SentinelOne Misconfigurations

SentinelOne XSPM Cloud Security Posture Management

Overview

Misconfigurations in SentinelOne are tracked through the Extended Security Posture Management (XSPM) module. The platform detects security configuration gaps across cloud environments (AWS, Azure, GCP), Kubernetes clusters, identity providers (Active Directory, Entra ID), and infrastructure-as-code templates. Each misconfiguration includes compliance standard mappings, MITRE ATT&CK technique mappings, remediation steps, and evidence showing the specific resource, file, IP, port, or secret involved.

For MSPs, misconfiguration detection is essential for maintaining client security posture -- identifying exposed S3 buckets, overly permissive firewall rules, unrotated service account keys, and Kubernetes workloads running as root. These findings directly support compliance audits and QBR security reporting.

All misconfiguration tools are read-only. You can view, search, and report on misconfigurations, but you cannot remediate them through the MCP tools.

MCP Tools

Available Tools

Tool	Description	Key Parameters
get_misconfiguration	Get a single misconfiguration by ID	misconfigurationId (required)
list_misconfigurations	List misconfigurations with filters	severity, status, viewType, limit, cursor, sortBy, sortOrder
search_misconfigurations	Search misconfigurations with GraphQL filters	filters (array of fieldId/filterType/values), limit, cursor
get_misconfiguration_notes	Get notes on a misconfiguration	misconfigurationId (required)
get_misconfiguration_history	Get timeline of changes for a misconfiguration	misconfigurationId (required)

List Misconfigurations

Call list_misconfigurations with optional parameters:

• Filter by severity: Set severity to CRITICAL, HIGH, MEDIUM, LOW, or INFO
• Filter by status: Set status to NEW, IN_PROGRESS, RESOLVED, RISK_ACKED, or SUPPRESSED
• Filter by view type: Set viewType to scope the detection domain (see View Types below)
• Sort results: Set sortBy and sortOrder
• Paginate: Set limit and use cursor for subsequent pages

Example: List critical cloud misconfigurations:

• list_misconfigurations with severity=CRITICAL, viewType=CLOUD, sortOrder=DESC

Example: List Kubernetes misconfigurations:

• list_misconfigurations with viewType=KUBERNETES, limit=50

Search Misconfigurations

Call search_misconfigurations with a filters array:

Example: Search for misconfigurations in a client's environment:

• search_misconfigurations with filters=[{"fieldId": "siteName", "filterType": "EQUALS", "values": ["Acme Corporation"]}]

Example: Search for a specific compliance standard:

• search_misconfigurations with filters=[{"fieldId": "complianceStandard", "filterType": "CONTAINS", "values": ["CIS"]}]

Get Misconfiguration Details

Call get_misconfiguration with the misconfigurationId to retrieve full details including compliance mappings, evidence, and remediation steps.

Get Misconfiguration Notes

Call get_misconfiguration_notes with the misconfigurationId to retrieve analyst comments and tracking notes.

Get Misconfiguration History

Call get_misconfiguration_history with the misconfigurationId to retrieve the timeline of status changes and updates.

Key Concepts

View Types

View Type	Description	Example Findings
CLOUD	Cloud infrastructure (AWS, Azure, GCP)	Public S3 buckets, open security groups, unencrypted storage
KUBERNETES	Kubernetes clusters and workloads	Containers running as root, missing network policies, exposed dashboards
IDENTITY	Identity providers (AD, Entra ID)	Stale accounts, excessive permissions, missing MFA
INFRASTRUCTURE_AS_CODE	IaC templates (Terraform, CloudFormation)	Hardcoded secrets, missing encryption, overly permissive policies
ADMISSION_CONTROLLER	Kubernetes admission policies	Policy violations in pod deployments
SECRET_SCANNING	Exposed secrets and credentials	API keys in code, hardcoded passwords, leaked tokens

Compliance Standards

Misconfigurations are mapped to industry compliance standards:

Standard	Description
CIS Benchmarks	Center for Internet Security configuration benchmarks
SOC 2	Service Organization Control Type 2
PCI DSS	Payment Card Industry Data Security Standard
HIPAA	Health Insurance Portability and Accountability Act
NIST 800-53	National Institute of Standards and Technology
ISO 27001	International information security standard
GDPR	General Data Protection Regulation
AWS Well-Architected	AWS security best practices
Azure Security Benchmark	Azure security best practices

MITRE ATT&CK Mappings

Misconfigurations are mapped to MITRE ATT&CK techniques they could enable:

Misconfiguration Type	MITRE Technique
Public cloud storage	T1530 - Data from Cloud Storage
Excessive IAM permissions	T1078 - Valid Accounts
Missing MFA	T1078.004 - Cloud Accounts
Open management ports	T1133 - External Remote Services
Unencrypted data at rest	T1565 - Data Manipulation
Exposed secrets	T1552 - Unsecured Credentials

Evidence

Each misconfiguration includes evidence showing the specific resource affected:

Evidence Type	Description
files	Affected files or IaC templates
ips	IP addresses or CIDR ranges
ports	Open ports or port ranges
secrets	Exposed credentials or API keys (redacted)
resources	Cloud resource ARNs or identifiers
policies	IAM policies or security group rules

