Purple AI MCP Server
OfficialServer Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| PURPLEMCP_CONSOLE_TOKEN | Yes | Service user token (Account or Site level) | |
| PURPLEMCP_STATELESS_HTTP | No | Enable stateless HTTP mode for serverless deployments (e.g., Amazon Bedrock AgentCore) | false |
| PURPLEMCP_TRANSPORT_MODE | No | MCP transport mode: stdio (default), sse, or streamable-http | stdio |
| PURPLEMCP_CONSOLE_BASE_URL | Yes | Console URL (e.g., https://console.sentinelone.net) |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": true
} |
| prompts | {
"listChanged": false
} |
| resources | {
"subscribe": false,
"listChanged": false
} |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| purple_aiA | Interact with SentinelOne's Purple AI, a cybersecurity assistant that helps you investigate threats, generate PowerQueries, and answer questions about SentinelOne. Purple AI understands natural language and converts your questions into structured security queries, or answers in plain language. What Purple AI can do:
What Purple AI can't do:
How to ask good questions Purple AI works best when your questions are:
Example questions:
DO NOT instruct Purple AI to "Generate a Powerquery to ...". Instead, just say what you are looking for. Example: - GOOD: "Is APT-1337 in my environment?" - BAD: "Generate a PowerQuery to determine if APT-1337 is in my environment, including their typical tools, processes, and TTPs." Tips for writing questions
|
| powerqueryA | Execute advanced PowerQuery analytics on data in SentinelOne's Singularity Data Lake for complex threat hunting and data analysis. PowerQuery is SentinelOne's high-performance query language for searching, transforming, and aggregating telemetry and log data in the Scalyr and Singularity XDR platforms. It uses a pipeline-based syntax for filtering, grouping, computing, and summarizing large-scale unstructured data. SentinelOne PowerQuery is not the same as Microsoft PowerQuery. It also looks somewhat like Splunk SPL but is not the same language. IMPORTANT: You should ALWAYS use the purple_ai() tool to generate PowerQueries for this tool based on natural language. It is very unlikely you know how to write PowerQueries yourself. If a user gives you a specific PowerQuery that wasn't generated by Purple AI, run it EXACTLY as sent. DO NOT modify the user's input, pass it directly to this tool. Args: query: The PowerQuery string to execute start_datetime: Start time in ISO 8601 format. ISO 8601 is the international standard for datetime representation: YYYY-MM-DDTHH:MM:SS with timezone offset. MUST include timezone offset (Z for UTC or ±HH:MM for local time). Examples: "2024-01-15T10:30:00Z" (UTC/Zulu time), "2024-01-15T10:30:00+05:00" (UTC+5 hours, e.g., Asia/Karachi), "2024-01-15T10:30:00-08:00" (UTC-8 hours, e.g., US Pacific), "2024-01-15T10:30:00.123456+02:00" (with microseconds, UTC+2) end_datetime: End time in ISO 8601 format. Same format requirements as start_datetime. Must be later than start_datetime. Examples: "2024-01-15T11:30:00Z" (UTC), "2024-01-15T11:30:00+05:00" (UTC+5, same timezone as start), "2024-01-15T11:30:00-08:00" (UTC-8, same timezone as start) Time Range Guidelines:
Understanding Results:
|
| get_timestamp_rangeC | Generate time range timestamps for PowerQuery analytics in SentinelOne's Singularity Data Lake. |
| iso_to_unix_timestampA | Convert an ISO 8601 datetime string to a UNIX timestamp in milliseconds (UTC). This tool accepts datetime strings in ISO 8601 format and converts them to UNIX timestamps (milliseconds since epoch: January 1, 1970 00:00:00 UTC). This is essential for datetime filter queries in Purple Alert, Vulnerability, Misconfiguration, and Inventory searches. IMPORTANT: You should provide datetime inputs in the user's preferred timezone. This tool will automatically convert them to UTC timestamps for use in API queries. For example, if the user asks for "October 30, 2024 at 8 AM Eastern Time", you should submit "2024-10-30T08:00:00-04:00" (not convert it yourself to UTC). Args: iso_datetime (str): An ISO 8601 formatted datetime string. Examples: - "2025-10-30T12:00:00Z" (UTC with 'Z' suffix) - "2025-10-30T12:00:00+00:00" (UTC with explicit offset) - "2025-10-30T08:00:00-04:00" (Eastern Time with offset) - "2025-10-30T17:00:00+05:00" (IST/Pakistan Time with offset) - "2025-10-30T12:00:00" (no timezone - treated as UTC) Returns: str: The UNIX timestamp in milliseconds (UTC) as a JSON number string. Example: "1761825600000" Common Use Cases: - Converting user-friendly datetime inputs to UNIX timestamps for API queries - Handling datetimes across different time zones automatically - Preparing datetime filters for Alert, Vulnerability, Misconfiguration, and Inventory searches Examples: Input: "2025-10-30T12:00:00Z" (noon UTC) Output: "1761825600000" Raises: ValueError: If the input string is not a valid ISO 8601 datetime format. Notes: - All timestamps are returned in milliseconds (not seconds or nanoseconds) - All timestamps represent UTC time regardless of input timezone - If no timezone is specified in input, UTC is assumed - The tool handles timezone conversion automatically - provide times in the user's local timezone |
