@pmoses-s1/sentinelone-mcp 1.1.0 → 1.2.0

package/CHANGELOG.md

@@ -1,6 +1,22 @@
 # Changelog
 
-## 1.1.0 — 2026-05-28
+## 1.2.0 — 2026-06-11
+
+### Added
+- **`hec_ingest` tool** — raw-log/event ingestion into the Singularity Data Lake via the HEC (HTTP Event Collector) endpoint (`/services/collector/raw` and `/services/collector/event`). Supports `parser` (-> `?sourcetype=`), custom `fields` (query params), **required** `scope` (S1-Scope header), gzip compression, and `isParsed` (-> `?isParsed=true`, indexes already-structured JSON with no SDL parser). Replaces the removed `sdl_upload_logs`. Validated live across the full HEC matrix (both endpoints, gzip on/off, parser field extraction, multi-line, batched, reserved-field handling, scope enforcement, isParsed). Grounded in the S-26.1 HEC docs (p.4723-4726).
+
+### Removed
+- **`sdl_upload_logs` tool** plus the underlying SDL `uploadLogs`/`addEvents` library functions and `SDL_LOG_WRITE_KEY` plumbing. SDL raw-log ingestion moves to the HEC path (`hec_ingest`). The `sentinelone-sdl-api` skill is now query + configuration only; the `sentinelone-sdl-log-parser` validation loop uses HEC ingest.
+
+### Changed
+- Tool count unchanged at 26 (removed `sdl_upload_logs`, added `hec_ingest`).
+- Skill docs corrected: scheduled detection rules bind the Target Asset via `entityMappings` ("Entity column mapping"); the full scheduled-rule option set (UI <-> API) is catalogued in `sentinelone-powerquery/references/detection-rules.md`.
+
+
+## 1.1.0 — 2026-05-28 (rebuilt 2026-05-31)
+
+### Fixed (rebuild)
+- **`s1_api_get` now auto-injects `isLegacy=false` for `/cloud-detection/rules` listings.** Without `isLegacy=false` the S1 API silently omits `queryType="scheduled"` PowerQuery rules from the response — no error, no warning, the response just lies by omission. The handler now guards against this when the caller forgets, and the tool description loudly flags the requirement. This eliminates the "I see zero scheduled detections" failure mode that was producing wrong verdicts when listing Custom Detection rules. Same `1.1.0` version per the rebuild request.
 
 ### Added
 - **Streamable HTTP transport.** New `--transport http` mode (default stays `stdio`). Single-endpoint POST `/mcp` per the MCP 2024-11-05 spec, plus `/healthz` for load balancer probes. Implementation is pure `node:http`, no new dependencies.

package/README.md

@@ -31,7 +31,7 @@ See **[deploy/README.md](./deploy/README.md)** for the full deployment walkthrou
 | SDL API | `sdl_get_file` | sentinelone-sdl-api / sdl-dashboard / sdl-log-parser |
 | SDL API | `sdl_list_files` | sentinelone-sdl-api / sdl-dashboard / sdl-log-parser |
 | SDL API | `sdl_put_file` | sentinelone-sdl-api / sdl-dashboard / sdl-log-parser |
-| SDL API | `sdl_upload_logs` | sentinelone-sdl-api / sdl-log-parser |
+| SDL API | `hec_ingest` | sentinelone-sdl-api / sdl-log-parser |
 | Hyperautomation | `ha_archive_workflow` | sentinelone-hyperautomation |
 | Hyperautomation | `ha_export_workflow` | sentinelone-hyperautomation |
 | Hyperautomation | `ha_get_workflow` | sentinelone-hyperautomation |
@@ -52,9 +52,11 @@ See **[deploy/README.md](./deploy/README.md)** for the full deployment walkthrou
 
 ## Quick install
 
-Two paths, pick one:
+Three paths, pick the one that matches your setup:
 
-### Easiest: `npx` via Claude Desktop / Claude Code / Cowork
+### A. Local single-user via `npx` (Claude Desktop / Claude Code / Cowork)
+
+MCP runs as a subprocess on your machine, talking SentinelOne APIs directly. Credentials live in the Claude config `env` block.
 
 Add this to `claude_desktop_config.json` (or `.mcp.json` for Claude Code):
 
@@ -70,7 +72,6 @@ Add this to `claude_desktop_config.json` (or `.mcp.json` for Claude Code):
         "S1_HEC_INGEST_URL":    "https://ingest.us1.sentinelone.net",
         "SDL_XDR_URL":          "https://xdr.us1.sentinelone.net",
         "SDL_LOG_READ_KEY":     "...",
-        "SDL_LOG_WRITE_KEY":    "...",
         "SDL_CONFIG_READ_KEY":  "...",
         "SDL_CONFIG_WRITE_KEY": "..."
       }
@@ -81,21 +82,55 @@ Add this to `claude_desktop_config.json` (or `.mcp.json` for Claude Code):
 
 Restart Claude Desktop. `npx -y` caches the package on first launch.
 
-### Reproducible: install script
+### B. Reproducible: install script
 
 ```bash
 curl -fsSL https://raw.githubusercontent.com/pmoses-s1/claude-skills/main/sentinelone-mcp/deploy/install.sh | bash
 ```
 
-This sets up a per-user npm prefix if needed, installs the package, drops a credentials skeleton at `~/.config/sentinelone/credentials.json` (mode 0600), and prints the wiring instructions for Claude Desktop.
+Sets up a per-user npm prefix if needed, installs the package, drops a credentials skeleton at `~/.config/sentinelone/credentials.json` (mode 0600), and prints the wiring instructions for Claude Desktop.
 
