> ## Documentation Index > Fetch the complete documentation index at: https://docs.tracecat.com/llms.txt > Use this file to discover all available pages before exploring further. # SentinelOne > Reference for the Tracecat SentinelOne integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Abort scan Action ID: `tools.sentinel_one.abort_scan` Abort a running scan on SentinelOne agents. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields ID of the agent/device to abort scan on. SentinelOne tenant URL. Default: `null`. ## Disable agent Action ID: `tools.sentinel_one.disable_agent` Disable a SentinelOne agent. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields ID of the agent to disable. SentinelOne tenant URL. Default: `null`. Whether the agent should reboot after disabling. Default: `false`. ## Enable agent Action ID: `tools.sentinel_one.enable_agent` Enable a SentinelOne agent. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields ID of the agent to enable. SentinelOne tenant URL. Default: `null`. Whether the agent should reboot after enabling. Default: `false`. ## Initiate scan Action ID: `tools.sentinel_one.initiate_scan` Initiate a scan on SentinelOne agents. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields ID of the agent/device to scan. SentinelOne tenant URL. Default: `null`. ## Isolate endpoint Action ID: `tools.sentinel_one.disconnect_device` Disconnect a SentinelOne agent from the network. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields ID of the endpoint/agent to disconnect. SentinelOne tenant URL. Default: `null`. ## List agent IDs Action ID: `tools.sentinel_one.list_agent_ids` Get a simple list of SentinelOne agent IDs. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `1000`. ## List alerts Action ID: `tools.sentinel_one.list_alerts` Query for SentinelOne alerts. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields End time for the query (exclusive). Start time for the query (inclusive). SentinelOne tenant URL. Default: `null`. Maximum number of alerts to return. Default: `100`. SentinelOne search query. Default: `null`. ## List threats Action ID: `tools.sentinel_one.list_threats` Query for SentinelOne threats. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields End time for the query (exclusive). Start time for the query (inclusive). SentinelOne tenant URL. Default: `null`. Maximum number of alerts to return. Default: `100`. SentinelOne search query. Default: `null`. ## Lookup agents by account ID Action ID: `tools.sentinel_one.lookup_agent_account_id` Find all SentinelOne agents in a specific account. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields Account ID to filter agents by. SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `100`. ## Lookup agents by email Action ID: `tools.sentinel_one.lookup_agent_email` Find all SentinelOne agents associated with a user email address. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields Email address to search for in agent user fields. SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `100`. ## Lookup agents by file hash Action ID: `tools.sentinel_one.lookup_agent_hash` Find all SentinelOne agents that have encountered threats with a specific file hash. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields File hash (MD5, SHA1, SHA256) to search for in agent threats. SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `100`. ## Lookup agents by group ID Action ID: `tools.sentinel_one.lookup_agent_groupid` Find all SentinelOne agents in a specific group. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields Group ID to filter agents by. SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `100`. ## Lookup agents by hostname Action ID: `tools.sentinel_one.lookup_agent_hostname` Find all SentinelOne agents by hostname/computer name. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields Hostname/computer name to search for (supports partial matches). SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `100`. ## Lookup agents by IP address Action ID: `tools.sentinel_one.lookup_agent_ip` Find all SentinelOne agents by IP address (external IP, network interface, or gateway). Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields IP address to search for (supports partial matches). SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `100`. ## Lookup agents by MAC address Action ID: `tools.sentinel_one.lookup_agent_mac_address` Find all SentinelOne agents by MAC address (network interface physical address or gateway MAC). Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields MAC address to search for (supports partial matches, e.g., "aa:0f" or "41:") SentinelOne console base URL (e.g., [https://your-tenant.sentinelone.net](https://your-tenant.sentinelone.net)) Default: `null`. Maximum number of agents to return (1-1000) Default: `100`. Whether to also search gateway MAC addresses Default: `false`. ## Lookup agents by machine type Action ID: `tools.sentinel_one.lookup_agent_machine_type` Find all SentinelOne agents filtered by machine type (laptop, desktop, server, etc.). Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields Machine types to include (e.g., laptop, desktop, server) SentinelOne console base URL (e.g., [https://your-tenant.sentinelone.net](https://your-tenant.sentinelone.net)) Default: `null`. Machine types to exclude (optional) Default: `[]`. Maximum number of agents to return (1-1000) Default: `100`. ## Lookup agents by operating system Action ID: `tools.sentinel_one.lookup_agent_os` Find all SentinelOne agents filtered by operating system type, name, revision, and version information. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields OS types to include (e.g., windows, linux, macos, windows\_legacy) SentinelOne console base URL (e.g., [https://your-tenant.sentinelone.net](https://your-tenant.sentinelone.net)) Default: `null`. Maximum number of agents to return (1-1000) Default: `100`. Free-text filter by OS full name (optional) Default: `""`. OS revision filter (optional) Default: `""`. Free-text filter by OS full name and version (supports multiple values) Default: `[]`. ## Unisolate endpoint Action ID: `tools.sentinel_one.connect_to_network` Connect a SentinelOne agent to the network. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields ID of the endpoint/agent to connect. SentinelOne tenant URL. Default: `null`.