Skip to main content
Glama
Sentinel-One

Purple AI MCP Server

Official
by Sentinel-One

powerquery

Execute advanced analytics on SentinelOne's Singularity Data Lake to hunt threats and analyze telemetry data using a high-performance query language.

Instructions

Execute advanced PowerQuery analytics on data in SentinelOne's Singularity Data Lake for complex threat hunting and data analysis.

PowerQuery is SentinelOne's high-performance query language for searching, transforming, and aggregating telemetry and log data in the Scalyr and Singularity XDR platforms. It uses a pipeline-based syntax for filtering, grouping, computing, and summarizing large-scale unstructured data. SentinelOne PowerQuery is not the same as Microsoft PowerQuery. It also looks somewhat like Splunk SPL but is not the same language.

IMPORTANT: You should ALWAYS use the purple_ai() tool to generate PowerQueries for this tool based on natural language. It is very unlikely you know how to write PowerQueries yourself.

If a user gives you a specific PowerQuery that wasn't generated by Purple AI, run it EXACTLY as sent. DO NOT modify the user's input, pass it directly to this tool.

Args: query: The PowerQuery string to execute start_datetime: Start time in ISO 8601 format. ISO 8601 is the international standard for datetime representation: YYYY-MM-DDTHH:MM:SS with timezone offset. MUST include timezone offset (Z for UTC or ±HH:MM for local time). Examples: "2024-01-15T10:30:00Z" (UTC/Zulu time), "2024-01-15T10:30:00+05:00" (UTC+5 hours, e.g., Asia/Karachi), "2024-01-15T10:30:00-08:00" (UTC-8 hours, e.g., US Pacific), "2024-01-15T10:30:00.123456+02:00" (with microseconds, UTC+2) end_datetime: End time in ISO 8601 format. Same format requirements as start_datetime. Must be later than start_datetime. Examples: "2024-01-15T11:30:00Z" (UTC), "2024-01-15T11:30:00+05:00" (UTC+5, same timezone as start), "2024-01-15T11:30:00-08:00" (UTC-8, same timezone as start)

Time Range Guidelines:

  • DEFAULT to a 24-hour search period unless the user specifies a different time range

  • Use get_timestamp_range(hours=24) to get the last 24 hours

  • Queries with longer time ranges may take longer to execute or timeout

  • The query timeout is 5 minutes; if exceeded, reduce the time range or simplify the query

Understanding Results:

  • Empty results (no data returned) are NORMAL and ACCEPTABLE. This means no records match your query criteria.

  • Empty results could indicate:

    • No matching data exists in the specified time range

    • The query conditions are too restrictive; remove filters to attempt to retrieve more results

    • The searched activity or behavior simply hasn't occurred

  • DO NOT repeatedly rephrase or retry queries that legitimately return no results

  • If you expect results but get none, consider adjusting the time range or query criteria rather than retrying the exact same query

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
queryYes
end_datetimeYes
start_datetimeYes

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes
Behavior5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description fully covers behavioral traits: it explains the query language, the need for exact execution, timeout of 5 minutes, default time range, and proper handling of empty results. This gives the agent comprehensive understanding of the tool's behavior beyond the schema.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is verbose but well-structured: it starts with a clear purpose, explains the language, gives important usage notes, then parameter details and guidelines. While every sentence is informative, it could be slightly more concise without losing clarity. However, the structure is logical and easy to follow.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (a custom query language) and the lack of parameter descriptions in the schema, the description is exceptionally complete. It covers purpose, language distinction, parameter formatting, time range handling, error behaviors, and even references a sibling tool (purple_ai) for query generation. An output schema exists, so return values need not be described.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has no descriptions for parameters (0% coverage), but the tool description provides extensive details: for query, it explains it is a PowerQuery string; for start_datetime and end_datetime, it gives ISO 8601 format with multiple examples and timezone requirements. It also provides time range guidance, which adds significant meaning beyond the raw schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description specifically states 'Execute advanced PowerQuery analytics on data in SentinelOne's Singularity Data Lake for complex threat hunting and data analysis,' clearly identifying the verb, resource, and scope. It also distinguishes PowerQuery from Microsoft PowerQuery and Splunk SPL, differentiating it from sibling tools like list_alerts or cve_search_by_id.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly instructs to use purple_ai() to generate queries, advises to run user-provided queries exactly, and provides time range guidelines and empty result handling. This clearly indicates when to use this tool vs. alternatives and how to use it correctly.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Sentinel-One/purple-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server