
Purple AI MCP Server

Official
by Sentinel-One

powerquery

Execute PowerQuery analytics on SentinelOne's Singularity Data Lake for threat hunting and data analysis using pipeline-based queries.

Instructions

Execute advanced PowerQuery analytics on data in SentinelOne's Singularity Data Lake for complex threat hunting and data analysis.

PowerQuery is SentinelOne's high-performance query language for searching, transforming, and aggregating telemetry and log data in the Scalyr and Singularity XDR platforms. It uses a pipeline-based syntax for filtering, grouping, computing, and summarizing large-scale unstructured data. SentinelOne PowerQuery is not the same as Microsoft PowerQuery. It also looks somewhat like Splunk SPL but is not the same language.

IMPORTANT: You should ALWAYS use the purple_ai() tool to generate PowerQueries for this tool based on natural language. It is very unlikely you know how to write PowerQueries yourself.

If a user gives you a specific PowerQuery that wasn't generated by Purple AI, run it EXACTLY as sent. DO NOT modify the user's input; pass it directly to this tool.

Time Range Guidelines:

  • DEFAULT to a 24-hour search period unless the user specifies a different time range

  • Use get_timestamp_range(hours=24) to get the last 24 hours

  • Queries with longer time ranges may take longer to execute or timeout

  • The query timeout is 5 minutes; if exceeded, reduce the time range or simplify the query

Understanding Results:

  • Empty results (no data returned) are NORMAL and ACCEPTABLE. This means no records match your query criteria.

  • Empty results could indicate:

    • No matching data exists in the specified time range

    • The query conditions are too restrictive

    • The searched activity or behavior simply hasn't occurred

  • DO NOT repeatedly rephrase or retry queries that legitimately return no results

  • If you expect results but get none, consider adjusting the time range or query criteria rather than retrying the exact same query

Input Schema

Name            Required  Description  Default
query           Yes
start_datetime  Yes
end_datetime    Yes

Output Schema

Name    Required  Description  Default
result  Yes

Behavior: 4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations, the description still covers the behavioral cues: it executes queries (a read operation is implied), and it addresses timeout handling and empty-result handling. It does not explicitly state that the tool is non-destructive, though that is clear from context; it could add that the tool does not modify data.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is relatively long but well-structured with sections for purpose, usage guidelines, time range, and understanding results. It front-loads key info. Could be more concise but remains effective.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity of a PowerQuery tool with 3 parameters and an output schema, the description adequately covers the tool's purpose, how to generate queries, time handling, and result interpretation. It does not detail the output schema, but that is covered by the schema itself. The explicit parameter format is missing, but overall the description is complete enough for correct use.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 0%, but the description does indicate that query is a PowerQuery string and that the time range parameters should be obtained from get_timestamp_range. However, it does not specify the datetime format or describe the output schema. The description provides context but lacks detailed parameter semantics.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states that the tool executes PowerQuery analytics on SentinelOne's Singularity Data Lake for threat hunting. It distinguishes itself by noting that SentinelOne PowerQuery is neither Microsoft PowerQuery nor Splunk SPL, and it is the only tool among its siblings that runs PowerQuery queries.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

It provides explicit guidance: use purple_ai() to generate queries, do not modify user-supplied queries, default the time range to 24 hours, observe the 5-minute timeout, and treat empty results as acceptable. It says when to retry and when not to.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Sentinel-One/purple-mcp'