 For VM deployments, the same script in `--server` mode does everything (system user, systemd unit, initial bearer token, service start). See [deploy/README.md](./deploy/README.md).
 
+### C. Claude Desktop connecting to a team VM (stdio bridge)
+
+When the MCP is running as a shared service on a Linux VM (deploy topology C in [deploy/README.md](./deploy/README.md)) and you're connecting from Claude Desktop, you need a small stdio↔HTTPS shim because Claude Desktop's stable build doesn't accept `type: "http"` configs. (Claude Cowork and Claude Code do; see "[Calling the HTTP endpoint directly](#calling-the-http-endpoint-directly)" for the native `type: "http"` form.)
+
+The bridge is a 40-line zero-dependency Node script shipped at [`deploy/bridge/sentinelone-mcp-bridge.mjs`](./deploy/bridge/sentinelone-mcp-bridge.mjs).
+
+Each team member installs the script once:
+
+```bash
+mkdir -p ~/.local/bin
+curl -fsSL https://raw.githubusercontent.com/pmoses-s1/claude-skills/main/sentinelone-mcp/deploy/bridge/sentinelone-mcp-bridge.mjs \
+  -o ~/.local/bin/sentinelone-mcp-bridge.mjs
+chmod +x ~/.local/bin/sentinelone-mcp-bridge.mjs
+```
+
+Then adds this block to `claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "sentinelone-mcp": {
+      "command": "node",
+      "args": ["/Users/<you>/.local/bin/sentinelone-mcp-bridge.mjs"],
+      "env": {
+        "MCP_URL":    "https://mcp.example.internal:8764/mcp",
+        "MCP_BEARER": "<your personal bearer token>"
+      }
+    }
+  }
+}
+```
+
+Cmd+Q and reopen Claude Desktop. SentinelOne credentials live on the VM in `/etc/sentinelone-mcp/credentials.json` — only the bearer token sits in each user's local Claude config. Full setup + smoke-test instructions at [`deploy/bridge/README.md`](./deploy/bridge/README.md).
+
 ## Credentials
 
 `S1_CONSOLE_URL` and `S1_CONSOLE_API_TOKEN` are sufficient for the PowerQuery, Mgmt Console REST, Purple AI summary, and UAM tools (16 of the 26).
 
-`S1_HEC_INGEST_URL` is **required** for the three UAM Ingest tools (`uam_ingest_alert`, `uam_post_indicators`, `uam_post_alert`). Without it those tools error at call time, the rest still work.
+`S1_HEC_INGEST_URL` is **required** for the three UAM Ingest tools (`uam_ingest_alert`, `uam_post_indicators`, `uam_post_alert`) and for `hec_ingest`. Without it those tools error at call time; the rest still work.
 
 `SDL_*` keys gate the SDL tools as follows:
 
@@ -103,10 +138,9 @@ For VM deployments, the same script in `--server` mode does everything (system u
 |----------|-------------|--------------|
 | `S1_CONSOLE_URL` | Console URL, e.g. `https://usea1-acme.sentinelone.net` | All Mgmt + PowerQuery tools |
 | `S1_CONSOLE_API_TOKEN` | Mgmt Console API token (Settings → Users → Service Users) | All Mgmt + PowerQuery + UAM tools |
-| `S1_HEC_INGEST_URL` | HEC ingest host, e.g. `https://ingest.us1.sentinelone.net` | `uam_ingest_alert`, `uam_post_indicators`, `uam_post_alert` |
+| `S1_HEC_INGEST_URL` | HEC ingest host, e.g. `https://ingest.us1.sentinelone.net` | `uam_ingest_alert`, `uam_post_indicators`, `uam_post_alert`, `hec_ingest` |
 | `SDL_XDR_URL` | SDL tenant URL, e.g. `https://xdr.us1.sentinelone.net` | All `sdl_*` tools and `powerquery_schema_discover` |
 | `SDL_LOG_READ_KEY` | SDL Log Read key | SDL query operations |
-| `SDL_LOG_WRITE_KEY` | SDL Log Write key (console JWT NOT accepted by this endpoint) | `sdl_upload_logs` |
 | `SDL_CONFIG_READ_KEY` | SDL Config Read key | `sdl_list_files`, `sdl_get_file` |
 | `SDL_CONFIG_WRITE_KEY` | SDL Config Write key | `sdl_put_file`, `sdl_delete_file` |
 
