From sentinelone
Manages SentinelOne alerts across MSP environments: triage new alerts, investigate by severity/status, review timelines, and paginate with GraphQL filters.
How this skill is triggered — by the user, by Claude, or both
Slash command
/sentinelone:alertsWhen to use
When triaging new alerts, investigating specific alerts, searching by severity or status, reviewing alert timelines, and managing alert workflows across MSP client environments. Use when: sentinelone alert, sentinelone threat, sentinelone detection, sentinelone incident, alert triage, alert investigation, sentinelone severity, sentinelone critical, sentinelone high, alert management, sentinelone notification, or security alert.
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
All alert tools are **read-only** — you can view, search, and investigate alerts but cannot modify status, assignments, or take response actions.
All alert tools are read-only — you can view, search, and investigate alerts but cannot modify status, assignments, or take response actions.
For full field definitions, response examples, and error details see REFERENCE.md.
Parameters: severity, status, viewType, limit, cursor, sortBy, sortOrder
list_alerts severity=CRITICAL status=NEW sortBy=detectedAt sortOrder=DESC limit=50
list_alerts viewType=CLOUD limit=50
Parameter: filters (array of {fieldId, filterType, values}), limit, cursor
search_alerts filters=[{"fieldId": "endpointName", "filterType": "CONTAINS", "values": ["workstation-01"]}]
search_alerts filters=[{"fieldId": "severity", "filterType": "IN", "values": ["CRITICAL", "HIGH"]}]
Filter types: EQUALS, NOT_EQUALS, CONTAINS, IN, NOT_IN. Add "isNegated": true to invert any filter.
get_alert alertId=1234567890
get_alert_notes alertId=1234567890
get_alert_history alertId=1234567890
Severity: CRITICAL | HIGH | MEDIUM | LOW | INFO | UNKNOWN
Status: NEW | IN_PROGRESS | RESOLVED | FALSE_POSITIVE
View types: ALL (default) | CLOUD | KUBERNETES | IDENTITY | INFRASTRUCTURE_AS_CODE | ADMISSION_CONTROLLER | OFFENSIVE_SECURITY | SECRET_SCANNING
Pagination: Pass limit on the first call, then pass the returned cursor to fetch subsequent pages until no results remain.
list_alerts with status=NEW, sortBy=severity, sortOrder=DESC, limit=50cursor — do not assume 50 covers everythingget_alert for full details, then get_alert_notes for prior contextget_alert returns not-found, the alert may have been merged or resolved — re-query list_alerts to confirmget_alert with the alertId
list_alerts or search_alerts — alert IDs can change after merge operationsget_alert_notes — check for existing analyst notes before duplicating workget_alert_history — review timeline of status changes and assignmentspurple_ai to investigate the threat described in the alertlist_inventory_items for affected asset contextsearch_alerts with filters=[{"fieldId": "severity", "filterType": "IN", "values": ["CRITICAL", "HIGH"]}]viewType to reduce noisesiteName to identify which clients need attention firstget_alert_notes to avoid duplicating prior analyst worksiteName filter when investigating a specific clientnpx claudepluginhub wyre-technology/msp-claude-plugins --plugin sentineloneLists, filters, acknowledges, and resolves SuperOps.ai RMM alerts by severity, status, and type. Useful for MSP technicians managing monitored asset alerts.
Unified SOC analyst workflow for CrowdStrike NGSIEM — triage alerts, investigate security events, hunt threats, and tune detections. Use when triaging alerts, investigating detections, running daily SOC review, or tuning for false positives.
Guides usage of SentinelOne Purple MCP tools: connection setup, Service User token auth, transport modes, dual GraphQL/REST API patterns, rate limits, and error handling.