| get_alertA | Get detailed information about a specific alert by ID. Retrieves comprehensive alert data including metadata, timing information, severity, status, associated assets, and analyst findings. Args: alert_id: The unique identifier of the alert (string). Returns: Detailed alert information in JSON format containing: - id: Unique alert identifier - externalId: External system identifier (if any) - severity: CRITICAL, HIGH, MEDIUM, LOW, INFO, UNKNOWN - status: NEW, IN_PROGRESS, RESOLVED, FALSE_POSITIVE - name: Alert title/name - description: Detailed description of the alert - detectedAt: ISO timestamp when alert was first detected - firstSeenAt: ISO timestamp of first occurrence (if different) - lastSeenAt: ISO timestamp of most recent occurrence - analystVerdict: Expert analysis result (if available) - classification: Alert category/type - confidenceLevel: Detection confidence score - dataSources: List of data sources that contributed to detection - detectionSource: {product, vendor} information - asset: Associated asset information {id, name, type} - assignee: Assigned user information {userId, email, fullName} - noteExists: Boolean indicating if notes are attached - result: Investigation outcome - storylineId: Associated storyline identifier - ticketId: Associated ticket identifier Common Use Cases: - Incident investigation and triage - Alert enrichment with contextual data - Status and assignment tracking - Evidence collection for security workflows Raises: RuntimeError: If there's an error retrieving the alert. ValueError: If alert_id is invalid or empty. |
| list_alertsA | List alerts with pagination and filtering capabilities. Retrieves a paginated list of alerts with basic filtering by assignment status. For advanced filtering by severity, status, time ranges, etc., use search_alerts instead. Args: first: Number of alerts to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional). Use pageInfo.endCursor from previous response to get next page. view_type: Assignment filter with options: - "ALL": Show all alerts (default) - "ASSIGNED_TO_ME": Only alerts assigned to current user - "UNASSIGNED": Only unassigned alerts - "MY_TEAM": Only alerts assigned to user's team fields: Optional JSON string containing an array of field names to return. If not specified, returns all default fields (including dataSources). Use minimal fields like '["id"]' when paging through intermediate results. Returns: Paginated alert list in JSON format containing: - edges: Array of alert objects (with requested fields only) - pageInfo: Pagination metadata - hasNextPage: Boolean indicating more results available - hasPreviousPage: Boolean indicating previous page exists - startCursor: Cursor for first item in current page - endCursor: Cursor for last item (use for next page) - totalCount: Total number of matching alerts (if available) Common Use Cases: - Dashboard alert feeds and overviews - Assignment-based alert distribution - Bulk alert processing workflows - Alert queue management Pagination Example: 1. Call with first=20 to get first 20 alerts 2. Use pageInfo.endCursor as 'after' parameter for next 20 3. Continue until pageInfo.hasNextPage is false IMPORTANT Performance Notes: - Cursor pagination is SEQUENTIAL ONLY - you cannot skip to arbitrary positions (e.g., cannot jump directly to "the 1532nd alert") - When paging through many results to reach a specific position, use fields=["id"] for intermediate pages to conserve context window - Use the totalCount field to understand the full result set size Raises: RuntimeError: If there's an error listing alerts. ValueError: If parameters are invalid. |
| search_alertsA | Search alerts using advanced filters and criteria. If a user is asking a "how many" type query, set the "first" field to 1 - "totalCount" is returned for any query. Args: filters: JSON string containing an array of filter objects (optional). Each filter object must have: - fieldId: String field name (use flattened camelCase names below) - filterType: One of the supported filter types below - isNegated: Optional boolean to negate the filter (default: false) Performance Note: When paging through many results, use fields='["id"]' for intermediate pages to conserve context window space. Use totalCount to gauge result set size. Returns: Filtered list of alerts in JSON format. Raises: RuntimeError: If there's an error searching alerts. ValueError: If parameters are invalid. Examples: CORRECT: filters=[ {"fieldId": "severity", "filterType": "string_in", "values": ["CRITICAL", "HIGH"]}, {"fieldId": "status", "filterType": "string_equals", "value": "NEW"}, {"fieldId": "alertNoteExists", "filterType": "boolean_equals", "value": false} ] |
| get_alert_notesA | Get all notes and comments associated with an alert. Retrieves all analyst notes, comments, and annotations attached to a specific alert. Notes provide context, analysis findings, investigation steps, and collaboration history. Args: alert_id: The unique identifier of the alert. Returns: List of notes in JSON format, each containing: - id: Unique note identifier - text: Note content/message - createdAt: ISO timestamp when note was created - author: User information {userId, email, fullName} - alertId: Associated alert identifier Common Use Cases: - Investigation documentation and collaboration - Tracking analyst findings and decisions - Audit trail for alert handling - Knowledge sharing between team members - Compliance and reporting requirements Note: Returns empty array if no notes exist. Check alert.noteExists field from get_alert to avoid unnecessary calls. Raises: RuntimeError: If there's an error retrieving alert notes. ValueError: If alert_id is invalid or empty. |
