timestamp tool handles timezone conversion automatically.
          Provide datetimes in the user's preferred timezone (e.g., "2024-10-30T08:00:00-04:00" for Eastern Time)
          and the tool will convert to UTC milliseconds for the API.

          Example workflow:
          1. Call iso_to_unix_timestamp("2024-10-30T08:00:00-04:00") -> returns "1730289600000" (UTC)
          2. Use result in filter: {"fieldId": "detectedAt", "filterType": "datetime_range", "start": 1730289600000}

          Example: {"fieldId": "detectedAt", "filterType": "datetime_range", "start": 1730289600000}

        Fulltext Search (for name, CVE ID, software/asset names):
        - "fulltext": Single-value text search. Requires "values" key (list of search terms).
          Example: {"fieldId": "name", "filterType": "fulltext", "values": ["log4j"]}
        - "fulltext_in": Multi-value text search with partial matching. Requires "values" key (list).
          Example: {"fieldId": "assetName", "filterType": "fulltext_in", "values": ["server", "test", "web"]}

        Limits:
        - Maximum 50 filters per request
        - Maximum 100 values in "values" arrays

first: Number of vulnerabilities to retrieve (1-100, default: 10).
after: Cursor for pagination (optional).
fields: Optional JSON string containing an array of field names to return.
        If not specified, returns all default fields.
        See list_vulnerabilities for available fields and examples.

        Available fields:
        - Basic: "id", "name", "severity", "status"
        - Timing: "detectedAt", "lastSeenAt"
        - Context: "product", "vendor"
        - Analysis: "analystVerdict"
        - IDs: "exclusionPolicyId"
        - Nested objects: "cve", "software", "asset", "scope", "assignee"
          (See list_vulnerabilities for exact subfields returned)

        Examples:
        - Minimal for paging: '["id"]'
        - Summary: '["id", "severity", "status", "name", "detectedAt"]'
        - With CVE: '["id", "name", "cve", "software"]'

Performance Note: When paging through many results, use fields='["id"]' for intermediate pages to conserve context window space. Use totalCount to gauge result set size.

Returns: Filtered list of vulnerabilities in JSON format.

Raises: RuntimeError: If there's an error searching vulnerabilities. ValueError: If parameters are invalid.

Examples: CORRECT: filters=[ {"fieldId": "severity", "filterType": "string_equals", "value": "CRITICAL"}, {"fieldId": "cveExploitedInTheWild", "filterType": "boolean_equals", "value": true}, {"fieldId": "assetType", "filterType": "string_in", "values": ["SERVER", "WORKSTATION"]} ] WRONG: filters=[ {"fieldId": "cve.id", "filterType": "string_equals", "value": "CVE-2024-1234"}, # Use "cveId" not "cve.id" {"fieldId": "asset.name", "filterType": "fulltext", "values": ["test"]}, # Use "assetName" not "asset.name" {"fieldId": "severity", "filterType": "EQUALS", "value": "CRITICAL"} # Use "string_equals" not "EQUALS" ]

get_vulnerability_notesA

Get all notes and comments associated with a vulnerability.

Retrieves all analyst notes, comments, and annotations attached to a specific vulnerability. Notes provide context, analysis findings, remediation steps, and collaboration history.

Args: vulnerability_id: The unique identifier of the vulnerability.

Returns: List of notes in JSON format, each containing: - id: Unique note identifier - vulnerabilityId: Associated vulnerability identifier - text: Note content/message - author: User information {id, email, fullName, deleted} - createdAt: ISO timestamp when note was created - updatedAt: ISO timestamp when note was last updated (if applicable)

Notes are typically ordered by creation time (newest first).

Common Use Cases: - Vulnerability analysis documentation - Tracking security team findings and decisions - Audit trail for vulnerability handling - Knowledge sharing between security analysts - Compliance and reporting requirements

Raises: RuntimeError: If there's an error retrieving vulnerability notes. ValueError: If vulnerability_id is invalid or empty.

get_vulnerability_historyA

Get the complete audit history and timeline for a vulnerability.

