SentinelOne Unified Alert Management
All alert tools are read-only — you can view, search, and investigate alerts but cannot modify status, assignments, or take response actions.
For full field definitions, response examples, and error details see REFERENCE.md.
MCP Tools
list_alerts — List alerts with filters
Parameters: severity, status, viewType, limit, cursor, sortBy, sortOrder
list_alerts severity=CRITICAL status=NEW sortBy=detectedAt sortOrder=DESC limit=50
list_alerts viewType=CLOUD limit=50
search_alerts — GraphQL filter search
Parameter: filters (array of {fieldId, filterType, values}), limit, cursor
search_alerts filters=[{"fieldId": "endpointName", "filterType": "CONTAINS", "values": ["workstation-01"]}]
search_alerts filters=[{"fieldId": "severity", "filterType": "IN", "values": ["CRITICAL", "HIGH"]}]
Filter types: EQUALS, NOT_EQUALS, CONTAINS, IN, NOT_IN. Add "isNegated": true to invert any filter.
get_alert — Full alert details
get_alert alertId=1234567890
get_alert_notes / get_alert_history
get_alert_notes alertId=1234567890
get_alert_history alertId=1234567890
Key Concepts
Severity: CRITICAL | HIGH | MEDIUM | LOW | INFO | UNKNOWN
Status: NEW | IN_PROGRESS | RESOLVED | FALSE_POSITIVE
View types: ALL (default) | CLOUD | KUBERNETES | IDENTITY | INFRASTRUCTURE_AS_CODE | ADMISSION_CONTROLLER | OFFENSIVE_SECURITY | SECRET_SCANNING
Pagination: Pass limit on the first call, then pass the returned cursor to fetch subsequent pages until no results remain.
Workflows
Triage New Alerts
list_alertswithstatus=NEW,sortBy=severity,sortOrder=DESC,limit=50- If results hit the limit, page through with
cursor— do not assume 50 covers everything - For each CRITICAL/HIGH alert:
get_alertfor full details, thenget_alert_notesfor prior context - If
get_alertreturns not-found, the alert may have been merged or resolved — re-querylist_alertsto confirm - Build triage summary: alert name, severity, client (siteName), endpoint, detection time
Investigate a Specific Alert
get_alertwith thealertId- If not found: verify the ID via
list_alertsorsearch_alerts— alert IDs can change after merge operations
- If not found: verify the ID via
get_alert_notes— check for existing analyst notes before duplicating workget_alert_history— review timeline of status changes and assignments- Use
purple_aito investigate the threat described in the alert - Cross-reference with
list_inventory_itemsfor affected asset context
Search Across Clients
search_alertswithfilters=[{"fieldId": "severity", "filterType": "IN", "values": ["CRITICAL", "HIGH"]}]- If results are large, add a time-range filter or narrow by
viewTypeto reduce noise - Group by
siteNameto identify which clients need attention first
Best Practices
- Triage CRITICAL/HIGH first — always sort by severity descending during triage
- Check notes before investigating — call
get_alert_notesto avoid duplicating prior analyst work - Paginate large result sets — never assume a single page contains all matching alerts; always check for a returned cursor
- Scope by site for client work — use site/account filters or GraphQL
siteNamefilter when investigating a specific client
Related Skills
- Purple AI — Natural language investigation of alert threats
- Threat Hunting — PowerQuery execution for deep analysis
- API Patterns — MCP tools reference and connection info
- Inventory — Asset context for affected endpoints
- Vulnerabilities — Vulnerability context for compromised assets