| get_alert_historyA | Get the complete audit history and timeline for an alert. Retrieves a chronological record of all actions, status changes, and events related to a specific alert. Provides full audit trail for compliance and investigation. Args: alert_id: The unique identifier of the alert. first: Number of history events to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional). Returns: Paginated chronological list in JSON format containing: - edges: Array of history events with: - createdAt: ISO timestamp when the event was created - eventText: Human-readable description of the event - eventType: Type of event (STATUS_CHANGED, ASSIGNMENT_CHANGED, NOTE_ADDED, etc.) - reportUrl: Optional URL to mitigation action report (if applicable) - historyItemCreator: Creator/author of the event (may be null for system events): - userId: User identifier - userType: Type of user (MDR, CONSOLE_USER, etc.) - pageInfo: Pagination metadata (same structure as list_alerts) Common Event Types: - status_change: Alert status modified (NEW → IN_PROGRESS, etc.) - assignment: Alert assigned/unassigned to user or team - severity_change: Severity level modified - note_added: Analyst note or comment added - verdict_change: Analyst verdict updated - escalation: Alert escalated to higher priority - integration_action: External system actions (ticket creation, etc.) Common Use Cases: - Compliance auditing and reporting - Investigation timeline reconstruction - Performance metrics and SLA tracking - Change management and accountability - Forensic analysis of alert handling Raises: RuntimeError: If there's an error retrieving alert history. ValueError: If parameters are invalid. |
| get_alert_investigation_reportA | Get the agentic auto-investigation report associated with an alert. Retrieves the comprehensive investigation report generated by Purple AI's Auto Investigations for a specific alert. This report includes analysis findings, evidence, conclusions, recommended actions, and a final verdict. Args: alert_id: The unique identifier of the alert. Returns: The agentic auto-investigation report in markdown format and the verdict. Common use cases: - Reviewing the auto-investigation summary - Understanding the final verdict and recommendations on an alert - Retrieving previous report to review detailed analysis and evidence Note: Returns None if no report exists. Raises: RuntimeError: If there's an error retrieving the alert report. ValueError: If alert_id is invalid or empty. |
| get_misconfigurationA | Get detailed information about a specific misconfiguration by ID. Retrieves comprehensive misconfiguration data including metadata, severity, affected assets, compliance information, remediation steps, and MITRE ATT&CK mappings. Args: misconfiguration_id: The unique identifier of the misconfiguration (string). Returns: Detailed misconfiguration information in JSON format containing: - id: Unique misconfiguration identifier - externalId: External system identifier - name: Misconfiguration title/name - description: Detailed description of the issue - severity: CRITICAL, HIGH, MEDIUM, LOW, INFO, UNKNOWN - status: NEW, IN_PROGRESS, ON_HOLD, RESOLVED, RISK_ACKED, SUPPRESSED, TO_BE_PATCHED - detectedAt: ISO timestamp when misconfiguration was detected - eventTime: ISO timestamp of the event - environment: Environment where detected (e.g., cloud, kubernetes) - product: Detection source product name - vendor: Detection source vendor name - asset: Associated asset information {id, name, type, category, cloudInfo, etc.} - scope: Organizational scope {account, site, group} - scopeLevel: account/site/group - analystVerdict: TRUE_POSITIVE or FALSE_POSITIVE - assignee: Assigned user information {id, email, fullName} - compliance: Compliance standards and requirements - remediation: Remediation steps and references - failedRules: List of failed security rules - findingData: Additional context and properties - mitreAttacks: MITRE ATT&CK technique mappings - cnapp: Cloud-native application protection details - evidence: Evidence data (files, IPs, ports, secrets, etc.) Common Use Cases: - Security posture assessment - Compliance auditing and reporting - Vulnerability management workflows - Cloud security remediation - Risk assessment and prioritization Raises: RuntimeError: If there's an error retrieving the misconfiguration. ValueError: If misconfiguration_id is invalid or empty. |
| list_misconfigurationsA | List misconfigurations with pagination and view filtering. Retrieves a paginated list of misconfigurations with filtering by environment type. For advanced filtering by severity, status, compliance, etc., use search_misconfigurations instead. Args: first: Number of misconfigurations to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional). Use pageInfo.endCursor from previous response to get next page. view_type: Environment filter with options: - "ALL": Show all misconfigurations (default) - "CLOUD": Cloud environment only - "KUBERNETES": Kubernetes environment only - "IDENTITY": Identity-related misconfigurations - "INFRASTRUCTURE_AS_CODE": IaC misconfigurations - "ADMISSION_CONTROLLER": Admission controller findings - "OFFENSIVE_SECURITY": Offensive security findings - "SECRET_SCANNING": Secret scanning findings fields: Optional JSON string containing an array of field names to return. If not specified, returns all default fields. Use minimal fields like '["id"]' when paging through intermediate results. Returns: Paginated misconfiguration list in JSON format containing: - edges: Array of misconfiguration objects - pageInfo: Pagination metadata - hasNextPage: Boolean indicating more results available - hasPreviousPage: Boolean indicating previous page exists - startCursor: Cursor for first item in current page - endCursor: Cursor for last item (use for next page) - totalCount: Total number of matching misconfigurations Common Use Cases: - Security dashboard feeds - Environment-specific security reviews - Bulk remediation workflows - Compliance reporting by scope - Cloud security posture management Pagination Example: 1. Call with first=20 to get first 20 misconfigurations 2. Use pageInfo.endCursor as 'after' parameter for next 20 3. Continue until pageInfo.hasNextPage is false Raises: RuntimeError: If there's an error listing misconfigurations. ValueError: If parameters are invalid. |
