From sentinelone
Tracks SentinelOne XSPM vulnerabilities: CVEs, EPSS scores, exploit maturity, status management, patch prioritization, and MSP client reports using read-only tools.
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin sentinelone

This skill uses the workspace's default tool permissions.
Vulnerabilities in SentinelOne are tracked through the Extended Security Posture Management (XSPM) module. The platform identifies CVEs across managed endpoints, cloud workloads, and applications, enriching them with EPSS (Exploit Prediction Scoring System) scores, exploit maturity data, and remediation guidance. For MSPs, vulnerability management is a core service -- tracking which client endpoints have unpatched critical CVEs, prioritizing patches based on exploit likelihood, and reporting on vulnerability posture during quarterly business reviews.
All vulnerability tools are read-only. You can view, search, and report on vulnerabilities, but you cannot change vulnerability status, apply patches, or take remediation actions through the MCP tools.
| Tool | Description | Key Parameters |
|---|---|---|
| get_vulnerability | Get a single vulnerability by ID | vulnerabilityId (required) |
| list_vulnerabilities | List vulnerabilities with filters | severity, status, limit, cursor, sortBy, sortOrder |
| search_vulnerabilities | Search vulnerabilities with GraphQL filters | filters (array of fieldId/filterType/values), limit, cursor |
| get_vulnerability_notes | Get notes on a vulnerability | vulnerabilityId (required) |
| get_vulnerability_history | Get timeline of changes for a vulnerability | vulnerabilityId (required) |
Call list_vulnerabilities with optional parameters:

- Set severity to CRITICAL, HIGH, MEDIUM, LOW, or INFO
- Set status to one of the allowed values (see Status Values below)
- Set sortBy (e.g., severity, epssScore, detectedAt) and sortOrder (ASC or DESC)
- Set limit, and use the cursor from the response to request subsequent pages

Example: List all critical vulnerabilities:

list_vulnerabilities with severity=CRITICAL, sortBy=epssScore, sortOrder=DESC

Example: List vulnerabilities awaiting patches:

list_vulnerabilities with status=TO_BE_PATCHED, limit=50

Call search_vulnerabilities with a filters array for complex queries:

Example: Search for a specific CVE:

search_vulnerabilities with filters=[{"fieldId": "cveId", "filterType": "EQUALS", "values": ["CVE-2024-1234"]}]

Example: Search for exploitable vulnerabilities:

search_vulnerabilities with filters=[{"fieldId": "exploitMaturity", "filterType": "EQUALS", "values": ["ACTIVE"]}]

Call get_vulnerability with the vulnerabilityId to retrieve full details, including CVE information, EPSS score, affected assets, and remediation guidance.

Call get_vulnerability_notes with the vulnerabilityId to retrieve analyst comments and tracking notes.

Call get_vulnerability_history with the vulnerabilityId to retrieve the timeline of status changes and updates.
| Status | Description |
|---|---|
| NEW | Vulnerability detected and not yet reviewed |
| IN_PROGRESS | Vulnerability is being investigated or remediated |
| ON_HOLD | Remediation paused (e.g., waiting for vendor patch) |
| RESOLVED | Vulnerability has been remediated |
| RISK_ACKED | Risk acknowledged -- vulnerability accepted without remediation |
| SUPPRESSED | Vulnerability suppressed from reporting (e.g., false positive) |
| TO_BE_PATCHED | Vulnerability queued for patching |
| Severity | CVSS Range | Description |
|---|---|---|
| CRITICAL | 9.0 - 10.0 | Immediate remediation required |
| HIGH | 7.0 - 8.9 | Remediate within days |
| MEDIUM | 4.0 - 6.9 | Remediate within weeks |
| LOW | 0.1 - 3.9 | Remediate during maintenance windows |
| INFO | 0.0 | Informational, no action required |
The Exploit Prediction Scoring System (EPSS) provides a probability score (0.0 to 1.0) indicating how likely a vulnerability is to be exploited in the next 30 days:
| EPSS Range | Interpretation | Priority |
|---|---|---|
| 0.9 - 1.0 | Near-certain exploitation | Immediate |
| 0.7 - 0.9 | Very high likelihood | Within 24 hours |
| 0.4 - 0.7 | Moderate likelihood | Within 1 week |
| 0.1 - 0.4 | Low likelihood | Within 30 days |
| 0.0 - 0.1 | Very unlikely | Standard maintenance |
| Maturity | Description |
|---|---|
| ACTIVE | Exploit is actively being used in the wild |
| WEAPONIZED | Exploit code is publicly available and weaponized |
| POC | Proof-of-concept exists but not widely used |
| NONE | No known exploit code |
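The EPSS bands, severity levels and exploit-maturity values above are the inputs to patch prioritization. The following is an added example (not code from the SentinelOne plugin or the platform) that ranks records shaped like this skill's vulnerability fields: EPSS band first, exploit maturity as the tie-breaker, then CVSS severity, with closed statuses (RESOLVED, RISK_ACKED, SUPPRESSED) left out. It also produces the per-site open-vulnerability counts an MSP would put in a client report. The sample records, vulnerability IDs, CVE numbers and site names are constructed placeholders.

```python
"""Patch prioritization over XSPM-style vulnerability records.

Added example, not part of the SentinelOne plugin. It applies the EPSS bands,
severity levels and exploit-maturity values documented on this page to records
with the plugin's field names. All sample data below is constructed.
"""
from __future__ import annotations

from collections import defaultdict

# EPSS bands from the table above, highest first: (inclusive lower bound, priority label).
EPSS_BANDS = [
    (0.9, "Immediate"),
    (0.7, "Within 24 hours"),
    (0.4, "Within 1 week"),
    (0.1, "Within 30 days"),
    (0.0, "Standard maintenance"),
]

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}
MATURITY_RANK = {"ACTIVE": 3, "WEAPONIZED": 2, "POC": 1, "NONE": 0}

# Statuses that still need work; RESOLVED, RISK_ACKED and SUPPRESSED are closed out.
OPEN_STATUSES = {"NEW", "IN_PROGRESS", "ON_HOLD", "TO_BE_PATCHED"}


def epss_band(epss: float) -> int:
    """Index into EPSS_BANDS (0 = Immediate). Rejects scores outside 0.0-1.0."""
    if not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS score out of range: {epss}")
    for index, (lower, _label) in enumerate(EPSS_BANDS):
        if epss >= lower:
            return index
    return len(EPSS_BANDS) - 1


def epss_priority(epss: float) -> str:
    """Priority label from the EPSS table for a given probability score."""
    return EPSS_BANDS[epss_band(epss)][1]


def sort_key(vuln: dict) -> tuple:
    """Larger tuple = more urgent: EPSS band, then exploit maturity, then severity."""
    return (
        len(EPSS_BANDS) - epss_band(float(vuln.get("epssScore", 0.0))),
        MATURITY_RANK.get(vuln.get("exploitMaturity", "NONE"), 0),
        SEVERITY_RANK.get(vuln.get("severity", "INFO"), 0),
    )


def prioritize(vulns: list[dict]) -> list[dict]:
    """Open vulnerabilities, most urgent first, each annotated with its EPSS priority."""
    open_vulns = [v for v in vulns if v.get("status") in OPEN_STATUSES]
    ranked = sorted(open_vulns, key=sort_key, reverse=True)
    return [dict(v, priority=epss_priority(float(v["epssScore"]))) for v in ranked]


def site_summary(vulns: list[dict]) -> dict[str, dict[str, int]]:
    """Per-site counts of open vulnerabilities by severity, for MSP client reporting."""
    summary: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for v in vulns:
        if v.get("status") in OPEN_STATUSES:
            summary[v["siteName"]][v["severity"]] += 1
    return {site: dict(counts) for site, counts in summary.items()}


# Constructed sample records; IDs, CVE numbers and site names are placeholders.
SAMPLE = [
    {"vulnerabilityId": "vuln-001", "cveId": "CVE-EXAMPLE-0001", "severity": "CRITICAL",
     "status": "NEW", "epssScore": 0.97, "exploitMaturity": "ACTIVE", "siteName": "Client A"},
    {"vulnerabilityId": "vuln-002", "cveId": "CVE-EXAMPLE-0002", "severity": "HIGH",
     "status": "TO_BE_PATCHED", "epssScore": 0.45, "exploitMaturity": "POC", "siteName": "Client A"},
    {"vulnerabilityId": "vuln-003", "cveId": "CVE-EXAMPLE-0003", "severity": "CRITICAL",
     "status": "RESOLVED", "epssScore": 0.99, "exploitMaturity": "WEAPONIZED", "siteName": "Client B"},
    {"vulnerabilityId": "vuln-004", "cveId": "CVE-EXAMPLE-0004", "severity": "MEDIUM",
     "status": "IN_PROGRESS", "epssScore": 0.80, "exploitMaturity": "NONE", "siteName": "Client B"},
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(v["siteName"], v["cveId"], v["severity"], v["exploitMaturity"], v["priority"])
    print(site_summary(SAMPLE))
```

Ordering by EPSS band before exploit maturity follows the page's priority table; in the sample this puts the MEDIUM vulnerability with EPSS 0.80 ahead of the HIGH one with a proof-of-concept and EPSS 0.45. Feed it the records returned by list_vulnerabilities (one page per cursor) rather than the constructed SAMPLE.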
Search tools use GraphQL filters:

```json
{
  "fieldId": "severity",
  "filterType": "EQUALS",
  "values": ["CRITICAL"]
}
```

Common filter fields: cveId, severity, status, epssScore, exploitMaturity, siteName, endpointName, applicationName, detectedAt.
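Because the search tools accept a free-form filters array, a wrong fieldId or value only surfaces as one of the errors listed at the end of this page. The following added example (not the plugin's own code) builds filter objects in the shape shown above and checks the fieldId, filterType and values against the allowed values documented here before the tool is called. Only EQUALS appears on this page, so it is the only filterType modelled; the local `matches` helper illustrates EQUALS semantics over sample records and is an assumption about the query behaviour, not the platform's query engine.

```python
"""Build and sanity-check filters for search_vulnerabilities.

Added example, not part of the SentinelOne plugin. Assumes the filter shape
{fieldId, filterType, values} and the allowed severity, status and
exploit-maturity values from this page. Sample records are constructed.
"""
import json

COMMON_FIELDS = {"cveId", "severity", "status", "epssScore", "exploitMaturity",
                 "siteName", "endpointName", "applicationName", "detectedAt"}

# Allowed values for enumerated fields, taken from the tables on this page.
ALLOWED_VALUES = {
    "severity": {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"},
    "status": {"NEW", "IN_PROGRESS", "ON_HOLD", "RESOLVED", "RISK_ACKED",
               "SUPPRESSED", "TO_BE_PATCHED"},
    "exploitMaturity": {"ACTIVE", "WEAPONIZED", "POC", "NONE"},
}

# Only EQUALS is documented on this page; other filter types are not modelled here.
SUPPORTED_FILTER_TYPES = {"EQUALS"}


def build_filter(field_id: str, filter_type: str, values: list) -> dict:
    """Return one filter object, rejecting unknown fields and bad values up front."""
    if field_id not in COMMON_FIELDS:
        raise ValueError(f"unknown fieldId: {field_id}")
    if filter_type not in SUPPORTED_FILTER_TYPES:
        raise ValueError(f"unsupported filterType: {filter_type}")
    if not values:
        raise ValueError("values must not be empty")
    allowed = ALLOWED_VALUES.get(field_id)
    if allowed is not None:
        bad = [v for v in values if v not in allowed]
        if bad:
            raise ValueError(f"invalid {field_id} value(s) {bad}; allowed: {sorted(allowed)}")
    return {"fieldId": field_id, "filterType": filter_type, "values": list(values)}


def build_filters(**criteria) -> list:
    """build_filters(severity=["CRITICAL"], siteName=["Acme Corporation"]) -> filters array."""
    return [build_filter(field, "EQUALS", vals) for field, vals in criteria.items()]


def to_json(filters: list) -> str:
    """Serialise the filters array in the compact form passed to the tool call."""
    return json.dumps(filters, separators=(",", ":"))


def matches(record: dict, filters: list) -> bool:
    """Assumed EQUALS semantics: every filter must match, any listed value counts."""
    return all(str(record.get(f["fieldId"])) in {str(v) for v in f["values"]} for f in filters)


def apply_filters(records: list, filters: list) -> list:
    """Local illustration of a search: keep records that satisfy all filters."""
    return [r for r in records if matches(r, filters)]


# Constructed sample records with placeholder IDs, CVE numbers and site names.
SAMPLE_RECORDS = [
    {"vulnerabilityId": "vuln-001", "cveId": "CVE-EXAMPLE-0001", "severity": "CRITICAL",
     "status": "NEW", "exploitMaturity": "ACTIVE", "siteName": "Client A"},
    {"vulnerabilityId": "vuln-002", "cveId": "CVE-EXAMPLE-0002", "severity": "CRITICAL",
     "status": "TO_BE_PATCHED", "exploitMaturity": "POC", "siteName": "Client A"},
    {"vulnerabilityId": "vuln-003", "cveId": "CVE-EXAMPLE-0003", "severity": "HIGH",
     "status": "NEW", "exploitMaturity": "ACTIVE", "siteName": "Client B"},
]

if __name__ == "__main__":
    filters = build_filters(severity=["CRITICAL"], exploitMaturity=["ACTIVE"])
    print(to_json(filters))
    print([r["vulnerabilityId"] for r in apply_filters(SAMPLE_RECORDS, filters)])
```

Validating before the call turns an "Invalid status filter" round-trip into an immediate local error, and the compact JSON from `to_json` is exactly what the examples above pass as the filters argument.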
| Field | Type | Description |
|---|---|---|
| vulnerabilityId | string | Unique vulnerability identifier |
| cveId | string | CVE identifier (e.g., CVE-2024-1234) |
| name | string | Vulnerability name/title |
| severity | string | CRITICAL/HIGH/MEDIUM/LOW/INFO |
| status | string | Current status (NEW, IN_PROGRESS, etc.) |
| cvssScore | float | CVSS v3 base score |
| epssScore | float | EPSS probability score (0.0 - 1.0) |
| exploitMaturity | string | ACTIVE/WEAPONIZED/POC/NONE |
| detectedAt | datetime | When the vulnerability was first detected |
| siteName | string | SentinelOne site (MSP client) |
| endpointName | string | Affected endpoint hostname |
| applicationName | string | Vulnerable application name |
| applicationVersion | string | Vulnerable application version |
| remediationSteps | string | Recommended remediation actions |
| fixVersion | string | Application version that fixes the vulnerability |
| affectedAssets | array | List of affected assets |
- list_vulnerabilities with severity=CRITICAL, status=NEW, sortBy=epssScore, sortOrder=DESC
- get_vulnerability for full details
- search_vulnerabilities with filters=[{"fieldId": "siteName", "filterType": "EQUALS", "values": ["Client Name"]}]
- exploitMaturity=ACTIVE)
- list_vulnerabilities with status=TO_BE_PATCHED, sortBy=epssScore, sortOrder=DESC
- exploitMaturity of ACTIVE or WEAPONIZED
- list_vulnerabilities for the current period
- search_vulnerabilities filtered by client site

Vulnerability Detail:

```json
{
  "vulnerabilityId": "vuln-abc-123",
  "cveId": "CVE-2024-21887",
  "name": "Ivanti Connect Secure Authentication Bypass",
  "severity": "CRITICAL",
  "status": "NEW",
  "cvssScore": 9.1,
  "epssScore": 0.97,
  "exploitMaturity": "ACTIVE",
  "detectedAt": "2026-02-24T06:00:00.000Z",
  "siteName": "Acme Corporation",
  "endpointName": "ACME-VPN-01",
  "applicationName": "Ivanti Connect Secure",
  "applicationVersion": "9.1R17",
  "remediationSteps": "Upgrade to version 9.1R18 or later. Apply vendor mitigation XML as interim measure.",
  "fixVersion": "9.1R18"
}
```
| Error | Cause | Resolution |
|---|---|---|
| Vulnerability not found | Invalid vulnerabilityId | Verify the ID with list_vulnerabilities |
| Invalid severity filter | Wrong severity value | Use CRITICAL, HIGH, MEDIUM, LOW, or INFO |
| Invalid status filter | Wrong status value | Use NEW, IN_PROGRESS, ON_HOLD, RESOLVED, RISK_ACKED, SUPPRESSED, or TO_BE_PATCHED |
| Empty results | No matching vulnerabilities | Widen filters or check scope |
| Authentication error | Invalid token | Verify Service User token is Account or Site level |