@@ -182,6 +216,221 @@ Every authenticated HTTP request emits a structured stderr line that systemd cap
 [audit] 2026-05-28T17:03:11.221Z | -     | -          | -                  | 401 unauthorized
 ```
 
+## Calling the HTTP endpoint directly
+
+You don't need an MCP client library. The HTTP transport is plain JSON-RPC 2.0 over `POST`, with bearer auth in the `Authorization` header. Any HTTP client works — `curl`, Python `requests`, Node `fetch`, Go `net/http`, etc. This is how you'd integrate from a custom script, a CI job, or a non-MCP tool that just needs to call SentinelOne via the same wrapped surface.
+
+> **Ready-made check:** [`scripts/smoke-test-http.sh`](./scripts/smoke-test-http.sh) runs the six contract checks documented below (healthz, initialize, tools/list, tools/call, bad-bearer 401, unknown-method JSON-RPC error) and prints PASS/FAIL. Run as `MCP_HOST=<host:port> MCP_BEARER=<token> bash sentinelone-mcp/scripts/smoke-test-http.sh`. Good for new-team-member onboarding and post-rotation validation.
+
+### Endpoint contract
+
+| Item | Value |
+|---|---|
+| Method | `POST` |
+| URL | `https://<host>:<port>/mcp` (path is `/mcp` by default; configurable with `--path`) |
+| `Content-Type` | `application/json` |
+| `Authorization` | `Bearer <token>` (one of the tokens in `MCP_BEARER_TOKENS_FILE`) |
+| Body | JSON-RPC 2.0 envelope |
+| Response | JSON-RPC 2.0 envelope (`result` on success, `error` on failure) |
+
+Health probe (no auth, no JSON): `GET /healthz` returns `200 ok`.
+
+### Initialize, then list tools, then call one (curl)
+
+```bash
+HOST=mcp.s1.internal
+TOKEN='your-bearer-token-here'
+
+# 1. initialize (required first call per spec; advertises protocol version and capabilities)
+curl -s -X POST "https://$HOST/mcp" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+        "jsonrpc": "2.0",
+        "id": 1,
+        "method": "initialize",
+        "params": {
+          "protocolVersion": "2024-11-05",
+          "capabilities": {},
+          "clientInfo": { "name": "my-script", "version": "1.0" }
+        }
+      }'
+# -> {"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2024-11-05","capabilities":{...},"serverInfo":{...}}}
+
+# 2. list every tool the server exposes
+curl -s -X POST "https://$HOST/mcp" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}' \
+  | jq '.result.tools | length'
+# -> 26
+
+# 3. call a tool (here: list custom detection rules with the mandatory isLegacy=false)
+curl -s -X POST "https://$HOST/mcp" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+        "jsonrpc": "2.0",
+        "id": 3,
+        "method": "tools/call",
+        "params": {
+          "name": "s1_api_get",
+          "arguments": {
+            "path": "/web/api/v2.1/cloud-detection/rules",
+            "params": { "isLegacy": false, "limit": 50 }
+          }
+        }
+      }' \
+  | jq '.result.content[0].text | fromjson | .pagination.totalItems'
+```
+
+### Python (requests)
+
+```python
+import json
+import requests
+
+URL    = "https://mcp.s1.internal/mcp"
+TOKEN  = "your-bearer-token-here"
+HEADERS = {
+    "Authorization": f"Bearer {TOKEN}",
+    "Content-Type":  "application/json",
+}
+
+def rpc(method, params=None, id=1):
+    body = {"jsonrpc": "2.0", "id": id, "method": method}
+    if params is not None:
+        body["params"] = params
+    r = requests.post(URL, headers=HEADERS, json=body, timeout=30)
+    r.raise_for_status()
+    return r.json()
+
+# initialize once per session
+rpc("initialize", {
+    "protocolVersion": "2024-11-05",
+    "capabilities": {},
+    "clientInfo": {"name": "python-client", "version": "1.0"},
+}, id=0)
+
+# list tools
+tools = rpc("tools/list", id=1)["result"]["tools"]
+print(f"{len(tools)} tools available")
+
+# call a tool
+resp = rpc("tools/call", {
+    "name": "powerquery_run",
+    "arguments": {
+        "query": "dataSource.name=* | group count=count() by dataSource.name | sort -count | limit 10",
+        "hours": 24,
+    },
+}, id=2)
+
+# Tool results live in result.content[0].text as a JSON string.
+payload = json.loads(resp["result"]["content"][0]["text"])
+print(json.dumps(payload, indent=2))
+```
+
+### Node (built-in fetch, Node 18+)
+
+```javascript
+const URL    = 'https://mcp.s1.internal/mcp';
+const TOKEN  = process.env.MCP_BEARER;
+
+async function rpc(method, params, id = 1) {
+  const body = { jsonrpc: '2.0', id, method };
+  if (params !== undefined) body.params = params;
+  const res = await fetch(URL, {
+    method:  'POST',
+    headers: {
+      'Authorization': `Bearer ${TOKEN}`,
+      'Content-Type':  'application/json',
+    },
+    body: JSON.stringify(body),
+  });
+  if (!res.ok) throw new Error(`HTTP ${res.status}: ${await res.text()}`);
+  return res.json();
+}
+
+await rpc('initialize', {
+  protocolVersion: '2024-11-05',
+  capabilities: {},
+  clientInfo: { name: 'node-client', version: '1.0' },
+}, 0);
+
+const { result } = await rpc('tools/list', null, 1);
+console.log(`${result.tools.length} tools available`);
+
+const call = await rpc('tools/call', {
+  name: 'uam_list_alerts',
+  arguments: { first: 20, status: 'NEW' },
+}, 2);
+console.log(JSON.parse(call.result.content[0].text));
+```
+
+### JSON-RPC envelope shapes
+
+**Success response:**
+
+```json
+{
+  "jsonrpc": "2.0",
+  "id": 2,
+  "result": { ... method-specific payload ... }
+}
+```
+
+**Error response:**
+
+```json
+{
+  "jsonrpc": "2.0",
+  "id": 2,
+  "error": {
+    "code": -32602,
+    "message": "Tool not found: bad_tool_name"
+  }
+}
+```
+
+**Notifications** (one-way messages with no `id`, e.g. `notifications/initialized`):
+
+```bash
+curl -i -s -X POST "https://$HOST/mcp" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"jsonrpc":"2.0","method":"notifications/initialized"}'
+# -> HTTP/2 202 (no body, per JSON-RPC spec)
+```
+
+### Error codes you'll actually see
+
+| HTTP | JSON-RPC code | Meaning |
+|---|---|---|
+| 200 | (none, has `result`) | Success |
+| 200 | `-32601` | Method not found (e.g. typo in method name) |
+| 200 | `-32602` | Invalid params (tool not found, missing required arg) |
+| 200 | `-32603` | Tool handler threw — upstream S1 API error usually |
+| 400 | `-32700` | Parse error (malformed JSON body) |
+| 400 | `-32600` | Invalid request (e.g. JSON-RPC batch — not supported) |
+| 401 | `-32001` | Missing or invalid bearer token |
+| 405 | (none) | Wrong HTTP method on `/mcp` (only POST is accepted) |
+| 413 | `-32600` | Body exceeds 4 MB |
+
+### Tool inputs and outputs
+
+Every tool's input schema is documented in the `tools/list` response (look at the `inputSchema` JSON Schema on each tool). The response shape is always:
+
+```json
+{
+  "content": [
+    { "type": "text", "text": "<JSON-encoded result>" }
+  ],
+  "isError": false
+}
+```
+
+Parse `content[0].text` as JSON to get the actual data the tool returned. Tool-level errors set `isError: true` and put the error text in the same field.
+
 ## CLI reference
 