| search_misconfigurationsA | Search misconfigurations using advanced filters and criteria. Args: filters: JSON string containing an array of filter objects (optional). Each filter object must have: - fieldId: String field name - MUST use flattened camelCase names (see Valid Field Names below) - filterType: One of the supported filter types below - isNegated: Optional boolean to negate the filter (default: false) Performance Note: When paging through many results, use fields='["id"]' for intermediate pages to conserve context window space. Use totalCount to gauge result set size. Returns: Filtered list of misconfigurations in JSON format. Raises: RuntimeError: If there's an error searching misconfigurations. ValueError: If parameters are invalid. Examples: CORRECT: filters=[ {"fieldId": "severity", "filterType": "string_equals", "value": "CRITICAL"}, {"fieldId": "status", "filterType": "string_in", "values": ["NEW", "IN_PROGRESS"]}, {"fieldId": "assetCloudRegion", "filterType": "string_in", "values": ["us-east-1", "us-west-2"]} ] WRONG: filters=[ {"fieldId": "asset.name", "filterType": "fulltext", "values": ["test"]}, # Use "assetName" not "asset.name" {"fieldId": "evidence.secret.hash", "filterType": "string_equals", "value": "abc123"}, # Use "secretHash" not "evidence.secret.hash" {"fieldId": "severity", "filterType": "EQUALS", "value": "CRITICAL"} # Use "string_equals" not "EQUALS" ] |
| get_misconfiguration_notesA | Get all notes and comments associated with a misconfiguration. Retrieves all analyst notes, comments, and annotations attached to a specific misconfiguration. Notes provide context, analysis findings, remediation steps, and collaboration history. Args: misconfiguration_id: The unique identifier of the misconfiguration. Returns: List of notes in JSON format, each containing: - id: Unique note identifier - misconfigurationId: Associated misconfiguration identifier - text: Note content/message - author: User information {id, email, fullName, deleted} - createdAt: ISO timestamp when note was created - updatedAt: ISO timestamp when note was last updated (if applicable) Common Use Cases: - Remediation documentation and collaboration - Tracking analyst findings and decisions - Audit trail for security issue handling - Knowledge sharing between security teams - Compliance and reporting requirements Raises: RuntimeError: If there's an error retrieving misconfiguration notes. ValueError: If misconfiguration_id is invalid or empty. |
| get_misconfiguration_historyA | Get the complete audit history and timeline for a misconfiguration. Retrieves a chronological record of all actions, status changes, and events related to a specific misconfiguration. Provides full audit trail for compliance and investigation. Args: misconfiguration_id: The unique identifier of the misconfiguration. first: Number of history events to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional). Returns: Paginated chronological list in JSON format containing: - edges: Array of history events with: - eventType: Type of event (CREATION, STATUS, ANALYST_VERDICT, USER_ASSIGNMENT, NOTES, WORKFLOW_ACTION) - eventText: Human-readable description of the event - createdAt: ISO timestamp when event occurred - pageInfo: Pagination metadata (same structure as list_misconfigurations) Common Event Types: - CREATION: Misconfiguration first detected - STATUS: Status changed (NEW → IN_PROGRESS, etc.) - ANALYST_VERDICT: Verdict updated (TRUE_POSITIVE/FALSE_POSITIVE) - USER_ASSIGNMENT: Assigned/unassigned to user - NOTES: Note or comment added - WORKFLOW_ACTION: Automated action or workflow step Common Use Cases: - Compliance auditing and reporting - Investigation timeline reconstruction - Performance metrics and SLA tracking - Change management and accountability - Security posture trend analysis Raises: RuntimeError: If there's an error retrieving misconfiguration history. ValueError: If parameters are invalid. |
| get_vulnerabilityA | Get detailed information about a specific vulnerability by ID. Retrieves comprehensive vulnerability data including CVE details, affected assets, risk scores, EPSS metrics, exploit maturity, and remediation information. Args: vulnerability_id: The unique identifier of the vulnerability (string). Returns: Detailed vulnerability information in JSON format containing: - id: Unique vulnerability identifier - externalId: External system identifier - name: Vulnerability title/name - severity: CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN - status: NEW, IN_PROGRESS, ON_HOLD, RESOLVED, RISK_ACKED, SUPPRESSED, TO_BE_PATCHED - detectedAt: ISO timestamp when vulnerability was detected - lastSeenAt: ISO timestamp of most recent occurrence - updatedAt: ISO timestamp of last update - product: Detection source product name - vendor: Detection source vendor name - asset: Associated asset information {id, name, type, category, cloudInfo, etc.} - scope: Organizational scope {account, site, group} - scopeLevel: account/site/group - cve: CVE details including: - id: CVE identifier (CVE-YYYY-NNNN) - description: CVE description - nvdBaseScore: NVD base score - riskScore: SentinelOne risk score - publishedDate: Publication date - epssScore: EPSS probability score - epssPercentile: EPSS percentile - exploitMaturity: Exploit code maturity level - exploitedInTheWild: Boolean indicating active exploitation - kevAvailable: CISA KEV catalog availability - s1BaseValues: CVSS vector components - riskIndicators: Additional risk indicators - timeline: CVE timeline events - software: Affected software {name, version, fixVersion, type, vendor} - findingData: Additional context and properties - paidScope: Whether under paid scope - remediationInsightsAvailable: Remediation insights availability - selfLink: Link to the vulnerability details - analystVerdict: TRUE_POSITIVE or FALSE_POSITIVE - assignee: Assigned user information {id, email, fullName} - exclusionPolicyId: Exclusion policy identifier if applicable Common Use Cases: - Vulnerability assessment and prioritization - CVE research and analysis - Risk scoring and exposure analysis - Patch management workflows - Compliance reporting Raises: RuntimeError: If there's an error retrieving the vulnerability. ValueError: If vulnerability_id is invalid or empty. |