Retrieves a chronological record of all actions, status changes, and events related to a specific vulnerability. Provides full audit trail for compliance and investigation.

Args: vulnerability_id: The unique identifier of the vulnerability. first: Number of history events to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional).

Returns: Paginated chronological list in JSON format containing: - edges: Array of history events with: - eventType: Type of event (CREATION, STATUS, ANALYST_VERDICT, USER_ASSIGNMENT, NOTES, WORKFLOW_ACTION) - eventText: Human-readable description of the event - createdAt: ISO timestamp when event occurred - pageInfo: Pagination metadata (same structure as list_vulnerabilities)

Common Event Types: - CREATION: Vulnerability first detected - STATUS: Status changed (NEW → IN_PROGRESS, etc.) - ANALYST_VERDICT: Verdict updated (TRUE_POSITIVE/FALSE_POSITIVE) - USER_ASSIGNMENT: Assigned/unassigned to user - NOTES: Note or comment added - WORKFLOW_ACTION: Automated action or workflow step

Common Use Cases: - Compliance auditing and reporting - Investigation timeline reconstruction - Performance metrics and SLA tracking - Change management and accountability - Vulnerability lifecycle analysis

Raises: RuntimeError: If there's an error retrieving vulnerability history. ValueError: If parameters are invalid.

get_inventory_itemA

Get detailed information about a specific managed asset in SentinelOne by ID.

Use this tool to retrieve information about SentinelOne managed assets such as computers, servers, workstations, cloud resources, and network devices.

Args: item_id: The unique identifier of the inventory item. fetch_fields: Field filtering. Either: - Preset name: "MINIMAL", "STANDARD", or "ALL" (default: "ALL") * MINIMAL: 7 core fields (id, name, category, etc.) * STANDARD: 13 fields (MINIMAL + operational context) * ALL: All available fields (~200+ fields) - List of specific field names in camelCase: Examples: ["id", "name", "resourceType"] ["id", "osVersion", "ipAddress", "lastActiveDt"] Defaults to "ALL" to return complete asset information.

Returns: JSON string containing the requested fields (keys use camelCase format). Fields without values are excluded from the output.

Raises: ValueError: If item_id is invalid or empty, or fetch_fields is invalid. InventoryAuthenticationError: If authentication fails. InventoryNetworkError: If network operation fails. InventoryAPIError: If the API returns an error. InventoryClientError: For other client-level errors.

list_inventory_itemsA

List managed assets in SentinelOne with pagination and optional filtering.

Use this tool to browse SentinelOne managed assets including computers, servers, workstations, cloud resources, and network-discovered devices.

Args: limit: Number of items to retrieve (1-1000, default: 50). skip: Number of items to skip for pagination (default: 0). surface: Optional surface filter: - "ENDPOINT": Endpoint assets (agents, workstations, servers, computers) - "CLOUD": Cloud resources (AWS, Azure, GCP) - "IDENTITY": Identity entities (AD, Entra ID) - "NETWORK_DISCOVERY": Network-discovered devices (Ranger) fetch_fields: Field filtering. Either: - Preset name: "MINIMAL", "STANDARD", or "ALL" (default: "MINIMAL") * MINIMAL: 7 core fields (id, name, category, etc.) - fastest * STANDARD: 13 fields (MINIMAL + operational context) * ALL: All available fields (~200+ fields) - slowest - List of specific field names in camelCase: Examples: ["id", "name", "category"] ["id", "resourceType", "assetStatus", "lastActiveDt"] Use fetch_fields="ALL" on a single item to discover all field names. Defaults to "MINIMAL" for optimal performance with list operations.

Returns: JSON string with paginated inventory items containing only requested fields. Field keys use camelCase format. Fields without values are excluded from the output. Includes pagination metadata.

Raises: ValueError: If parameters are invalid, or fetch_fields is invalid. InventoryAuthenticationError: If authentication fails. InventoryNetworkError: If network operation fails. InventoryAPIError: If the API returns an error. InventoryClientError: For other client-level errors.

search_inventory_itemsA

Search for managed assets in SentinelOne using REST API filters.