 ```
@@ -208,7 +457,7 @@ sentinelone-mcp/
     auth.js                   Bearer token allowlist with SIGHUP reload
     credentials.js            S1 + SDL credential resolution
     s1.js                     Mgmt REST + LRQ PowerQuery + Purple AI + UAM GraphQL
-    sdl.js                    SDL config files + V1 query + uploadLogs
+    sdl.js                    SDL config files + V1 query
     uam-ingest.js             HEC alert/indicator ingestion
   tools/
     powerquery.js             PowerQuery enumerate/run/schema-discover
@@ -236,7 +485,6 @@ sentinelone-mcp/
 | UAM GraphQL | `Authorization: ApiToken <jwt>` | `S1_CONSOLE_API_TOKEN` |
 | UAM HEC ingest | `Authorization: Bearer <jwt>` | `S1_CONSOLE_API_TOKEN` |
 | SDL config ops | `Authorization: Bearer <key>` | `SDL_CONFIG_WRITE_KEY` or console JWT |
-| SDL uploadLogs | `Authorization: Bearer <key>` | `SDL_LOG_WRITE_KEY` only (console JWT rejected) |
 
 ## Testing
 

package/deploy/README.md

@@ -28,7 +28,6 @@ Then edit `~/.config/sentinelone/credentials.json` with your real values:
   "S1_HEC_INGEST_URL":    "https://ingest.us1.sentinelone.net",
   "SDL_XDR_URL":          "https://xdr.us1.sentinelone.net",
   "SDL_LOG_READ_KEY":     "...",
-  "SDL_LOG_WRITE_KEY":    "...",
   "SDL_CONFIG_READ_KEY":  "...",
   "SDL_CONFIG_WRITE_KEY": "..."
 }
@@ -256,6 +255,96 @@ curl -s http://127.0.0.1:8765/healthz   # behind the proxy
 curl -s https://mcp.s1.internal/healthz # in front of the proxy
 ```
 
+## Connecting Claude Desktop to a remote MCP
+
+Claude Desktop's `claude_desktop_config.json` only accepts stdio-based MCP servers in current stable builds; the `type: "http"` form gets rejected with "not valid MCP server configuration" on load. To connect Claude Desktop to your VM's HTTPS endpoint, use the bridge script shipped in this repo at [`bridge/sentinelone-mcp-bridge.mjs`](./bridge/sentinelone-mcp-bridge.mjs) — a 40-line zero-dependency Node script that translates Claude Desktop's stdio into POST requests against the MCP HTTP endpoint.
+
+Each team member drops the script anywhere on their machine (typically `~/.local/bin/sentinelone-mcp-bridge.mjs`) and points Claude Desktop at it:
+
+```json
+{
+  "mcpServers": {
+    "sentinelone-mcp": {
+      "command": "node",
+      "args": ["/Users/<you>/.local/bin/sentinelone-mcp-bridge.mjs"],
+      "env": {
+        "MCP_URL":    "https://mcp.s1.internal/mcp",
+        "MCP_BEARER": "<your personal bearer token>"
+      }
+    }
+  }
+}
+```
+
+Then Cmd+Q and reopen Claude Desktop. See [`bridge/README.md`](./bridge/README.md) for install, smoke-test, and troubleshooting steps. Claude Cowork users can keep using the native `type: "http"` config (it supports remote HTTP MCPs in current builds) — only Claude Desktop needs the bridge.
+
+## AWS-specific gotchas
+
+Five things that bit during real deployment to an EC2 instance. None are blockers, but knowing them up front saves hours.
+
+### EC2 public DNS is unstable without an Elastic IP
+
+Stopping and starting an instance assigns a new public IPv4 address and a new public DNS name (`ec2-<new-ip>.<region>.compute.amazonaws.com`). Every ACME-issued cert, every `claude_desktop_config.json`, and every Caddyfile that referenced the old hostname breaks. Allocate an Elastic IP in EC2 → Elastic IPs → Allocate → Associate before issuing certs. Free while attached to a running instance.
+
+The instance's `*.compute.internal` DNS name (e.g. `ip-172-31-7-227.ap-southeast-2.compute.internal`) is the VPC-internal name and is **not** reachable from outside the VPC. It can't be used for ACME validation or for clients on the public internet.
+
+### Let's Encrypt refuses `*.amazonaws.com` by policy
+
+If you try to issue a cert for the EC2 public DNS, LE returns:
+
+```
+HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier
+The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy
+```
+
+Caddy auto-falls back to **ZeroSSL** (also free, also publicly trusted, no policy block on `amazonaws.com`). Use the email-shorthand form `tls <email>` and Caddy handles the fallback transparently. The right end state is a cert with `issuer=ZeroSSL ECC DV SSL CA 2` — verify with:
+
+```bash
+echo | openssl s_client -connect $HOST:8764 -servername $HOST 2>/dev/null \
+  | grep -E "^(issuer=|verify return code)"
+```
+
+For long-term peace of mind, use a real domain instead (Route 53 A record pointing at the Elastic IP) — both LE and ZeroSSL issue without restriction and the hostname survives instance replacement.
+
+### Caddyfile: don't mix `tls` shorthand with `issuer acme` block
+
+```caddyfile
+# WRONG — Caddy errors: "cannot mix issuer subdirective with other issuer-specific subdirectives"
+tls prithvi@example.com {