| list_vulnerabilitiesA | List vulnerabilities with pagination. Retrieves a paginated list of vulnerabilities in the environment. For advanced filtering by severity, CVE, asset type, etc., use search_vulnerabilities instead. Args: first: Number of vulnerabilities to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional). Use pageInfo.endCursor from previous response to get next page. fields: Optional JSON string containing an array of field names to return. If not specified, returns all default fields. Use minimal fields like '["id"]' when paging through intermediate results. Returns: Paginated vulnerability list in JSON format containing: - edges: Array of vulnerability objects - pageInfo: Pagination metadata - hasNextPage: Boolean indicating more results available - hasPreviousPage: Boolean indicating previous page exists - startCursor: Cursor for first item in current page - endCursor: Cursor for last item (use for next page) - totalCount: Total number of matching vulnerabilities Common Use Cases: - Vulnerability dashboard feeds - Security posture overview - Bulk vulnerability processing - Patch priority queues - Compliance reporting Pagination Example: 1. Call with first=20 to get first 20 vulnerabilities 2. Use pageInfo.endCursor as 'after' parameter for next 20 3. Continue until pageInfo.hasNextPage is false Raises: RuntimeError: If there's an error listing vulnerabilities. ValueError: If parameters are invalid. |
| search_vulnerabilitiesA | Search vulnerabilities using advanced filters and criteria. Args: filters: JSON string containing an array of filter objects (optional). Each filter object must have: - fieldId: String field name - MUST use flattened camelCase names (see Valid Field Names below) - filterType: One of the supported filter types below - isNegated: Optional boolean to negate the filter (default: false) Performance Note: When paging through many results, use fields='["id"]' for intermediate pages to conserve context window space. Use totalCount to gauge result set size. Returns: Filtered list of vulnerabilities in JSON format. Raises: RuntimeError: If there's an error searching vulnerabilities. ValueError: If parameters are invalid. Examples: CORRECT: filters=[ {"fieldId": "severity", "filterType": "string_equals", "value": "CRITICAL"}, {"fieldId": "cveExploitedInTheWild", "filterType": "boolean_equals", "value": true}, {"fieldId": "assetType", "filterType": "string_in", "values": ["SERVER", "WORKSTATION"]} ] WRONG: filters=[ {"fieldId": "cve.id", "filterType": "string_equals", "value": "CVE-2024-1234"}, # Use "cveId" not "cve.id" {"fieldId": "asset.name", "filterType": "fulltext", "values": ["test"]}, # Use "assetName" not "asset.name" {"fieldId": "severity", "filterType": "EQUALS", "value": "CRITICAL"} # Use "string_equals" not "EQUALS" ] |
| get_vulnerability_notesA | Get all notes and comments associated with a vulnerability. Retrieves all analyst notes, comments, and annotations attached to a specific vulnerability. Notes provide context, analysis findings, remediation steps, and collaboration history. Args: vulnerability_id: The unique identifier of the vulnerability. Returns: List of notes in JSON format, each containing: - id: Unique note identifier - vulnerabilityId: Associated vulnerability identifier - text: Note content/message - author: User information {id, email, fullName, deleted} - createdAt: ISO timestamp when note was created - updatedAt: ISO timestamp when note was last updated (if applicable) Common Use Cases: - Vulnerability analysis documentation - Tracking security team findings and decisions - Audit trail for vulnerability handling - Knowledge sharing between security analysts - Compliance and reporting requirements Raises: RuntimeError: If there's an error retrieving vulnerability notes. ValueError: If vulnerability_id is invalid or empty. |
| get_vulnerability_historyA | Get the complete audit history and timeline for a vulnerability. Retrieves a chronological record of all actions, status changes, and events related to a specific vulnerability. Provides full audit trail for compliance and investigation. Args: vulnerability_id: The unique identifier of the vulnerability. first: Number of history events to retrieve (1-100, default: 10). after: Pagination cursor from previous response (optional). Returns: Paginated chronological list in JSON format containing: - edges: Array of history events with: - eventType: Type of event (CREATION, STATUS, ANALYST_VERDICT, USER_ASSIGNMENT, NOTES, WORKFLOW_ACTION) - eventText: Human-readable description of the event - createdAt: ISO timestamp when event occurred - pageInfo: Pagination metadata (same structure as list_vulnerabilities) Common Event Types: - CREATION: Vulnerability first detected - STATUS: Status changed (NEW → IN_PROGRESS, etc.) - ANALYST_VERDICT: Verdict updated (TRUE_POSITIVE/FALSE_POSITIVE) - USER_ASSIGNMENT: Assigned/unassigned to user - NOTES: Note or comment added - WORKFLOW_ACTION: Automated action or workflow step Common Use Cases: - Compliance auditing and reporting - Investigation timeline reconstruction - Performance metrics and SLA tracking - Change management and accountability - Vulnerability lifecycle analysis Raises: RuntimeError: If there's an error retrieving vulnerability history. ValueError: If parameters are invalid. |
