sentinelone

Triage new and unresolved SentinelOne alerts by severity

Asset inventory summary by surface type across managed environments

Threat hunting via Purple AI and PowerQuery execution

Deep investigation of a specific SentinelOne alert with timeline and context

Cloud security posture review with compliance gap analysis

Use this skill when working with SentinelOne alerts - triaging new alerts, investigating specific alerts, searching by severity or status, reviewing alert timelines, and managing alert workflows across MSP client environments. Covers all alert tools, severity levels, status values, view types, GraphQL filter syntax, and cursor-based pagination.

Use this skill when working with the SentinelOne Purple MCP tools - available tools, connection setup, uvx-based installation, Service User token authentication, transport modes, dual API architecture (GraphQL and REST), rate limits, error handling, and best practices. Covers all 23 Purple MCP tools organized by domain.

Use this skill when working with SentinelOne unified asset inventory - endpoints, cloud resources, identities, and network-discovered devices. Covers inventory tools, surface types, REST API with offset-based pagination, filter types, asset fields, and inventory audit workflows for MSP client environments.

Use this skill when working with SentinelOne XSPM misconfigurations - cloud security posture management across AWS, Azure, GCP, Kubernetes, identity, and infrastructure-as-code. Covers misconfiguration detection, compliance standards, MITRE ATT&CK mappings, remediation steps, evidence details, and posture review workflows for MSP clients.

Use this skill when working with SentinelOne Purple AI - natural language cybersecurity investigation, threat hunting, behavioral anomaly analysis, MITRE ATT&CK TTP mapping, and PowerQuery generation. Covers the purple_ai tool, best practices for prompting, common investigation queries, and integration with PowerQuery execution.