Skip to main content
Glama
Sentinel-One

Purple AI MCP Server

Official
by Sentinel-One

search_inventory_items

Search and filter SentinelOne managed assets by criteria such as name, type, status, or tags. Combine multiple filters with AND logic for precise results.

Instructions

Search for managed assets in SentinelOne using REST API filters.

Use this tool to find specific SentinelOne managed assets such as computers, servers, workstations, cloud resources, and network devices by various criteria (name, type, status, tags, etc.). Multiple filters are combined with AND logic.

Note: For surface-specific filtering (ENDPOINT, CLOUD, IDENTITY, NETWORK_DISCOVERY), use the list_inventory_items tool instead, which supports surface filtering via GET.

Args: filters: JSON string containing filter dictionary (optional, default: {}). Use REST API filter format with field names in camelCase.

         Standard Filters (exact match - matches ANY value in list):
         - {"resourceType": ["Windows Server", "Linux Server"]}
         - {"assetStatus": ["Active", "Inactive"]}
         - {"category": ["Server", "Workstation"]}
         - {"infectionStatus": ["Infected", "Healthy"]}

         Contains Filters (partial match - case-insensitive):
         - {"name__contains": ["dev", "test"]}
         - {"cloudProviderAccountName__contains": ["testing"]}
         - {"osName__contains": ["Windows", "Ubuntu"]}

         Range Filters (date ranges - use ISO date strings or millisecond timestamps):
         - {"lastActiveDt__between": {"from": "2024-01-01", "to": "2024-12-31"}}
         - {"lastActiveDt__between": {"from": 1704067200000, "to": 1735689599000}}

         IMPORTANT: All datetimes in the Inventory API are in UTC timezone.
         For timestamp-based date filters, you can use the iso_to_unix_timestamp tool
         to convert ISO 8601 datetime strings to UNIX timestamps in milliseconds (UTC).

         The iso_to_unix_timestamp tool handles timezone conversion automatically.
         Provide datetimes in the user's preferred timezone (e.g., "2024-01-01T00:00:00-05:00" for Eastern Time)
         and the tool will convert to UTC milliseconds for the API.

         Example workflow for timestamp filters:
         1. Call iso_to_unix_timestamp("2024-01-01T00:00:00-05:00") -> returns "1704085200000" (UTC)
         2. Use in filter: {"lastActiveDt__between": {"from": 1704085200000, "to": 1735693199000}}

         ID Filters (exact ID matches):
         - {"id__in": ["uuid1", "uuid2", "uuid3"]}

         Negation Filters (exclude values):
         - {"assetStatus__nin": ["Decommissioned"]}
         - {"resourceType__nin": ["Unknown"]}

         Combining Filters (AND logic - all must match):
         - {"resourceType": ["Windows Server"], "assetStatus": ["Active"], "name__contains": ["test"]}

         Common Examples:
         - Find testing servers: {"name__contains": ["test"], "resourceType": ["Windows Server", "Linux Server"]}
         - Find active AWS instances: {"cloudProvider": ["AWS"], "assetStatus": ["Active"]}
         - Find recently active endpoints: {"lastActiveDt__between": {"from": "2024-12-01", "to": "2024-12-31"}}

limit: Number of items to retrieve (1-1000, default: 50).
skip: Number of items to skip for pagination (default: 0).
fetch_fields: Field filtering. Either:
              - Preset name: "MINIMAL", "STANDARD", or "ALL" (default: "MINIMAL")
                * MINIMAL: 7 core fields (id, name, category, etc.) - fastest
                * STANDARD: 13 fields (MINIMAL + operational context)
                * ALL: All available fields (~200+ fields) - slowest
              - List of specific field names in camelCase:
                Examples: ["id", "name", "resourceType", "assetStatus"]
                          ["id", "category", "osVersion", "ipAddress"]
              Use fetch_fields="ALL" on a single item to discover all field names.
              Defaults to "MINIMAL" for optimal performance with search operations.

Returns: JSON string with filtered inventory items containing only requested fields. Field keys use camelCase format. Fields without values are excluded from the output. Includes pagination metadata. Returns empty list if no matches found.

Raises: ValueError: If filters JSON is invalid, parameters are out of range, or fetch_fields is invalid. InventoryAuthenticationError: If authentication fails. InventoryNetworkError: If network operation fails. InventoryAPIError: If the API returns an error. InventoryClientError: For other client-level errors.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
skipNo
limitNo
filtersNo
fetch_fieldsNoMINIMAL

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes
Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden. It discloses AND logic for filters, field case and omission, pagination via skip/limit, and raises specific exceptions. It does not mention rate limits or auth requirements beyond error types, but the behavioral traits are well-covered for a search tool.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is long but well-structured with clear sections (Args, Returns, Raises) and bullet points. It is front-loaded with the purpose and direct URL, making key info accessible. While some details could be trimmed, the organization compensates for length.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool has 4 parameters with 0% schema coverage, a complex filters parameter, and an output schema that likely describes return fields, the description provides sufficient context: filter syntax, pagination, field presets, error types, and a workflow for date conversion. It is complete for an agent to invoke the tool correctly.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, so the description must add all meaning. It does so comprehensively: filters parameter is explained with multiple filter types (standard, contains, range, ID, negation, combination) and examples. limit, skip, and fetch_fields are detailed with presets and custom lists, plus a timestamp conversion workflow. This far exceeds the schema's null/default information.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool searches for managed assets in SentinelOne using REST API filters. It specifies the resource type (managed assets) and distinguishes from sibling tool list_inventory_items by noting the latter supports surface-specific filtering. The verb 'Search' and the target domain 'inventory items' are unambiguous.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly guides when to use this tool vs. the sibling list_inventory_items for surface-specific filtering. It provides extensive filter examples and workflow for timestamp conversion, but does not explicitly state when not to use it or list all alternatives. However, the guidance is clear and actionable.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Sentinel-One/purple-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server