Use this tool to find specific SentinelOne managed assets such as computers, servers, workstations, cloud resources, and network devices by various criteria (name, type, status, tags, etc.). Multiple filters are combined with AND logic.

Note: For surface-specific filtering (ENDPOINT, CLOUD, IDENTITY, NETWORK_DISCOVERY), use the list_inventory_items tool instead, which supports surface filtering via GET.

Args: filters: JSON string containing filter dictionary (optional, default: {}). Use REST API filter format with field names in camelCase.

         Standard Filters (exact match - matches ANY value in list):
         - {"resourceType": ["Windows Server", "Linux Server"]}
         - {"assetStatus": ["Active", "Inactive"]}
         - {"category": ["Server", "Workstation"]}
         - {"infectionStatus": ["Infected", "Healthy"]}

         Contains Filters (partial match - case-insensitive):
         - {"name__contains": ["dev", "test"]}
         - {"cloudProviderAccountName__contains": ["testing"]}
         - {"osName__contains": ["Windows", "Ubuntu"]}

         Range Filters (date ranges - use ISO date strings or millisecond timestamps):
         - {"lastActiveDt__between": {"from": "2024-01-01", "to": "2024-12-31"}}
         - {"lastActiveDt__between": {"from": 1704067200000, "to": 1735689599000}}

         IMPORTANT: All datetimes in the Inventory API are in UTC timezone.
         For timestamp-based date filters, you can use the iso_to_unix_timestamp tool
         to convert ISO 8601 datetime strings to UNIX timestamps in milliseconds (UTC).

         The iso_to_unix_timestamp tool handles timezone conversion automatically.
         Provide datetimes in the user's preferred timezone (e.g., "2024-01-01T00:00:00-05:00" for Eastern Time)
         and the tool will convert to UTC milliseconds for the API.

         Example workflow for timestamp filters:
         1. Call iso_to_unix_timestamp("2024-01-01T00:00:00-05:00") -> returns "1704085200000" (UTC)
         2. Use in filter: {"lastActiveDt__between": {"from": 1704085200000, "to": 1735693199000}}

         ID Filters (exact ID matches):
         - {"id__in": ["uuid1", "uuid2", "uuid3"]}

         Negation Filters (exclude values):
         - {"assetStatus__nin": ["Decommissioned"]}
         - {"resourceType__nin": ["Unknown"]}

         Combining Filters (AND logic - all must match):
         - {"resourceType": ["Windows Server"], "assetStatus": ["Active"], "name__contains": ["test"]}

         Common Examples:
         - Find testing servers: {"name__contains": ["test"], "resourceType": ["Windows Server", "Linux Server"]}
         - Find active AWS instances: {"cloudProvider": ["AWS"], "assetStatus": ["Active"]}
         - Find recently active endpoints: {"lastActiveDt__between": {"from": "2024-12-01", "to": "2024-12-31"}}

limit: Number of items to retrieve (1-1000, default: 50).
skip: Number of items to skip for pagination (default: 0).
fetch_fields: Field filtering. Either:
              - Preset name: "MINIMAL", "STANDARD", or "ALL" (default: "MINIMAL")
                * MINIMAL: 7 core fields (id, name, category, etc.) - fastest
                * STANDARD: 13 fields (MINIMAL + operational context)
                * ALL: All available fields (~200+ fields) - slowest
              - List of specific field names in camelCase:
                Examples: ["id", "name", "resourceType", "assetStatus"]
                          ["id", "category", "osVersion", "ipAddress"]
              Use fetch_fields="ALL" on a single item to discover all field names.
              Defaults to "MINIMAL" for optimal performance with search operations.

Returns: JSON string with filtered inventory items containing only requested fields. Field keys use camelCase format. Fields without values are excluded from the output. Includes pagination metadata. Returns empty list if no matches found.

Raises: ValueError: If filters JSON is invalid, parameters are out of range, or fetch_fields is invalid. InventoryAuthenticationError: If authentication fails. InventoryNetworkError: If network operation fails. InventoryAPIError: If the API returns an error. InventoryClientError: For other client-level errors.

threat_intel_by_hashA

Get threat intelligence for a file hash from VirusTotal/Google Threat Intelligence.