| get_inventory_itemA | Get detailed information about a specific managed asset in SentinelOne by ID. Use this tool to retrieve information about SentinelOne managed assets such as computers, servers, workstations, cloud resources, and network devices. Args: item_id: The unique identifier of the inventory item. fetch_fields: Field filtering. Either: - Preset name: "MINIMAL", "STANDARD", or "ALL" (default: "ALL") * MINIMAL: 7 core fields (id, name, category, etc.) * STANDARD: 13 fields (MINIMAL + operational context) * ALL: All available fields (~200+ fields) - List of specific field names in camelCase: Examples: ["id", "name", "resourceType"] ["id", "osVersion", "ipAddress", "lastActiveDt"] Defaults to "ALL" to return complete asset information. Returns: JSON string containing the requested fields (keys use camelCase format). Fields without values are excluded from the output. Raises: ValueError: If item_id is invalid or empty, or fetch_fields is invalid. InventoryAuthenticationError: If authentication fails. InventoryNetworkError: If network operation fails. InventoryAPIError: If the API returns an error. InventoryClientError: For other client-level errors. |
| list_inventory_itemsA | List managed assets in SentinelOne with pagination and optional filtering. Use this tool to browse SentinelOne managed assets including computers, servers, workstations, cloud resources, and network-discovered devices. Args: limit: Number of items to retrieve (1-1000, default: 50). skip: Number of items to skip for pagination (default: 0). surface: Optional surface filter: - "ENDPOINT": Endpoint assets (agents, workstations, servers, computers) - "CLOUD": Cloud resources (AWS, Azure, GCP) - "IDENTITY": Identity entities (AD, Entra ID) - "NETWORK_DISCOVERY": Network-discovered devices (Ranger) fetch_fields: Field filtering. Either: - Preset name: "MINIMAL", "STANDARD", or "ALL" (default: "MINIMAL") * MINIMAL: 7 core fields (id, name, category, etc.) - fastest * STANDARD: 13 fields (MINIMAL + operational context) * ALL: All available fields (~200+ fields) - slowest - List of specific field names in camelCase: Examples: ["id", "name", "category"] ["id", "resourceType", "assetStatus", "lastActiveDt"] Use fetch_fields="ALL" on a single item to discover all field names. Defaults to "MINIMAL" for optimal performance with list operations. Returns: JSON string with paginated inventory items containing only requested fields. Field keys use camelCase format. Fields without values are excluded from the output. Includes pagination metadata. Raises: ValueError: If parameters are invalid, or fetch_fields is invalid. InventoryAuthenticationError: If authentication fails. InventoryNetworkError: If network operation fails. InventoryAPIError: If the API returns an error. InventoryClientError: For other client-level errors. |
| search_inventory_itemsA | Search for managed assets in SentinelOne using REST API filters. Use this tool to find specific SentinelOne managed assets such as computers, servers, workstations, cloud resources, and network devices by various criteria (name, type, status, tags, etc.). Multiple filters are combined with AND logic. Note: For surface-specific filtering (ENDPOINT, CLOUD, IDENTITY, NETWORK_DISCOVERY), use the list_inventory_items tool instead, which supports surface filtering via GET. Args: filters: JSON string containing filter dictionary (optional, default: {}). Use REST API filter format with field names in camelCase. Returns: JSON string with filtered inventory items containing only requested fields. Field keys use camelCase format. Fields without values are excluded from the output. Includes pagination metadata. Returns empty list if no matches found. Raises: ValueError: If filters JSON is invalid, parameters are out of range, or fetch_fields is invalid. InventoryAuthenticationError: If authentication fails. InventoryNetworkError: If network operation fails. InventoryAPIError: If the API returns an error. InventoryClientError: For other client-level errors. |
| threat_intel_by_hashA | Get threat intelligence for a file hash from VirusTotal/Google Threat Intelligence. This tool queries VirusTotal's database to retrieve comprehensive threat intelligence about a file based on its cryptographic hash. The hash can be in MD5, SHA1, or SHA256 format. What this tool provides:
Common Use Cases:
Args: hash_value: File hash in MD5, SHA1, or SHA256 format (case-insensitive). Returns: JSON string containing comprehensive threat intelligence data including: - Detection statistics (e.g., 45/70 engines detected as malicious) - File attributes and metadata - Last analysis date and statistics - Community reputation score - Related threat intelligence - MITRE ATT&CK techniques (if applicable) Examples: MD5: "44d88612fea8a8f36de82e1278abb02f" SHA1: "3395856ce81f2b7382dee72602f798b642f14140" SHA256: "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Results are cached by VirusTotal and may not reflect real-time scans - File must have been previously submitted to VirusTotal to have results - Private API keys have higher rate limits and additional features Not Found Response: When a hash is not found, returns a JSON response with this structure: { "found": false, "resource": "hash_value", "resource_type": "file", "message": "File hash 'hash_value' was not found in VirusTotal's database..." } Raises: ThreatIntelligenceClientError: If there's an error communicating with the API (not for not-found cases). RuntimeError: If the API key is not configured. |
