SentinelOne XSPM Vulnerability Management
Overview
Vulnerabilities in SentinelOne are tracked through the Extended Security Posture Management (XSPM) module. The platform identifies CVEs across managed endpoints, cloud workloads, and applications, enriching them with EPSS (Exploit Prediction Scoring System) scores, exploit maturity data, and remediation guidance. For MSPs, vulnerability management is a core service -- tracking which client endpoints have unpatched critical CVEs, prioritizing patches based on exploit likelihood, and reporting on vulnerability posture during quarterly business reviews.
All vulnerability tools are read-only. You can view, search, and report on vulnerabilities, but you cannot change vulnerability status, apply patches, or take remediation actions through the MCP tools.
MCP Tools
Available Tools
| Tool | Description | Key Parameters |
|---|---|---|
get_vulnerability | Get a single vulnerability by ID | vulnerabilityId (required) |
list_vulnerabilities | List vulnerabilities with filters | severity, status, limit, cursor, sortBy, sortOrder |
search_vulnerabilities | Search vulnerabilities with GraphQL filters | filters (array of fieldId/filterType/values), limit, cursor |
get_vulnerability_notes | Get notes on a vulnerability | vulnerabilityId (required) |
get_vulnerability_history | Get timeline of changes for a vulnerability | vulnerabilityId (required) |
List Vulnerabilities
Call list_vulnerabilities with optional parameters:
- Filter by severity: Set
severitytoCRITICAL,HIGH,MEDIUM,LOW, orINFO - Filter by status: Set
statusto one of the allowed values (see Status Values below) - Sort results: Set
sortBy(e.g.,severity,epssScore,detectedAt) andsortOrder(ASCorDESC) - Paginate: Set
limitand usecursorfrom the response for subsequent pages
Example: List all critical vulnerabilities:
list_vulnerabilitieswithseverity=CRITICAL,sortBy=epssScore,sortOrder=DESC
Example: List vulnerabilities awaiting patches:
list_vulnerabilitieswithstatus=TO_BE_PATCHED,limit=50
Search Vulnerabilities
Call search_vulnerabilities with a filters array for complex queries:
Example: Search for a specific CVE:
search_vulnerabilitieswithfilters=[{"fieldId": "cveId", "filterType": "EQUALS", "values": ["CVE-2024-1234"]}]
Example: Search for exploitable vulnerabilities:
search_vulnerabilitieswithfilters=[{"fieldId": "exploitMaturity", "filterType": "EQUALS", "values": ["ACTIVE"]}]
Get Vulnerability Details
Call get_vulnerability with the vulnerabilityId to retrieve full details including CVE information, EPSS score, affected assets, and remediation guidance.
Get Vulnerability Notes
Call get_vulnerability_notes with the vulnerabilityId to retrieve analyst comments and tracking notes.
Get Vulnerability History
Call get_vulnerability_history with the vulnerabilityId to retrieve the timeline of status changes and updates.