+    issuer acme {
+        disable_http_challenge
+    }
+}
+```
+
+The shorthand `tls <email>` implicitly configures an ACME issuer. Combining it with an explicit `issuer acme { ... }` block conflicts. Pick one form:
+
+```caddyfile
+# Form 1: shorthand (requires port 80 open for HTTP-01)
+tls prithvi@example.com
+
+# Form 2: explicit block (gives you knobs like disable_http_challenge)
+tls {
+    issuer acme {
+        email prithvi@example.com
+        disable_http_challenge
+    }
+}
+```
+
+### `tls internal` produces a Caddy CA cert, not a public one
+
+If you see ACME succeed in milliseconds rather than ~10-30 seconds, look at the cert: it was likely issued by Caddy's local CA, not by an external ACME server. The give-aways are an instant log line and `no OCSP server specified in certificate` warnings (public CAs always embed OCSP URLs). `tls internal` is fine for private-network deployments with cert distribution to clients, but doesn't help when you want public trust.
+
+### systemd hardening that breaks Node V8 JIT
+
+The hardened service file we ship omits two systemd directives that would otherwise be useful:
+
+- `MemoryDenyWriteExecute=true`
+- `LockPersonality=true`
+
+Both block the W+X memory mappings V8 needs to JIT JavaScript. Adding them causes the service to silently SIGTRAP at startup with `Result: core-dump` and ~5 MB peak memory — no useful log output. If you customize the unit, leave both off.
+
 ## Troubleshooting
 
 | Symptom | Likely cause | Fix |

package/deploy/bridge/README.md

@@ -0,0 +1,93 @@
+# Claude Desktop bridge for the remote MCP
+
+A small stdio↔HTTPS proxy so Claude Desktop can talk to a team-shared `sentinelone-mcp` server running on a VM. Each team member runs the bridge on their own machine; the bridge sends bearer-authed POSTs to the shared MCP endpoint.
+
+## Why this exists
+
+Claude Desktop's `claude_desktop_config.json` only accepts stdio-based MCP servers in current stable builds. Adding a remote server via `type: "http"` gets rejected with "not valid MCP server configuration". The bridge wraps the remote HTTPS endpoint as a local stdio process, which Claude Desktop accepts.
+
+Claude Cowork and Claude Code don't need this — both support `type: "http"` natively.
+
+## What's in the box
+
+- [`sentinelone-mcp-bridge.mjs`](./sentinelone-mcp-bridge.mjs) — the script. 40 lines, zero external dependencies. Requires Node.js 18+ (uses the built-in `fetch`).
+
+## Install (per team member, one-time)
+
+```bash
+# Download the script
+mkdir -p ~/.local/bin
+curl -fsSL https://raw.githubusercontent.com/pmoses-s1/claude-skills/main/sentinelone-mcp/deploy/bridge/sentinelone-mcp-bridge.mjs \
+  -o ~/.local/bin/sentinelone-mcp-bridge.mjs
+chmod +x ~/.local/bin/sentinelone-mcp-bridge.mjs
+
+# Confirm Node is on PATH
+node --version   # must be 18.0.0 or newer
+```
+
+## Configure Claude Desktop
+
+Edit `~/Library/Application Support/Claude/claude_desktop_config.json` on macOS, or `%APPDATA%\Claude\claude_desktop_config.json` on Windows. Add the `sentinelone-mcp` block:
+
+```json
+{
+  "mcpServers": {
+    "sentinelone-mcp": {
+      "command": "node",
+      "args": ["/Users/<you>/.local/bin/sentinelone-mcp-bridge.mjs"],
+      "env": {
+        "MCP_URL":    "https://mcp.s1.internal/mcp",
+        "MCP_BEARER": "<your personal bearer token>"
+      }
+    }
+  }
+}
+```
+
+`MCP_URL` is whatever URL your team's admin gave you (it should end in `/mcp`). `MCP_BEARER` is your personal bearer token from `/etc/sentinelone-mcp/bearer-tokens.json` on the VM.
+
+Quit Claude Desktop fully (Cmd+Q on macOS, not just close the window) and reopen. The 26 tools should appear in the tools list.
+
+## Smoke test (without Claude Desktop)
+
+```bash
+export MCP_URL='https://mcp.s1.internal/mcp'
+export MCP_BEARER='<your token>'
+
+# initialize round trip
+echo '{"jsonrpc":"2.0","id":0,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"cli","version":"1"}}}' \
+  | node ~/.local/bin/sentinelone-mcp-bridge.mjs
+
+# tools/list (should return 26)
+echo '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' \
+  | node ~/.local/bin/sentinelone-mcp-bridge.mjs \
+  | python3 -c 'import sys,json; print(len(json.load(sys.stdin)["result"]["tools"]), "tools")'
+```
+
+## Troubleshooting
+
+| Symptom | Likely cause | Fix |
+|---|---|---|
+| Claude Desktop log: `MCP error -32001: Request timed out` | `MCP_URL` unreachable or wrong path | `curl -sS $MCP_URL` from the same machine. Confirm the URL ends with `/mcp`. |
+| `fetch error: ... UNABLE_TO_GET_ISSUER_CERT_LOCALLY` | Server is using a private CA (e.g. `tls internal`); Node doesn't read the system keychain | Use a publicly-trusted cert on the server (Let's Encrypt or ZeroSSL). See [../README.md#aws-specific-gotchas](../README.md#aws-specific-gotchas). |