This tool queries VirusTotal's database to retrieve comprehensive threat intelligence about a file based on its cryptographic hash. The hash can be in MD5, SHA1, or SHA256 format.

What this tool provides:

  • Malware detection results from 70+ antivirus engines

  • File metadata (size, type, names, creation dates)

  • Behavioral analysis results

  • YARA rule matches

  • Crowdsourced threat intelligence

  • Relationships with other files, URLs, domains, and IPs

  • Community comments and votes

  • Signature information (digital signatures, if present)

Common Use Cases:

  • Incident response: Validate if a suspicious file is malicious

  • Threat hunting: Research known malware samples

  • Malware analysis: Get context about a file before deeper investigation

  • IOC enrichment: Add threat intelligence to indicators of compromise

Args: hash_value: File hash in MD5, SHA1, or SHA256 format (case-insensitive).

Returns: JSON string containing comprehensive threat intelligence data including: - Detection statistics (e.g., 45/70 engines detected as malicious) - File attributes and metadata - Last analysis date and statistics - Community reputation score - Related threat intelligence - MITRE ATT&CK techniques (if applicable)

Examples: MD5: "44d88612fea8a8f36de82e1278abb02f" SHA1: "3395856ce81f2b7382dee72602f798b642f14140" SHA256: "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Results are cached by VirusTotal and may not reflect real-time scans - File must have been previously submitted to VirusTotal to have results - Private API keys have higher rate limits and additional features

Not Found Response: When a hash is not found, returns a JSON response with this structure: { "found": false, "resource": "hash_value", "resource_type": "file", "message": "File hash 'hash_value' was not found in VirusTotal's database..." }

Raises: ThreatIntelligenceClientError: If there's an error communicating with the API (not for not-found cases). RuntimeError: If the API key is not configured.

threat_intel_by_urlA

Get threat intelligence and reputation information for a URL from VirusTotal/Google Threat Intelligence.

This tool queries VirusTotal's database to retrieve comprehensive threat intelligence about a URL, including reputation scores, detection results, and historical data.

What this tool provides:

  • URL reputation and detection status from 90+ security vendors

  • Historical analysis results

  • Associated files and malware

  • Redirection chains

  • SSL certificate information

  • WHOIS data for the domain

  • Related IPs and domains

  • Community comments and votes

  • Threat categories (phishing, malware, etc.)

Common Use Cases:

  • Email security: Check if URLs in emails are malicious

  • Web filtering: Validate URL safety before allowing access

  • Incident response: Investigate suspicious URLs from logs

  • Phishing detection: Identify phishing sites

  • Threat hunting: Research known malicious infrastructure

Args: url: The URL to query (must be a valid HTTP/HTTPS URL).

Returns: JSON string containing comprehensive threat intelligence data including: - Detection statistics from security vendors - URL categories and tags - Last analysis timestamp - Reputation score - Related files and domains - SSL certificate details - Redirection information

Examples: "https://example.com/suspicious-page" "http://malicious-domain.test/payload.exe" "https://phishing-site.example/login"

Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - VirusTotal may scan the URL if it hasn't been analyzed recently - Results include historical data and may not reflect current state - Scanning a URL will visit the site, which may have privacy implications - Private API keys have higher rate limits and additional features - When a URL is not found, returns a structured JSON response with found=false

Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured.

threat_intel_by_domainA

Get threat intelligence for a domain from VirusTotal/Google Threat Intelligence.

This tool queries VirusTotal's database to retrieve comprehensive threat intelligence about a domain name, including reputation, detection results, WHOIS data, and relationships.

What this tool provides:

  • Domain reputation and detection status from 90+ security vendors

  • WHOIS registration information

  • DNS resolution history

  • Associated files, URLs, and IP addresses

  • SSL certificates

  • Subdomains discovered

  • Threat categories (malware, phishing, etc.)

  • Historical analysis data

  • Community reputation scores

Common Use Cases:

  • Investigate suspicious domains from email headers or logs

  • Research command & control infrastructure

  • Validate domain reputation before allowing access

  • Identify malicious infrastructure in incident response

  • Threat hunting for known bad actor domains

Args: domain: The domain name to query (e.g., "example.com").

