SentinelOne AI Analyst: Claude Skills
A full-stack AI analyst for SentinelOne, built as a set of Claude skills, three MCP servers, and an operating persona (CLAUDE.md). Install once and Claude can hunt threats, triage alerts, write detections, deploy dashboards, author parsers, and build automation workflows, entirely from natural language.
Fastest way to get started: Docker install. One image bundles all three MCPs, no host-level Node, Python, or uv required. Pull, paste a config block, install the plugin, done.
New here? Start with the Zero to Hero guide: a 20-minute onboarding walkthrough for customers and partners new to Claude Skills.
Architecture overview
Three layers work together in every session:
```text
CLAUDE.md             SOC Analyst persona: session protocol, evidence rules,
                      investigation workflow, classification gates
                               │
                               ▼
MCP Servers           Live API access, outside the Cowork sandbox proxy
  sentinelone-mcp       26 tools: PowerQuery, SDL, Mgmt Console REST, UAM, Hyperautomation
  purple-mcp            Alert triage, Purple AI NLQ, Deep Visibility, assets, vulnerabilities
  threat-intel-mcp      External IOC enrichment (required for CRITICAL classification)
                               │
                               ▼
Skills (SKILL.md)     Procedural knowledge: confirmed API schemas, field requirements, usage patterns
  sentinelone-mgmt-console-api   Mgmt Console REST + UAM + Purple AI + HA
  sentinelone-powerquery         PowerQuery authoring and execution
  sentinelone-sdl-api            SDL log ingest and config file ops
  sentinelone-sdl-dashboard      Dashboard JSON authoring and deployment
  sentinelone-sdl-log-parser     Parser authoring and validation
  sentinelone-hyperautomation    Workflow JSON authoring and import
  sentinelone-sdl-solutions      Repeatable SDL solution deployment (onboarding, enrichment)
```
Skills encode confirmed API behavior, including field schemas and usage patterns validated against live tenants, so Claude doesn't guess field names. MCP servers bypass the Cowork sandbox proxy to reach *.sentinelone.net directly. CLAUDE.md defines the operating persona that instructs how to investigate, what evidence to gather, and how to classify findings.
Full architecture details: docs/architecture.md
What's included
The plugin bundles every skill; installing it is sufficient. No individual skill setup needed.
| Skill | What it does |
|---|---|
| sentinelone-mgmt-console-api | Query and act on the Management Console: threats, alerts, agents, sites, RemoteOps, Deep Visibility, Hyperautomation, Purple AI, UAM. Includes the source-agnostic behavioral baselining + anomaly detection pipeline (baseline_anomaly.py) |
| sentinelone-powerquery | Write, debug, and run PowerQuery for threat hunting, STAR detection rules, SDL dashboards, and statistical baseline / anomaly detection rule bodies |
| sentinelone-sdl-api | Ingest events, run queries, and manage configuration files (parsers, dashboards, lookups) via the Singularity Data Lake API |
| sentinelone-sdl-dashboard | Design, author, and deploy SDL dashboards: panels, tabs, parameters, and full dashboard JSON. See docs/sdl-dashboard.md for all supported panel types |
| sentinelone-sdl-log-parser | Author and validate SDL log parsers for any log format, with OCSF field mapping by default |
| sentinelone-hyperautomation | Design and generate Hyperautomation workflow JSON, with optional live console import |
| sentinelone-sdl-solutions | Deploy packaged, repeatable SDL solutions into a customer site from one short prompt: data source onboarding (raw stream to OCSF + enrichment + dashboard + MITRE detections + threat-response flow) and asset enrichment of raw logs (device/user context from the Asset Inventory). Orchestrates the skills above |
PrincipalSOCAnalyst Project