+| `bridge fetch error: ... ENOTFOUND` | DNS doesn't resolve `MCP_URL` host | Verify with `nslookup` or `dig`. If using an AWS public DNS, it may have changed; re-check the EC2 console. |
+| 401 from upstream in the log | Wrong / revoked bearer token | Ask the admin for a fresh token; replace `MCP_BEARER`. |
+| Bridge starts but Claude Desktop times out | Node version too old | `node --version` — need 18+. Built-in fetch was added in 18. |
+
+## How it works
+
+```
++----------------+          stdio JSON-RPC          +--------+        HTTPS POST /mcp        +------+
+| Claude Desktop | <------------------------------> | bridge | <---------------------------> | VM   |
++----------------+                                  +--------+   Bearer auth, JSON in/out    +------+
+```
+
+The bridge reads one JSON-RPC message per line from stdin, POSTs it to `MCP_URL` with the `Authorization: Bearer <token>` header, and writes the JSON-RPC reply to stdout. JSON-RPC notifications (messages with no `id`) get no reply, matching the spec. Errors get translated to a JSON-RPC error envelope so Claude Desktop sees something useful instead of a hung process.
+
+There is no session state, no buffering, and no SDK dependency — it's just stdin → fetch → stdout.
+
+## Security notes
+
+- The bearer token is stored in plaintext in `claude_desktop_config.json`. Treat that file as a secret on each laptop.
+- Rotate bearer tokens by editing `/etc/sentinelone-mcp/bearer-tokens.json` on the VM (see [../README.md#day-2-operations](../README.md#day-2-operations)) and reissuing the new value to each team member.
+- TLS verification uses Node's bundled CA store. For privately-issued certs, set `NODE_EXTRA_CA_CERTS=/path/to/root.pem` in the `env` block. Better: use a publicly-trusted cert on the server so no client-side trust is needed.

package/deploy/bridge/sentinelone-mcp-bridge.mjs

@@ -0,0 +1,104 @@
+#!/usr/bin/env node
+/**
+ * Tiny stdio -> HTTPS bridge for the SentinelOne MCP server running on a VM.
+ *
+ * Why this exists:
+ *   Claude Desktop's stable claude_desktop_config.json only accepts stdio-based
+ *   MCP servers; the type:"http" form is rejected. This bridge translates
+ *   Claude Desktop's stdio JSON-RPC into POSTs against the MCP HTTP endpoint,
+ *   so a single shared HTTPS MCP can serve a whole team's Claude Desktops.
+ *
+ * Required environment:
+ *   MCP_URL     full HTTPS endpoint, e.g. https://mcp.s1.internal/mcp
+ *   MCP_BEARER  bearer token (no "Bearer " prefix; the script adds it)
+ *
+ * Optional:
+ *   none. Zero external dependencies. Requires Node.js 18+ for built-in fetch.
+ *
+ * Configure Claude Desktop:
+ *   {
+ *     "mcpServers": {
+ *       "sentinelone-mcp": {
+ *         "command": "node",
+ *         "args": ["/Users/<you>/.local/bin/sentinelone-mcp-bridge.mjs"],
+ *         "env": {
+ *           "MCP_URL":    "https://mcp.s1.internal/mcp",
+ *           "MCP_BEARER": "<your bearer token>"
+ *         }
+ *       }
+ *     }
+ *   }
+ *
+ * Smoke test:
+ *   MCP_URL=... MCP_BEARER=... bash -c '
+ *     echo "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/list\"}" \
+ *     | node sentinelone-mcp-bridge.mjs'
+ *   # -> JSON-RPC response with 26 tools in result.tools[]
+ */
+
+import { createInterface } from 'node:readline';
+
+const URL    = process.env.MCP_URL    || (() => { throw new Error('MCP_URL not set'); })();
+const BEARER = process.env.MCP_BEARER || (() => { throw new Error('MCP_BEARER not set'); })();
+
+const log = (...a) => process.stderr.write('[bridge] ' + a.join(' ') + '\n');
+
+log('starting; target', URL);
+
+const rl = createInterface({ input: process.stdin, terminal: false });
+
+let inFlight = 0;
+let stdinClosed = false;
+function maybeExit() {
+  if (stdinClosed && inFlight === 0) {
+    log('all requests complete, exiting');
+    process.exit(0);
+  }
+}
+
+rl.on('line', async (line) => {
+  const raw = line.trim();
+  if (!raw) return;
+
+  let msg;
+  try { msg = JSON.parse(raw); }
+  catch (e) { log('bad json from stdin:', e.message); return; }
+
+  const isNotification = msg.id === undefined;
+
+  inFlight++;
+  try {
+    const res = await fetch(URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${BEARER}`,
+        'Accept': 'application/json',
+      },
+      body: raw,
+    });
+
+    if (isNotification) return;
+
+    const text = await res.text();
+    if (!res.ok) log(`HTTP ${res.status} from upstream: ${text.slice(0, 200)}`);
+    process.stdout.write(text.trimEnd() + '\n');
+  } catch (e) {
+    const cause = e.cause ? ` cause=${e.cause.code || e.cause.message || JSON.stringify(e.cause)}` : '';
