SentinelOne Purple MCP server
Query Purple AI, run PowerQuery analytics, and triage SentinelOne alerts, vulnerabilities, and misconfigurations.
About
Connect Tracecat to SentinelOne Purple to triage alerts and run analytics from agents working alongside SOC analysts and SecOps engineers. You can pick up a Singularity alert and run PowerQuery directly against event data to pivot through related processes without writing queries by hand. From there, agents can ask Purple AI natural language questions, check the affected asset's vulnerabilities and misconfigurations, and hand enriched context to the rest of your stack with the service user's scope enforced throughout.
Setup
- 1. Create an API key
  The Purple MCP server authenticates with a SentinelOne service user token scoped at the Account or Site level. The token is created from the SentinelOne management console and inherits the role of the service user.
- 2. Select the SentinelOne Purple tile in the Tracecat MCP catalog
  Open the MCP catalog in your workspace, select the SentinelOne Purple tile, and paste your API key.
- 3. Enable SentinelOne Purple in your agent
  In your ai.agent action or Agents → tools tab, select SentinelOne Purple from the MCP integrations dropdown.
Tools
- purple_ai: Send natural language security questions to SentinelOne Purple AI.
- powerquery: Run PowerQuery analytics across event data with a start and end time.
- list_alerts: List recent alerts with pagination and view type filters.
- search_alerts: Search alerts using structured filters.
- get_alert: Retrieve full details, notes, and history for a single alert.
- list_vulnerabilities: List recent CVE findings discovered by SentinelOne.
- search_vulnerabilities: Filter vulnerabilities by severity, asset, CVE, and exploitability.
- list_misconfigurations: List recent misconfigurations across your SentinelOne-managed estate.
- search_inventory_items: Search asset inventory by attack surface and other filters.
- get_inventory_item: Retrieve detailed asset information for a single inventory item.