| threat_intel_by_urlA | Get threat intelligence and reputation information for a URL from VirusTotal/Google Threat Intelligence. This tool queries VirusTotal's database to retrieve comprehensive threat intelligence about a URL, including reputation scores, detection results, and historical data. What this tool provides:
Common Use Cases:
Args: url: The URL to query (must be a valid HTTP/HTTPS URL). Returns: JSON string containing comprehensive threat intelligence data including: - Detection statistics from security vendors - URL categories and tags - Last analysis timestamp - Reputation score - Related files and domains - SSL certificate details - Redirection information Examples: "https://example.com/suspicious-page" "http://malicious-domain.test/payload.exe" "https://phishing-site.example/login" Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - VirusTotal may scan the URL if it hasn't been analyzed recently - Results include historical data and may not reflect current state - Scanning a URL will visit the site, which may have privacy implications - Private API keys have higher rate limits and additional features - When a URL is not found, returns a structured JSON response with found=false Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured. |
| threat_intel_by_domainA | Get threat intelligence for a domain from VirusTotal/Google Threat Intelligence. This tool queries VirusTotal's database to retrieve comprehensive threat intelligence about a domain name, including reputation, detection results, WHOIS data, and relationships. What this tool provides:
Common Use Cases:
Args: domain: The domain name to query (e.g., "example.com"). Returns: JSON string containing comprehensive threat intelligence data including: - Detection statistics from security vendors - WHOIS registration details - DNS records and resolution history - Related malware, IPs, and URLs - Reputation score and categories - SSL certificate information Examples: "google.com" "malicious-c2.example.com" "phishing-site.test" Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Results include historical data aggregated over time - Private API keys have higher rate limits - When a domain is not found, returns a structured JSON response with found=false Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured. |
| threat_intel_by_ipA | Get threat intelligence for an IP address from VirusTotal/Google Threat Intelligence. This tool queries VirusTotal's database to retrieve comprehensive threat intelligence about an IP address, including reputation, geolocation, ASN data, and relationships. What this tool provides:
Common Use Cases:
Args: ip_address: The IP address to query (IPv4 or IPv6). Returns: JSON string containing comprehensive threat intelligence data including: - Detection statistics from security vendors - Geolocation and network information - ASN and owner details - Related malware, domains, and URLs - Reputation score and categories - Historical connection data Examples: "8.8.8.8" "192.168.1.1" "2001:4860:4860::8888" Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Results include historical data aggregated over time - Private/internal IPs may have limited or no data - Private API keys have higher rate limits - When an IP is not found, returns a structured JSON response with found=false Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured. |
| threat_intel_get_file_relationshipsA | Get relationships for a file hash from VirusTotal (network IOCs and related files). This tool extracts relationship data from a file's VirusTotal analysis, revealing network infrastructure (domains, IPs, URLs) contacted by the file, as well as related files. This is essential for pivoting from files to network indicators and building comprehensive threat intelligence profiles. Available relationship types:
What this tool provides:
Common Use Cases:
Args: hash_value: The file hash (MD5, SHA1, or SHA256) to query. relationship_type: The type of relationship to retrieve (e.g., 'contacted_domains'). Returns: JSON string containing: - relationships: Array of related objects with full details (up to 100) - count: Number of relationships found Examples: hash_value="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", relationship_type="contacted_domains" Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Returns up to 100 relationships (the API maximum) - Not all files have all relationship types - Relationship data comes from sandbox execution - Private API keys have access to more relationship types - When a hash or relationship is not found, returns a structured JSON response with found=false - IMPORTANT: Do NOT call this tool repeatedly with the same parameters. It returns the same data each time, not additional results. Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured. |
| threat_intel_searchA | Search VirusTotal Intelligence with advanced queries for threat hunting. This tool allows searching the entire VirusTotal dataset using powerful query syntax to find files matching specific criteria. Essential for proactive threat hunting, malware research, and discovering related samples. Query Syntax Examples:
What this tool provides:
Common Use Cases:
Args: query: VT Intelligence search query using the VirusTotal query syntax. Returns: JSON string containing: - results: Array of matching files with full details (up to 10) - count: Number of results returned - query: The search query used Examples: query="type:peexe size:90kb+ positives:10+" query="behavior_network:C2 tag:ransomware" query="signature:'Microsoft Corporation' positives:0" Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Intelligence search requires a VirusTotal Premium/Enterprise API key - Returns up to 10 results per query - Complex queries may take longer to execute - Query syntax documentation: https://docs.virustotal.com/docs/intelligence-search - IMPORTANT: Do NOT call this tool repeatedly with the same parameters. It returns the same data each time, not additional results. Use different search queries to find different files. Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured or lacks Intelligence access. |