+    log('fetch error:', e.message, cause);
+    if (!isNotification) {
+      process.stdout.write(JSON.stringify({
+        jsonrpc: '2.0',
+        id: msg.id ?? null,
+        error: { code: -32603, message: `bridge fetch error: ${e.message}${cause}` },
+      }) + '\n');
+    }
+  } finally {
+    inFlight--;
+    maybeExit();
+  }
+});
+
+rl.on('close', () => { log('stdin closed, draining...'); stdinClosed = true; maybeExit(); });
+process.on('SIGINT', () => process.exit(0));
+process.on('SIGTERM', () => process.exit(0));

package/deploy/caddy/Caddyfile.example

@@ -9,6 +9,17 @@
 #        tls /path/to/cert.pem /path/to/key.pem
 #                          Bring your own cert from an internal PKI.
 #
+# AWS users: Let's Encrypt refuses to issue for *.amazonaws.com hostnames by
+# policy. When you use the `tls <email>` shorthand, Caddy automatically falls
+# back to ZeroSSL (also free, also publicly trusted, no policy block). The
+# end-state cert should have `issuer=ZeroSSL ECC DV SSL CA 2`. Port 80 must
+# be open in the SG for HTTP-01 to complete.
+#
+# DO NOT mix `tls <email>` with an `issuer acme { ... }` block — Caddy errors
+# with "cannot mix issuer subdirective with other issuer-specific subdirectives".
+# Pick one form: the email shorthand on its own line, OR a full `tls { ... }`
+# block with the email moved inside the `issuer acme` stanza. Not both.
+#
 # Why Caddy and not nginx? Caddy auto-renews certs, has zero config for SSE
 # streaming (flush_interval handled), and is one binary with no system Python
 # or Lua dependency. Equally valid alternative: nginx with the snippet at the

package/deploy/install.sh

@@ -141,7 +141,6 @@ if [[ ! -f "$CRED_PATH" ]]; then
   "S1_HEC_INGEST_URL":    "https://ingest.us1.sentinelone.net",
   "SDL_XDR_URL":          "https://xdr.us1.sentinelone.net",
   "SDL_LOG_READ_KEY":     "",
-  "SDL_LOG_WRITE_KEY":    "",
   "SDL_CONFIG_READ_KEY":  "",
   "SDL_CONFIG_WRITE_KEY": ""
 }

package/deploy/systemd/sentinelone-mcp.service

@@ -29,6 +29,9 @@ Restart=on-failure
 RestartSec=5
 
 # Hardening
+# NOTE: MemoryDenyWriteExecute=true and LockPersonality=true are incompatible
+# with Node.js V8 JIT (W+X mappings). Including them causes a silent SIGTRAP
+# at startup with no useful log output. Leave them off for Node services.
 NoNewPrivileges=true
 PrivateTmp=true
 ProtectSystem=strict
@@ -39,8 +42,6 @@ ProtectControlGroups=true
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
-LockPersonality=true
-MemoryDenyWriteExecute=true
 SystemCallArchitectures=native
 ReadWritePaths=
 

package/index.js

@@ -111,7 +111,6 @@ ENVIRONMENT
                               uam_post_indicators, uam_post_alert.
   SDL_XDR_URL                 SDL tenant URL.
   SDL_LOG_READ_KEY            SDL Log Read key.
-  SDL_LOG_WRITE_KEY           SDL Log Write key. Required for sdl_upload_logs.
   SDL_CONFIG_READ_KEY         SDL Config Read key.
   SDL_CONFIG_WRITE_KEY        SDL Config Write key. Required for sdl_put_file.
   S1_CREDS_FILE               Explicit path to a credentials.json file.

package/lib/credentials.js

@@ -107,7 +107,6 @@ export function getCreds() {
     S1_CONSOLE_API_TOKEN: e('S1_CONSOLE_API_TOKEN') || e('S1_API_TOKEN'),
     S1_HEC_INGEST_URL:    e('S1_HEC_INGEST_URL'),
     SDL_XDR_URL:          e('SDL_XDR_URL') || e('SDL_BASE_URL'),
-    SDL_LOG_WRITE_KEY:    e('SDL_LOG_WRITE_KEY'),
     SDL_CONFIG_WRITE_KEY: e('SDL_CONFIG_WRITE_KEY'),
     SDL_CONFIG_READ_KEY:  e('SDL_CONFIG_READ_KEY'),
     SDL_LOG_READ_KEY:     e('SDL_LOG_READ_KEY'),

package/lib/hec.js

@@ -0,0 +1,128 @@
+/**
+ * HEC (HTTP Event Collector) raw-log ingestion into the SentinelOne AI SIEM
+ * Singularity Data Lake. This is the SDL log-ingestion path and the replacement
+ * for the removed SDL `uploadLogs`. It is NOT UAM ingest: the `uam_*` tools post
+ * OCSF indicators/alerts to /v1/* on the same ingest host, but that is a separate
+ * API and is not connected to HEC.
+ *
+ * Source of truth: S-26.1 User Guide, "Singularity Data Lake > Data Ingestion >
+ * Additional Integrations > HTTP Event Collector (HEC)", p.4723-4726.
+ *   Host      : S1_HEC_INGEST_URL (e.g. https://ingest.us1.sentinelone.net)
+ *   Endpoints : /services/collector/raw   (raw text — recommended for logs)
+ *               /services/collector/event (structured JSON)
+ *   Auth      : Authorization: Bearer <S1_CONSOLE_API_TOKEN> (the same Management Console API token the other tools use)
+ *   Scope     : S1-Scope header is REQUIRED (accountId or accountId:siteId). Without it HEC returns 400 "Missing S1-Scope header".
+ *   Parser    : ?sourcetype=<parserName> query param. Other query params become fields in the UI.
