sentinelone
MCP server for SentinelOne Core + Deep Visibility APIs
claude mcp add --transport stdio c0tton-fluff-sentinelone-mcp-server node /path/to/sentinelone-mcp-server/dist/index.js \
  --env SENTINELONE_API_KEY="your_api_token_here" \
  --env SENTINELONE_API_BASE="https://your-tenant.sentinelone.net"
How to use
This MCP server provides an integration layer for SentinelOne, enabling AI assistants to manage threats, inspect endpoints, query alerts, and perform Deep Visibility hunts. Tools exposed include threat management commands (list, inspect, mitigate actions like kill/quarantine/remediate/rollback), agent operations (list, get details, isolate, reconnect), unified alert queries, hash reputation lookups, and Deep Visibility queries with automated polling. To use it, configure your MCP client to point at the server entry point (the built dist/index.js) and supply your SentinelOne API token and base URL. Once configured, you can issue natural language or structured prompts through Claude Code (or other MCP clients) and the agent will map requests to the appropriate SentinelOne API calls, returning structured results and redacting sensitive API keys from error messages.
How to install
Prerequisites:
- Node.js and npm installed on your machine (recommended: LTS version)
- Git installed
- Access to SentinelOne API via an API token
- Install dependencies and build
git clone https://github.com/c0tton-fluff/sentinelone-mcp-server.git
cd sentinelone-mcp-server
npm install
npm run build
- Prepare configuration
  - Obtain a SentinelOne API token from your SentinelOne console.
  - Note your SentinelOne base URL (e.g., https://tenant.sentinelone.net).
- Run the server (local development)
# Example using the built dist/index.js
node dist/index.js
- Wire up MCP client configuration (example shown in README):
{
  "mcpServers": {
    "sentinelone": {
      "command": "node",
      "args": ["/path/to/sentinelone-mcp-server/dist/index.js"],
      "env": {
        "SENTINELONE_API_KEY": "your_api_token_here",
        "SENTINELONE_API_BASE": "https://your-tenant.sentinelone.net"
      }
    }
  }
}
- Verify operation
  - Ensure environment variables are accessible to the runtime process.
  - Check logs under your MCP client's log directory if issues arise.
Additional notes
Tips and considerations:
- Ensure the API token has the necessary permissions for the actions you intend to perform (threat management, agent operations, alerts, and DV queries).
- If you encounter configuration errors, verify that SENTINELONE_API_KEY and SENTINELONE_API_BASE are correctly set and reachable from the MCP server.
- The server supports redaction of API keys in error messages for security; if you see sensitive data leaking, review error handling and ensure proper env masking.
- When using Deep Visibility queries, expect automatic polling and pagination; tailor your queries to avoid overly broad date ranges to keep performance optimal.
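
One way to check the key redaction mentioned in the notes above, as an added example that is not code from the sentinelone-mcp-server project. The names `makeRedactor` and `redactError` and the sample token are hypothetical, and it assumes the token is sent using the SentinelOne `ApiToken` Authorization scheme.

```javascript
// Added example; function and variable names are hypothetical, not the project's.
const MASK = "[REDACTED]";

// Escape a literal string for safe use inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build a redactor bound to one secret. It masks the raw token, its
// URL-encoded form, and whatever value follows an "ApiToken" header scheme.
function makeRedactor(secret) {
  const variants = new Set();
  // Skip empty or very short values: masking them would shred ordinary text.
  if (secret && secret.length >= 8) {
    variants.add(secret);
    variants.add(encodeURIComponent(secret));
  }
  // Longest first, so an encoded variant is masked whole.
  const literals = [...variants].sort((a, b) => b.length - a.length).map(escapeRegExp);
  const literalRe = literals.length ? new RegExp(literals.join("|"), "g") : null;
  const headerRe = /\b(ApiToken)\s+[^\s"',;]+/gi;
  return function redact(text) {
    let out = String(text);
    if (literalRe) out = out.replace(literalRe, MASK);
    return out.replace(headerRe, `$1 ${MASK}`);
  };
}

// Turn an Error (message, stack, nested cause) into a plain object that is
// safe to log or return to the MCP client.
function redactError(err, redact) {
  const safe = { name: err.name, message: redact(err.message) };
  if (err.stack) safe.stack = redact(err.stack);
  if (err.cause instanceof Error) safe.cause = redactError(err.cause, redact);
  return safe;
}

// Constructed sample token and errors, for demonstration only.
const SAMPLE_TOKEN = "s1tok_CONSTRUCTED+example/0123456789==";
function demo() {
  const redact = makeRedactor(SAMPLE_TOKEN);
  const inner = new Error(`upstream echoed ${encodeURIComponent(SAMPLE_TOKEN)}`);
  const outer = new Error(`401 from API, sent Authorization: ApiToken ${SAMPLE_TOKEN}`,
    { cause: inner });
  return redactError(outer, redact);
}
```

The nested `cause` and the URL-encoded form are the two places a naive string replace on `err.message` misses.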