MCP server for SentinelOne Core + Deep Visibility APIs
A Model Context Protocol server that connects AI assistants to your SentinelOne tenant. Manage threats, investigate endpoints, hunt with Deep Visibility, and triage alerts -- all from natural language.
Zero dependencies. Stdlib-only Go binary. No runtime requirements. Just copy and run.
```bash
git clone https://github.com/c0tton-fluff/sentinelone-mcp-server.git
cd sentinelone-mcp-server
go build -o sentinelone-mcp-server .
```
S1 Console > Profile (top right) > My Profile > Actions > API token operations > Regenerate API token
Add to `~/.mcp.json`:

```json
{
  "mcpServers": {
    "sentinelone": {
      "command": "/path/to/sentinelone-mcp-server",
      "env": {
        "SENTINELONE_API_KEY": "your_api_token_here",
        "SENTINELONE_API_BASE": "https://your-tenant.sentinelone.net"
      }
    }
  }
}
```
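The two environment variables above are the only trust inputs the server has: the token authenticates every call, and the base URL decides where that token is sent. The following Go program is an added example (not code from the sentinelone-mcp-server project) showing the validation a stdlib-only binary can do before its first request: refuse an empty token, refuse a non-HTTPS base or one carrying a path or query, and redact the token in any log line. The `Authorization: ApiToken <token>` header scheme and the `/web/api/v2.1/threats` path are assumptions taken from SentinelOne's public Management API documentation, not from this page.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// Config holds the two variables the mcp.json above passes via "env".
type Config struct {
	APIKey  string
	APIBase string
}

// LoadConfig reads SENTINELONE_API_KEY and SENTINELONE_API_BASE through the
// supplied lookup (os.Getenv in production, a map in tests) and rejects unsafe
// values before any request is built: an empty token, a non-HTTPS base, or a
// base URL with a path, query or fragment, which would silently change where
// the token is sent.
func LoadConfig(getenv func(string) string) (Config, error) {
	key := strings.TrimSpace(getenv("SENTINELONE_API_KEY"))
	if key == "" {
		return Config{}, errors.New("SENTINELONE_API_KEY is not set")
	}
	base := strings.TrimRight(strings.TrimSpace(getenv("SENTINELONE_API_BASE")), "/")
	u, err := url.Parse(base)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return Config{}, fmt.Errorf("SENTINELONE_API_BASE must be an https:// origin, got %q", base)
	}
	if u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return Config{}, fmt.Errorf("SENTINELONE_API_BASE must not carry a path or query, got %q", base)
	}
	return Config{APIKey: key, APIBase: base}, nil
}

// Redact returns a token form that is safe to log: only the last four
// characters survive, enough to tell tokens apart in an incident timeline.
func Redact(token string) string {
	if len(token) <= 4 {
		return "****"
	}
	return "****" + token[len(token)-4:]
}

// NewRequest builds a GET for a Management API path relative to the tenant
// base. The "ApiToken" authorization scheme is an assumption (see lead-in).
func NewRequest(cfg Config, apiPath string) (*http.Request, error) {
	if !strings.HasPrefix(apiPath, "/") {
		return nil, fmt.Errorf("api path must be absolute, got %q", apiPath)
	}
	req, err := http.NewRequest(http.MethodGet, cfg.APIBase+apiPath, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "ApiToken "+cfg.APIKey)
	req.Header.Set("Accept", "application/json")
	return req, nil
}

func main() {
	cfg, err := LoadConfig(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(1)
	}
	// Assumed endpoint path; nothing is sent here, the request is only built.
	req, err := NewRequest(cfg, "/web/api/v2.1/threats")
	if err != nil {
		fmt.Fprintln(os.Stderr, "request error:", err)
		os.Exit(1)
	}
	fmt.Printf("would call %s with token %s\n", req.URL, Redact(cfg.APIKey))
}
```

Passing the lookup function in rather than calling `os.Getenv` directly keeps the validation testable without touching the real environment, and trimming the trailing slash avoids the double-slash URLs that some proxies normalise differently from the origin server.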
- "List all unmitigated threats"
- "Investigate threat 1234567890"
- "Show infected agents"
- "Hunt for PowerShell processes in the last 24 hours"
- "What's the reputation of this SHA256?"
- "Create an exclusion for /opt/myapp on Linux"
- "What applications are installed on Benedict's laptop?"
| Tool | What it does |
|---|---|
| s1_list_threats | List threats with classification, status, and endpoint filters |
| s1_get_threat | Full threat details -- hashes, file path, storyline |
| s1_mitigate_threat | Kill, quarantine, un-quarantine, remediate, or rollback |
| s1_investigate_threat | One-call investigation: threat + correlated alerts + timeline |
| s1_set_analyst_verdict | Set verdict: true_positive, false_positive, suspicious, undefined |
| s1_set_incident_status | Set status (with optional verdict in the same call) |
| Tool | What it does |
|---|---|
| s1_list_agents | List agents with OS, status, infection filters, and count-by grouping |
| s1_get_agent | Agent details -- version, site, network info, account ID |
| s1_isolate_agent | Network isolate an endpoint (maintains S1 comms) |
| s1_reconnect_agent | Remove network isolation |
| Tool | What it does |
|---|---|
| s1_list_alerts | Query unified alerts via GraphQL with severity, verdict, and status filters |
| s1_set_alert_verdict | Bulk set analyst verdict on matching alerts |
| s1_set_alert_status | Bulk set incident status (with optional verdict) |
| Tool | What it does |
|---|---|
| s1_dv_query | Run a threat hunting query with automatic polling |
| s1_dv_get_events | Retrieve events from a completed query |
| Tool | What it does |
|---|---|
| s1_hash_reputation | Hash verdict + fleet-wide hunt via Deep Visibility |
| Tool | What it does |
|---|---|
| s1_list_exclusions | List exclusions (path, hash, certificate, browser, file type) |
| s1_create_exclusion | Create an exclusion to suppress false-positive detections |
| s1_delete_exclusion | Delete exclusions by ID |
| Tool | What it does |
|---|---|
| s1_create_star_rule | Create a custom detection rule from a Deep Visibility query |
| Tool | What it does |
|---|---|
| s1_list_applications | List installed software on endpoints by name or computer |