SentinelOne
SentinelOne XDR - threat detection, incident response, and endpoint agent management via the Purple AI MCP server
Installation
Install this plugin individually:
/plugin marketplace add wyre-technology/msp-claude-plugins --plugin sentinelone
Or install all MSP plugins at once:
/plugin marketplace add wyre-technology/msp-claude-plugins
Features
- Alert Handling
- Asset Inventory
- Cloud Security Posture
- Purple AI Threat Hunting
- PowerQuery Analytics
- Vulnerability Management
Skills
This plugin provides 7 skills that teach Claude about SentinelOne:
| Skill | Description |
|---|---|
| alerts | Use this skill when working with SentinelOne alerts - triaging new alerts, investigating specific alerts, searching by severity or status, reviewing alert timelines, and managing alert workflows across MSP client environments. |
| inventory | Use this skill when working with SentinelOne unified asset inventory - endpoints, cloud resources, identities, and network-discovered devices. |
| misconfigurations | Use this skill when working with SentinelOne XSPM misconfigurations - cloud security posture management across AWS, Azure, GCP, Kubernetes, identity, and infrastructure-as-code. |
| purple-ai | Use this skill when working with SentinelOne Purple AI - natural language cybersecurity investigation, threat hunting, behavioral anomaly analysis, MITRE ATT&CK TTP mapping, and PowerQuery generation. |
| threat-hunting | Use this skill when working with SentinelOne PowerQuery and the Singularity Data Lake - executing threat hunting queries, understanding PowerQuery pipeline syntax, managing time ranges, and analyzing query results. |
| vulnerabilities | Use this skill when working with SentinelOne XSPM vulnerabilities - tracking CVEs, reviewing EPSS scores, assessing exploit maturity, managing vulnerability status, prioritizing patches, and generating vulnerability reports across MSP client environments. |
| api-patterns | Use this skill when working with the SentinelOne Purple MCP tools - available tools, connection setup, uvx-based installation, Service User token authentication, transport modes, dual API architecture (GraphQL and REST), rate limits, error handling, and best practices. |
Agents
This plugin provides 2 agents for autonomous task execution:
| Agent | Description |
|---|---|
| endpoint-hardening-auditor | Use this agent when an MSP needs to audit and harden SentinelOne endpoint configuration across client sites - not to investigate active threats, but to proactively identify gaps before attackers can exploit them. |
| threat-hunter | Use this agent when an MSP needs to autonomously hunt for threats across client endpoints using SentinelOne. |
Commands
Available slash commands:
| Command | Description |
|---|---|
| /alert-triage | Triage new and unresolved SentinelOne alerts by severity |
| /asset-inventory | Asset inventory summary by surface type across managed environments |
| /hunt-threat | Threat hunting via Purple AI and PowerQuery execution |
| /investigate-alert | Deep investigation of a specific SentinelOne alert with timeline and context |
| /posture-review | Cloud security posture review with compliance gap analysis |
| /vuln-report | Generate a vulnerability summary report with severity breakdown and top CVEs |
API Reference
| Base URL | |
| Authentication | |
| Rate Limit | |
| Documentation | |
Example Usage
Triage new and unresolved SentinelOne alerts by severity:
/alert-triage
Asset inventory summary by surface type across managed environments:
/asset-inventory
Threat hunting via Purple AI and PowerQuery execution:
/hunt-threat
Deep investigation of a specific SentinelOne alert with timeline and context:
/investigate-alert
Cloud security posture review with compliance gap analysis:
/posture-review
Generate a vulnerability summary report with severity breakdown and top CVEs:
/vuln-report
Using Skills
/skill sentinelone:alerts
Use this skill when working with SentinelOne alerts - triaging new alerts, investigating specific alerts, searching by severity or status, reviewing alert timelines, and managing alert workflows across MSP client environments.