| threat_intel_get_file_behaviorA | Get detailed behavioral analysis report for a file from VirusTotal sandboxes. This tool retrieves sandbox execution reports that show what a file does when run, including process activity, network connections, file operations, registry changes, and MITRE ATT&CK techniques. Essential for understanding malware capabilities and identifying detection opportunities. What this tool provides:
Common Use Cases:
Args: hash_value: The file hash (SHA256 preferred) to query. sandbox: Optional specific sandbox name (e.g., 'VirusTotal Jujubox', 'C2AE'). If not specified, returns the default/first available report. Returns: JSON string containing detailed behavioral analysis (up to 50 reports) including: - Processes created and their relationships - Network activity (DNS, HTTP, TCP/IP) - File system operations - Registry operations - MITRE ATT&CK techniques - Behavioral signatures - Sandbox metadata (environment, time) Examples: hash_value="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" hash_value="44d88612fea8a8f36de82e1278abb02f", sandbox="VirusTotal Jujubox" Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Only SHA256 hashes are supported for behavior reports - Returns up to 50 behavior reports - Not all files have behavioral analysis (requires sandbox execution) - Multiple sandbox environments may have analyzed the same file - Reports reflect behavior in a controlled sandbox environment - Private API keys have access to more detailed reports - When no behavior report is found, returns a structured JSON response with found=false - IMPORTANT: Do NOT call this tool repeatedly with the same parameters. It returns the same data each time, not additional results. Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured. |
| cve_search_by_idA | Get detailed information about a specific CVE by its identifier. This tool queries the CVE database to retrieve comprehensive vulnerability information including description, CVSS scores, affected products, references, and remediation guidance. What this tool provides:
Common Use Cases:
Args: cve_id: The CVE identifier in the format CVE-YYYY-NNNNN (e.g., CVE-2024-47176, CVE-2023-12345) Returns: JSON string containing comprehensive CVE details including: - id: CVE identifier - summary: Vulnerability description - cvss: CVSS v2 score - cvss3: CVSS v3 score with full metrics - vulnerable_configuration: List of affected CPEs - references: Links to advisories and patches - cwe: Common Weakness Enumeration identifier - Published: Publication timestamp - Modified: Last modification timestamp Examples: "CVE-2024-47176" - Recent vulnerability "CVE-2023-12345" - Search any CVE from any year "CVE-2021-44228" - Log4Shell vulnerability Notes: - Data sourced from cve-search.org (CIRCL.LU) - No API key required - Database updated regularly from NVD and other sources - Returns detailed CAPEC, CWE, and CPE expansions Not Found Response: When a CVE is not found, returns a JSON response with this structure: { "found": false, "resource": "CVE-YYYY-NNNNN", "resource_type": "cve", "message": "CVE-YYYY-NNNNN not found in the CVE database." } Raises: CVEClientError: If there's an error communicating with the API (not for not-found cases). |
| cve_search_by_vendorA | Search for CVEs by vendor name and optionally filter by product. This tool searches the CVE database for vulnerabilities affecting specific vendors and their products. Can be used to browse available products or get a comprehensive list of CVEs for a vendor/product combination. What this tool provides:
Common Use Cases:
Args: vendor: The vendor name (case-insensitive, use lowercase). Examples: 'microsoft', 'apache', 'cisco', 'linux', 'oracle' product: Optional product name (case-insensitive, use lowercase). Examples: 'office', 'httpd', 'ios', 'kernel', 'database' If omitted, returns list of available products for the vendor. Returns: When product is specified: - JSON string containing array of CVE objects with full details Examples: Search CVEs: vendor="microsoft", product="windows" Search CVEs: vendor="apache", product="httpd" List products: vendor="cisco" (product omitted) List products: vendor="linux" (product omitted) Notes: - Vendor/product names should be lowercase - Use underscores or hyphens as they appear in CPE names - Product browsing helps discover correct product names - Results may include multiple product versions - No API key required - When vendor/product is not found, returns a structured JSON response with found=false Raises: CVEClientError: If there's an error communicating with the API. |
| cve_database_statusA | Get information about the CVE database status and last update time. This tool provides metadata about the CVE database including when it was last updated and how many CVEs it contains. Useful for determining data freshness and database health. What this tool provides:
Common Use Cases:
Returns: JSON string containing database metadata: - Last update timestamp (ISO 8601 format) - Total number of CVEs - Database version - Data sources Notes: - Database typically updates multiple times daily - Sources include NVD, vendor advisories, and community feeds - No API key required Raises: CVEClientError: If there's an error communicating with the API. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Sentinel-One/purple-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server