From sentinelone
Works with SentinelOne unified asset inventory: endpoints, cloud resources, identities, network-discovered devices. Lists inventory items, searches with filters, retrieves details via REST API. Useful for MSP client security coverage audits.
How this skill is triggered — by the user, by Claude, or both
Slash command
/sentinelone:inventoryWhen to use
When working with endpoints, cloud resources, identities, and network-discovered devices in SentinelOne unified asset inventory. Use when: sentinelone inventory, sentinelone asset, sentinelone endpoint, sentinelone agent, sentinelone device, sentinelone workstation, sentinelone server, asset inventory, endpoint health, sentinelone cloud resource, sentinelone identity, sentinelone ranger, or network discovery.
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
The SentinelOne unified asset inventory provides a single view of all assets across an organization's environment. Assets are categorized by surface type -- endpoints with SentinelOne agents, cloud resources in AWS/Azure/GCP, identity accounts from Active Directory and Entra ID, and network-discovered devices found by Ranger. For MSPs, the inventory is the foundation for security coverage -- en...
The SentinelOne unified asset inventory provides a single view of all assets across an organization's environment. Assets are categorized by surface type -- endpoints with SentinelOne agents, cloud resources in AWS/Azure/GCP, identity accounts from Active Directory and Entra ID, and network-discovered devices found by Ranger. For MSPs, the inventory is the foundation for security coverage -- ensuring every client device has an active agent, tracking cloud resource sprawl, and identifying unmanaged devices on client networks.
The inventory uses the REST API (not GraphQL), with offset-based pagination and direct filter parameters. All inventory tools are read-only.
| Tool | Description | Key Parameters |
|---|---|---|
get_inventory_item | Get a single inventory item by ID | itemId (required) |
list_inventory_items | List inventory items with filters | surface, limit, offset, sortBy, sortOrder |
search_inventory_items | Search inventory with REST filters | filters, surface, limit, offset |
Call list_inventory_items with optional parameters:
surface to ENDPOINT, CLOUD, IDENTITY, or NETWORK_DISCOVERYlimit (results per page) and offset (skip N results)sortBy and sortOrderExample: List all endpoints:
list_inventory_items with surface=ENDPOINT, limit=100Example: List cloud resources:
list_inventory_items with surface=CLOUD, limit=100Example: List network-discovered devices:
list_inventory_items with surface=NETWORK_DISCOVERY, limit=100Call search_inventory_items with filters for targeted queries:
Example: Search for a specific endpoint by name:
search_inventory_items with surface=ENDPOINT, filters={"name__contains": "workstation-01"}Example: Search for Windows servers:
search_inventory_items with surface=ENDPOINT, filters={"osType": "WINDOWS", "machineType": "SERVER"}Call get_inventory_item with the itemId to retrieve full details including agent status, OS information, network details, and security posture.
| Surface | Description | Data Sources |
|---|---|---|
ENDPOINT | Managed endpoints with SentinelOne agents | Workstations, servers, laptops, VMs |
CLOUD | Cloud infrastructure resources | AWS EC2, Azure VMs, GCP instances, S3 buckets, etc. |
IDENTITY | User and service accounts | Active Directory, Entra ID (Azure AD), Okta |
NETWORK_DISCOVERY | Network-discovered devices (Ranger) | Switches, printers, IoT, unmanaged devices |
| Type | Description |
|---|---|
WORKSTATION | Desktop or laptop workstation |
SERVER | Server (physical or virtual) |
LAPTOP | Laptop (may overlap with WORKSTATION) |
VIRTUAL_MACHINE | Cloud or on-premises VM |
CONTAINER | Container workload |
| Status | Description |
|---|---|
ACTIVE | Agent is running and communicating |
INACTIVE | Agent installed but not communicating |
DISCONNECTED | Agent has lost connection to the console |
DECOMMISSIONED | Agent has been decommissioned |
PENDING | Agent installation in progress |
The inventory uses offset-based pagination (unlike the cursor-based GraphQL tools):
| Parameter | Description | Default |
|---|---|---|
limit | Results per page | 50 |
offset | Number of results to skip | 0 |
To iterate through all results:
offset=0, limit=100offset=100, limit=100| Filter Type | Syntax | Description |
|---|---|---|
| Exact match | fieldName=value | Direct value comparison |
| Contains | fieldName__contains=value | Substring matching |
| Greater than or equal | fieldName__gte=value | Minimum value (dates, numbers) |