Returns: JSON string containing comprehensive threat intelligence data including: - Detection statistics from security vendors - WHOIS registration details - DNS records and resolution history - Related malware, IPs, and URLs - Reputation score and categories - SSL certificate information

Examples: "google.com" "malicious-c2.example.com" "phishing-site.test"

Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Results include historical data aggregated over time - Private API keys have higher rate limits - When a domain is not found, returns a structured JSON response with found=false

Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured.

threat_intel_by_ipA

Get threat intelligence for an IP address from VirusTotal/Google Threat Intelligence.

This tool queries VirusTotal's database to retrieve comprehensive threat intelligence about an IP address, including reputation, geolocation, ASN data, and relationships.

What this tool provides:

  • IP reputation and detection status from 90+ security vendors

  • Geolocation data (country, city, coordinates)

  • ASN (Autonomous System Number) and network owner

  • Associated files, URLs, and domains

  • Passive DNS data

  • Historical analysis results

  • Open ports and services (if available)

  • Threat categories and tags

  • Community reputation scores

Common Use Cases:

  • Investigate suspicious IPs from firewall logs

  • Research malware C2 servers

  • Validate IP reputation before allowing connections

  • Identify attacker infrastructure in incident response

  • Threat hunting for known malicious IPs

  • Network forensics and attribution

Args: ip_address: The IP address to query (IPv4 or IPv6).

Returns: JSON string containing comprehensive threat intelligence data including: - Detection statistics from security vendors - Geolocation and network information - ASN and owner details - Related malware, domains, and URLs - Reputation score and categories - Historical connection data

Examples: "8.8.8.8" "192.168.1.1" "2001:4860:4860::8888"

Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Results include historical data aggregated over time - Private/internal IPs may have limited or no data - Private API keys have higher rate limits - When an IP is not found, returns a structured JSON response with found=false

Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured.

threat_intel_get_file_relationshipsA

Get relationships for a file hash from VirusTotal (network IOCs and related files).

This tool extracts relationship data from a file's VirusTotal analysis, revealing network infrastructure (domains, IPs, URLs) contacted by the file, as well as related files. This is essential for pivoting from files to network indicators and building comprehensive threat intelligence profiles.

Available relationship types:

  • contacted_domains: Domains contacted during execution

  • contacted_ips: IP addresses contacted during execution

  • contacted_urls: URLs contacted during execution

  • similar_files: Files with similar characteristics

  • execution_parents: Files that executed this file

  • bundled_files: Files bundled/dropped by this file

  • compressed_parents: Archives containing this file

  • overlay_parents: Parent files with overlays

What this tool provides:

  • Network infrastructure IOCs (domains, IPs, URLs)

  • File lineage and relationships

  • Dropped/bundled files

  • Similar malware samples

  • Execution chain information

Common Use Cases:

  • Extract network IOCs from malware samples

  • Build threat intelligence from file analysis

  • Pivot from files to domains/IPs for blocking

  • Identify related malware families

  • Map malware infrastructure and campaigns

  • Enrich incident response with related indicators

Args: hash_value: The file hash (MD5, SHA1, or SHA256) to query. relationship_type: The type of relationship to retrieve (e.g., 'contacted_domains').

Returns: JSON string containing: - relationships: Array of related objects with full details (up to 100) - count: Number of relationships found

Examples: hash_value="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", relationship_type="contacted_domains"

hash_value="44d88612fea8a8f36de82e1278abb02f",
relationship_type="contacted_ips"

Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Returns up to 100 relationships (the API maximum) - Not all files have all relationship types - Relationship data comes from sandbox execution - Private API keys have access to more relationship types - When a hash or relationship is not found, returns a structured JSON response with found=false - IMPORTANT: Do NOT call this tool repeatedly with the same parameters. It returns the same data each time, not additional results.

Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured.

threat_intel_searchA

Search VirusTotal Intelligence with advanced queries for threat hunting.