Field Reference

Core Misconfiguration Fields

Field	Type	Description
misconfigurationId	string	Unique misconfiguration identifier
name	string	Misconfiguration name/title
severity	string	CRITICAL/HIGH/MEDIUM/LOW/INFO
status	string	NEW/IN_PROGRESS/RESOLVED/RISK_ACKED/SUPPRESSED
viewType	string	Detection domain (CLOUD, KUBERNETES, etc.)
detectedAt	datetime	When the misconfiguration was first detected
siteName	string	SentinelOne site (MSP client)
complianceStandards	array	Mapped compliance standards
mitreAttackTechniques	array	MITRE ATT&CK technique IDs
remediationSteps	string	Step-by-step remediation guidance
evidence	object	Evidence details (files, IPs, ports, secrets)
resourceType	string	Type of affected resource
resourceName	string	Name of affected resource
cloudProvider	string	AWS/AZURE/GCP (for cloud findings)
region	string	Cloud region (for cloud findings)

Common Workflows

Cloud Security Posture Review

1. Call list_misconfigurations with viewType=CLOUD, severity=CRITICAL, sortOrder=DESC
2. Group by cloud provider (AWS/Azure/GCP) and region
3. For each critical finding, call get_misconfiguration for full details and remediation steps
4. Identify patterns (e.g., multiple public S3 buckets, widespread missing encryption)
5. Build a remediation priority list

Compliance Audit

1. Call search_misconfigurations filtered by compliance standard (e.g., CIS, SOC 2, HIPAA)
2. Group by severity and status
3. Calculate compliance score: (resolved / total) * 100
4. Identify gap areas where critical misconfigurations are open
5. Generate a compliance report with remediation timelines

Client Security Assessment

1. Call search_misconfigurations filtered by siteName for the client
2. Aggregate by view type: cloud, Kubernetes, identity, IaC
3. Count by severity: CRITICAL, HIGH, MEDIUM, LOW
4. Highlight misconfigurations with MITRE ATT&CK mappings
5. Provide remediation guidance for the top findings

Kubernetes Security Review

1. Call list_misconfigurations with viewType=KUBERNETES, limit=100
2. Focus on containers running as root, missing network policies, and exposed services
3. Cross-reference with any related alerts
4. Generate a Kubernetes hardening checklist

Identity Posture Review

1. Call list_misconfigurations with viewType=IDENTITY
2. Focus on stale accounts, excessive permissions, and missing MFA
3. Group by identity provider (Active Directory, Entra ID)
4. Generate identity hygiene recommendations

Response Examples

Misconfiguration Detail:

{
  "misconfigurationId": "misconfig-xyz-789",
  "name": "S3 Bucket Public Access Enabled",
  "severity": "CRITICAL",
  "status": "NEW",
  "viewType": "CLOUD",
  "detectedAt": "2026-02-24T04:30:00.000Z",
  "siteName": "Acme Corporation",
  "cloudProvider": "AWS",
  "region": "us-east-1",
  "resourceType": "S3 Bucket",
  "resourceName": "acme-backup-2026",
  "complianceStandards": ["CIS AWS 1.5", "SOC 2", "PCI DSS 3.2.1"],
  "mitreAttackTechniques": ["T1530"],
  "remediationSteps": "1. Navigate to S3 > acme-backup-2026 > Permissions\n2. Enable 'Block all public access'\n3. Verify no bucket policies grant public access\n4. Enable S3 access logging",
  "evidence": {
    "resources": ["arn:aws:s3:::acme-backup-2026"],
    "policies": ["PublicRead ACL enabled"]
  }
}

Error Handling

Common Errors

Error	Cause	Resolution
Misconfiguration not found	Invalid misconfigurationId	Verify the ID with list_misconfigurations
Invalid severity filter	Wrong severity value	Use CRITICAL, HIGH, MEDIUM, LOW, or INFO
Invalid view type	Wrong viewType value	Use CLOUD, KUBERNETES, IDENTITY, etc.
Empty results	No matching misconfigurations	Widen filters or check scope
Authentication error	Invalid token	Verify Service User token is Account or Site level

Best Practices

1. Prioritize by severity - Focus on CRITICAL and HIGH misconfigurations first
2. Use view types - Scope reviews to specific domains (cloud, Kubernetes, identity)
3. Map to compliance - Track which compliance standards are impacted by open findings
4. Follow remediation steps - SentinelOne provides step-by-step guidance for each finding
5. Review evidence - Check the specific resource, policy, or file involved before remediating
6. Track progress - Monitor status transitions from NEW to RESOLVED
7. Aggregate for QBRs - Build posture summaries by client for quarterly reviews
8. Cross-reference with alerts - Check if any misconfiguration has been exploited
9. Focus on patterns - Multiple similar misconfigurations suggest a systemic issue
10. Scope to clients - Always filter by site when reviewing a specific client's posture

Related Skills

• Alerts - Alerts triggered by misconfiguration exploitation
• Vulnerabilities - Vulnerabilities that compound misconfiguration risk
• Inventory - Asset context for misconfigured resources
• API Patterns - MCP tools reference and connection info
• Purple AI - Investigate potential exploitation of misconfigurations