| Less than or equal | fieldName__lte=value | Maximum value (dates, numbers) |
| Not equal | fieldName__ne=value | Exclude matches |
| In list | ids=id1,id2,id3 | Match multiple IDs |
| Field | Type | Description |
|---|---|---|
itemId | string | Unique inventory item identifier |
name | string | Asset name/hostname |
surface | string | ENDPOINT/CLOUD/IDENTITY/NETWORK_DISCOVERY |
siteName | string | SentinelOne site (MSP client) |
accountName | string | SentinelOne account |
lastSeen | datetime | Last communication timestamp |
| Field | Type | Description |
|---|---|---|
osType | string | WINDOWS/MACOS/LINUX |
osName | string | Full OS name (e.g., "Windows 11 Enterprise") |
osVersion | string | OS version string |
machineType | string | WORKSTATION/SERVER/LAPTOP/VIRTUAL_MACHINE |
agentVersion | string | SentinelOne agent version |
agentStatus | string | ACTIVE/INACTIVE/DISCONNECTED |
isUpToDate | boolean | Whether agent is on the latest version |
externalIp | string | External/public IP address |
internalIp | string | Internal/private IP address |
domain | string | AD domain membership |
lastLoggedInUser | string | Last logged-in user |
encryptionStatus | string | Disk encryption status |
firewallStatus | string | Firewall enabled/disabled |
| Field | Type | Description |
|---|---|---|
cloudProvider | string | AWS/AZURE/GCP |
region | string | Cloud region |
resourceType | string | Resource type (EC2, VM, S3, etc.) |
resourceId | string | Cloud resource identifier |
tags | object | Cloud resource tags |
| Field | Type | Description |
|---|---|---|
identityProvider | string | AD/ENTRA_ID/OKTA |
email | string | User email address |
department | string | Department |
lastLogin | datetime | Last login timestamp |
mfaEnabled | boolean | Whether MFA is enabled |
accountStatus | string | Active/Disabled/Locked |
| Field | Type | Description |
|---|---|---|
deviceType | string | Discovered device type |
manufacturer | string | Device manufacturer |
macAddress | string | MAC address |
ipAddress | string | Discovered IP address |
managed | boolean | Whether a SentinelOne agent is installed |
firstSeen | datetime | When Ranger first discovered the device |
list_inventory_items with surface=ENDPOINT, limit=100offsetlist_inventory_items with surface=ENDPOINTisUpToDate=falseagentStatus=DISCONNECTEDlist_inventory_items with surface=CLOUDlist_inventory_items with surface=NETWORK_DISCOVERYmanaged=false to find devices without SentinelOne agentslist_inventory_items with surface=IDENTITYEndpoint Inventory Item:
{
"itemId": "inv-endpoint-001",
"name": "ACME-WS-042",
"surface": "ENDPOINT",
"siteName": "Acme Corporation",
"osType": "WINDOWS",
"osName": "Windows 11 Enterprise",
"osVersion": "23H2",
"machineType": "WORKSTATION",
"agentVersion": "24.1.2.345",
"agentStatus": "ACTIVE",
"isUpToDate": true,
"externalIp": "203.0.113.10",
"internalIp": "192.168.1.42",
"domain": "acme.local",
"lastLoggedInUser": "jsmith",
"lastSeen": "2026-02-24T10:00:00.000Z",
"encryptionStatus": "ENCRYPTED",
"firewallStatus": "ENABLED"
}
Network Discovery Item:
{
"itemId": "inv-ranger-005",
"name": "Unknown Device",
"surface": "NETWORK_DISCOVERY",
"siteName": "Acme Corporation",
"deviceType": "Network Printer",
"manufacturer": "HP",
"macAddress": "AA:BB:CC:DD:EE:FF",
"ipAddress": "192.168.1.200",
"managed": false,
"firstSeen": "2026-02-20T14:00:00.000Z",
"lastSeen": "2026-02-24T09:30:00.000Z"
}
| Error | Cause | Resolution |
|---|---|---|
| Item not found | Invalid itemId | Verify the ID with list_inventory_items |
| Invalid surface filter | Wrong surface value | Use ENDPOINT, CLOUD, IDENTITY, or NETWORK_DISCOVERY |
| Empty results | No matching assets | Widen filters or check scope |
| Authentication error | Invalid token | Verify Service User token is Account or Site level |
| Timeout | Query too broad | Add surface or site filters to reduce result set |
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin sentineloneQueries and inspects Liongard systems, system details, dataprints for JMESPath evaluation, and asset inventory. Covers discovered systems from inspections, system detail data, dataprint extraction, and identity/device profiles.
Queries and reports on SentinelOne XSPM misconfigurations across AWS, Azure, GCP, Kubernetes, identity, and IaC. Includes compliance mappings, MITRE ATT&CK, remediation steps, and evidence details.
Tracks LimaCharlie sensor coverage across orgs, detects gaps like stale/silent endpoints and Shadow IT, calculates risk scores, validates telemetry health, and inventories assets. Use for fleet health checks and compliance audits.