This tool allows searching the entire VirusTotal dataset using powerful query syntax to find files matching specific criteria. Essential for proactive threat hunting, malware research, and discovering related samples.

Query Syntax Examples:

  • File type: type:peexe type:pdf type:apk

  • Size: size:90kb+ size:1mb-5mb

  • Detections: positives:5+ engines:kaspersky

  • Time: fs:2024-01-01+ ls:7d-

  • Behavior: behavior:"contacts C2"

  • Tags: tag:ransomware tag:trojan

  • Strings: content:"malicious string"

  • Imports: imports:CreateRemoteThread

  • Certificates: signature:"Company Name"

What this tool provides:

  • Search results matching your criteria

  • File metadata and detection statistics

  • Comprehensive threat intelligence per result

  • Ability to hunt for specific malware characteristics

  • IOC discovery and threat research capabilities

Common Use Cases:

  • Threat hunting: Find files with specific behaviors or characteristics

  • Malware research: Discover related samples and families

  • IOC expansion: Find files using known infrastructure

  • Campaign tracking: Identify malware from specific actors

  • Signature development: Research samples for detection rules

  • Incident response: Find similar threats in your environment

Args: query: VT Intelligence search query using the VirusTotal query syntax.

Returns: JSON string containing: - results: Array of matching files with full details (up to 10) - count: Number of results returned - query: The search query used

Examples: query="type:peexe size:90kb+ positives:10+" query="behavior_network:C2 tag:ransomware" query="signature:'Microsoft Corporation' positives:0"

Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Intelligence search requires a VirusTotal Premium/Enterprise API key - Returns up to 10 results per query - Complex queries may take longer to execute - Query syntax documentation: https://docs.virustotal.com/docs/intelligence-search - IMPORTANT: Do NOT call this tool repeatedly with the same parameters. It returns the same data each time, not additional results. Use different search queries to find different files.

Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured or lacks Intelligence access.

threat_intel_get_file_behaviorA

Get detailed behavioral analysis report for a file from VirusTotal sandboxes.

This tool retrieves sandbox execution reports that show what a file does when run, including process activity, network connections, file operations, registry changes, and MITRE ATT&CK techniques. Essential for understanding malware capabilities and identifying detection opportunities.

What this tool provides:

  • Process tree and execution flow

  • Network connections (IPs, domains, URLs contacted)

  • File system operations (files created, modified, deleted)

  • Registry modifications

  • MITRE ATT&CK TTPs (Tactics, Techniques, Procedures)

  • API calls and system interactions

  • Behavioral signatures matched

  • Mutex/synchronization objects

  • Memory operations

Common Use Cases:

  • Malware analysis: Understand what a file does when executed

  • Detection engineering: Identify behavioral indicators for rules

  • Incident response: Determine malware capabilities and impact

  • Threat intelligence: Extract TTPs for threat profiling

  • IOC extraction: Get network and file system indicators

  • Attribution: Identify techniques used by specific threat actors

Args: hash_value: The file hash (SHA256 preferred) to query. sandbox: Optional specific sandbox name (e.g., 'VirusTotal Jujubox', 'C2AE'). If not specified, returns the default/first available report.

Returns: JSON string containing detailed behavioral analysis (up to 50 reports) including: - Processes created and their relationships - Network activity (DNS, HTTP, TCP/IP) - File system operations - Registry operations - MITRE ATT&CK techniques - Behavioral signatures - Sandbox metadata (environment, time)

Examples: hash_value="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" hash_value="44d88612fea8a8f36de82e1278abb02f", sandbox="VirusTotal Jujubox"

Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Only SHA256 hashes are supported for behavior reports - Returns up to 50 behavior reports - Not all files have behavioral analysis (requires sandbox execution) - Multiple sandbox environments may have analyzed the same file - Reports reflect behavior in a controlled sandbox environment - Private API keys have access to more detailed reports - When no behavior report is found, returns a structured JSON response with found=false - IMPORTANT: Do NOT call this tool repeatedly with the same parameters. It returns the same data each time, not additional results.

Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured.

cve_search_by_idA

Get detailed information about a specific CVE by its identifier.