Key Concepts
Vulnerability Status Values
| Status | Description |
|---|---|
NEW | Vulnerability detected and not yet reviewed |
IN_PROGRESS | Vulnerability is being investigated or remediated |
ON_HOLD | Remediation paused (e.g., waiting for vendor patch) |
RESOLVED | Vulnerability has been remediated |
RISK_ACKED | Risk acknowledged -- vulnerability accepted without remediation |
SUPPRESSED | Vulnerability suppressed from reporting (e.g., false positive) |
TO_BE_PATCHED | Vulnerability queued for patching |
Severity Levels
| Severity | CVSS Range | Description |
|---|---|---|
CRITICAL | 9.0 - 10.0 | Immediate remediation required |
HIGH | 7.0 - 8.9 | Remediate within days |
MEDIUM | 4.0 - 6.9 | Remediate within weeks |
LOW | 0.1 - 3.9 | Remediate during maintenance windows |
INFO | 0.0 | Informational, no action required |
EPSS Scores
The Exploit Prediction Scoring System (EPSS) provides a probability score (0.0 to 1.0) indicating how likely a vulnerability is to be exploited in the next 30 days:
| EPSS Range | Interpretation | Priority |
|---|---|---|
| 0.9 - 1.0 | Near-certain exploitation | Immediate |
| 0.7 - 0.9 | Very high likelihood | Within 24 hours |
| 0.4 - 0.7 | Moderate likelihood | Within 1 week |
| 0.1 - 0.4 | Low likelihood | Within 30 days |
| 0.0 - 0.1 | Very unlikely | Standard maintenance |
Exploit Maturity
| Maturity | Description |
|---|---|
ACTIVE | Exploit is actively being used in the wild |
WEAPONIZED | Exploit code is publicly available and weaponized |
POC | Proof-of-concept exists but not widely used |
NONE | No known exploit code |
GraphQL Filter Syntax
Search tools use GraphQL filters:
{
"fieldId": "severity",
"filterType": "EQUALS",
"values": ["CRITICAL"]
}
Common filter fields: cveId, severity, status, epssScore, exploitMaturity, siteName, endpointName, applicationName, detectedAt.
Field Reference
Core Vulnerability Fields
| Field | Type | Description |
|---|---|---|
vulnerabilityId | string | Unique vulnerability identifier |
cveId | string | CVE identifier (e.g., CVE-2024-1234) |
name | string | Vulnerability name/title |
severity | string | CRITICAL/HIGH/MEDIUM/LOW/INFO |
status | string | Current status (NEW, IN_PROGRESS, etc.) |
cvssScore | float | CVSS v3 base score |
epssScore | float | EPSS probability score (0.0 - 1.0) |
exploitMaturity | string | ACTIVE/WEAPONIZED/POC/NONE |
detectedAt | datetime | When the vulnerability was first detected |
siteName | string | SentinelOne site (MSP client) |
endpointName | string | Affected endpoint hostname |
applicationName | string | Vulnerable application name |
applicationVersion | string | Vulnerable application version |
remediationSteps | string | Recommended remediation actions |
fixVersion | string | Application version that fixes the vulnerability |
affectedAssets | array | List of affected assets |
Common Workflows
Critical Vulnerability Review
- Call
list_vulnerabilitieswithseverity=CRITICAL,status=NEW,sortBy=epssScore,sortOrder=DESC - Review each vulnerability's EPSS score and exploit maturity
- For high-EPSS vulnerabilities, call
get_vulnerabilityfor full details - Group by client (siteName) to identify which clients are most exposed
- Prioritize remediation based on EPSS score and exploit maturity
Vulnerability Audit by Client
- Call
search_vulnerabilitieswithfilters=[{"fieldId": "siteName", "filterType": "EQUALS", "values": ["Client Name"]}] - Aggregate by severity: count CRITICAL, HIGH, MEDIUM, LOW
- Identify top CVEs by EPSS score
- Check for any actively exploited vulnerabilities (
exploitMaturity=ACTIVE) - Generate a client-specific vulnerability report
Patch Prioritization
- Call
list_vulnerabilitieswithstatus=TO_BE_PATCHED,sortBy=epssScore,sortOrder=DESC - Focus on vulnerabilities with
exploitMaturityofACTIVEorWEAPONIZED - Group by application to identify which patches address the most vulnerabilities
- Generate a prioritized patch list by client
Vulnerability Trending
- Call
list_vulnerabilitiesfor the current period - Compare with previous period to identify new vulnerabilities
- Calculate remediation rates (resolved / total)
- Track EPSS score distribution changes
- Report on vulnerability posture improvement or degradation
QBR Vulnerability Report
- Call
search_vulnerabilitiesfiltered by client site - Count by severity and status
- Highlight CRITICAL and HIGH with ACTIVE exploit maturity
- Show remediation progress (resolved vs. new over the period)
- List top