SentinelOne Purple MCP server
Query Purple AI, run PowerQuery analytics, and triage SentinelOne alerts, vulnerabilities, and misconfigurations.
About
Connect Tracecat to SentinelOne Purple to triage alerts and run analytics from agents working alongside SOC analysts and SecOps engineers. You can pick up a Singularity alert and run PowerQuery directly against event data to pivot through related processes without writing queries by hand. From there, agents can ask Purple AI natural language questions, check the affected asset's vulnerabilities and misconfigurations, and hand enriched context to the rest of your stack with the service user's scope enforced throughout.
Setup
1. Create an API key
   The Purple MCP server authenticates with a SentinelOne service user token scoped at the Account or Site level. The token is created in the SentinelOne management console and inherits the role of the service user, so every tool call is limited to what that service user is permitted to see and do.
2. Select the SentinelOne Purple tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the SentinelOne Purple tile, and paste your API key.
3. Enable SentinelOne Purple in your agent
   In your ai.agent action or the Agents → tools tab, select SentinelOne Purple from the MCP integrations dropdown.
Tools
| Tool | Description |
| --- | --- |
| purple_ai | Send natural language security questions to SentinelOne Purple AI. |
| powerquery | Run PowerQuery analytics across event data with a start and end time. |
| list_alerts | List recent alerts with pagination and view type filters. |
| search_alerts | Search alerts using structured filters. |
| get_alert | Retrieve full details, notes, and history for a single alert. |
| list_vulnerabilities | List recent CVE findings discovered by SentinelOne. |
| search_vulnerabilities | Filter vulnerabilities by severity, asset, CVE, and exploitability. |
| list_misconfigurations | List recent misconfigurations across your SentinelOne-managed estate. |
| search_inventory_items | Search asset inventory by attack surface and other filters. |
| get_inventory_item | Retrieve detailed asset information for a single inventory item. |