This tool queries the CVE database to retrieve comprehensive vulnerability information including description, CVSS scores, affected products, references, and remediation guidance.

What this tool provides:

  • CVE description and summary

  • CVSS v2 and v3 scores with vector strings

  • Affected products and versions (CPE format)

  • References to advisories, patches, and exploits

  • CWE (Common Weakness Enumeration) mappings

  • Publication and modification timestamps

  • Impact ratings and severity

Common Use Cases:

  • Security research and vulnerability assessment

  • Incident response investigations

  • Patch management prioritization

  • Security advisory creation

  • Compliance reporting

Args: cve_id: The CVE identifier in the format CVE-YYYY-NNNNN (e.g., CVE-2024-47176, CVE-2023-12345)

Returns: JSON string containing comprehensive CVE details including: - id: CVE identifier - summary: Vulnerability description - cvss: CVSS v2 score - cvss3: CVSS v3 score with full metrics - vulnerable_configuration: List of affected CPEs - references: Links to advisories and patches - cwe: Common Weakness Enumeration identifier - Published: Publication timestamp - Modified: Last modification timestamp

Examples: "CVE-2024-47176" - Recent vulnerability "CVE-2023-12345" - Search any CVE from any year "CVE-2021-44228" - Log4Shell vulnerability

Notes: - Data sourced from cve-search.org (CIRCL.LU) - No API key required - Database updated regularly from NVD and other sources - Returns detailed CAPEC, CWE, and CPE expansions

Not Found Response: When a CVE is not found, returns a JSON response with this structure: { "found": false, "resource": "CVE-YYYY-NNNNN", "resource_type": "cve", "message": "CVE-YYYY-NNNNN not found in the CVE database." }

Raises: CVEClientError: If there's an error communicating with the API (not for not-found cases).

cve_search_by_vendorA

Search for CVEs by vendor name and optionally filter by product.

This tool searches the CVE database for vulnerabilities affecting specific vendors and their products. Can be used to browse available products or get a comprehensive list of CVEs for a vendor/product combination.

What this tool provides:

  • List of CVEs for a specific vendor/product

  • Available products for a vendor (when product not specified)

  • Complete CVE details for each result

  • Sorted by severity and recency

Common Use Cases:

  • Asset vulnerability scanning

  • Vendor risk assessment

  • Product-specific security monitoring

  • Patch management planning

  • Security posture evaluation

Args: vendor: The vendor name (case-insensitive, use lowercase). Examples: 'microsoft', 'apache', 'cisco', 'linux', 'oracle' product: Optional product name (case-insensitive, use lowercase). Examples: 'office', 'httpd', 'ios', 'kernel', 'database' If omitted, returns list of available products for the vendor.

Returns: When product is specified: - JSON string containing array of CVE objects with full details

When product is omitted:
- JSON string containing array of available product names for that vendor

Examples: Search CVEs: vendor="microsoft", product="windows" Search CVEs: vendor="apache", product="httpd" List products: vendor="cisco" (product omitted) List products: vendor="linux" (product omitted)

Notes: - Vendor/product names should be lowercase - Use underscores or hyphens as they appear in CPE names - Product browsing helps discover correct product names - Results may include multiple product versions - No API key required - When vendor/product is not found, returns a structured JSON response with found=false

Raises: CVEClientError: If there's an error communicating with the API.

cve_database_statusA

Get information about the CVE database status and last update time.

This tool provides metadata about the CVE database including when it was last updated and how many CVEs it contains. Useful for determining data freshness and database health.

What this tool provides:

  • Last database update timestamp

  • Total CVE count in database

  • Database version information

  • Data source information

Common Use Cases:

  • Verify data freshness

  • Check database health

  • Compliance documentation

  • Data quality assurance

  • Integration monitoring

Returns: JSON string containing database metadata: - Last update timestamp (ISO 8601 format) - Total number of CVEs - Database version - Data sources

Notes: - Database typically updates multiple times daily - Sources include NVD, vendor advisories, and community feeds - No API key required

Raises: CVEClientError: If there's an error communicating with the API.

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Sentinel-One/purple-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server