+ *   Pre-parsed: /event with ?isParsed=true indexes already-structured JSON fields directly, with no SDL parser.
+ *   Compress  : optional "Content-Encoding: gzip" (or zstd) — recommended, lowers egress cost.
+ *   Limits    : 10 MB uncompressed per request, 1000 requests/sec, 2 GB/sec per account.
+ */
+
+import { gzipSync } from 'zlib';
+import { getCreds } from './credentials.js';
+
+const MAX_UNCOMPRESSED = 10 * 1024 * 1024; // 10 MB per HEC docs
+
+function hecBase() {
+  const url = (getCreds().S1_HEC_INGEST_URL || '').replace(/\/+$/, '');
+  if (!url) {
+    throw new Error(
+      'S1_HEC_INGEST_URL not configured. Add it to credentials.json ' +
+      '(e.g. "S1_HEC_INGEST_URL": "https://ingest.us1.sentinelone.net"). ' +
+      'Find the regional ingest URL at https://community.sentinelone.com/s/article/000004961'
+    );
+  }
+  return url;
+}
+
+function hecToken() {
+  const tok = getCreds().S1_CONSOLE_API_TOKEN;
+  if (!tok) {
+    throw new Error('S1_CONSOLE_API_TOKEN not configured. HEC uses the same Management Console API token as the Bearer.');
+  }
+  return tok;
+}
+
+function sleep(ms) { return new Promise(r => setTimeout(r, ms)); }
+
+/**
+ * Ingest raw logs/events into SDL via the HEC endpoint.
+ *
+ * @param {string} logContent  Raw text. For /raw, newline-separated lines become separate events.
+ * @param {object} [opts]
+ * @param {string} [opts.parser]    Parser name -> ?sourcetype=
+ * @param {object} [opts.fields]    Extra {key: value} pairs -> query params, each becomes a UI field.
+ *                              Avoid HEC-reserved keys (event, time, host, source, sourcetype, index, fields):
+ *                              HEC interprets those, they are not stored as custom fields. Use `parser` (not a field) to set sourcetype. (S-26.1 HEC docs, p.4708.)
+ * @param {string} opts.scope       REQUIRED. accountId or "accountId:siteId" -> S1-Scope header. HEC returns 400 "Missing S1-Scope header" without it.
+ * @param {('raw'|'event')} [opts.endpoint='raw']
+ * @param {boolean} [opts.compress=true]  gzip the body (Content-Encoding: gzip)
+ * @param {boolean} [opts.isParsed=false] /event only: set ?isParsed=true to index already-structured JSON fields without an SDL parser.
+ * @returns {Promise<{status:number, endpoint:string, url:string, body:any}>}
+ */
+export async function hecIngest(logContent, { parser, fields = {}, scope, endpoint = 'raw', compress = true, isParsed = false } = {}) {
+  if (typeof logContent !== 'string' || logContent.length === 0) {
+    throw new Error('hecIngest: logContent must be a non-empty string.');
+  }
+  if (endpoint !== 'raw' && endpoint !== 'event') {
+    throw new Error("hecIngest: endpoint must be 'raw' or 'event'.");
+  }
+  if (!scope || typeof scope !== 'string') {
+    throw new Error('hecIngest: scope is required. HEC rejects requests without an S1-Scope header (400 "Missing S1-Scope header"). Pass an accountId or "accountId:siteId".');
+  }
+
+  const qs = new URLSearchParams();
+  if (parser) qs.set('sourcetype', parser);
+  for (const [k, v] of Object.entries(fields || {})) qs.set(k, String(v));
+  if (isParsed) qs.set('isParsed', 'true');
+  const query = qs.toString();
+  const url = `${hecBase()}/services/collector/${endpoint}${query ? `?${query}` : ''}`;
+
+  const rawBuf = Buffer.from(logContent, 'utf-8');
+  if (rawBuf.length > MAX_UNCOMPRESSED) {
+    throw new Error(
+      `hecIngest: payload is ${rawBuf.length} bytes, over the 10 MB uncompressed HEC limit. ` +
+      'Split into smaller batches.'
+    );
+  }
+  const body = compress ? gzipSync(rawBuf) : rawBuf;
+
+  const headers = {
+    Authorization: `Bearer ${hecToken()}`,
+    'Content-Type': 'text/plain',
+  };
+  if (compress) headers['Content-Encoding'] = 'gzip';
+  headers['S1-Scope'] = scope;
+
+  let delay = 1000;
+  let lastErr;
+  for (let attempt = 0; attempt <= 3; attempt++) {
+    let res;
+    try {
+      res = await fetch(url, { method: 'POST', headers, body });
+    } catch (err) {
+      lastErr = err;
+      if (attempt === 3) throw err;
+      await sleep(delay);
+      delay = Math.min(delay * 2, 8000);
+      continue;
+    }
+
+    if ((res.status === 429 || res.status >= 500) && attempt < 3) {
+      const retryAfter = res.headers.get('Retry-After');
+      await sleep(retryAfter ? parseInt(retryAfter, 10) * 1000 : delay);
+      delay = Math.min(delay * 2, 8000);
+      continue;
+    }
+
+    const text = await res.text();
+    let data;
+    try { data = JSON.parse(text); } catch { data = text; }
+
+    if (!res.ok) {
+      throw new Error(`HEC POST /services/collector/${endpoint} -> ${res.status}: ${JSON.stringify(data)}`);
+    }
+    return { status: res.status, endpoint, url, body: data };
+  }
+  throw lastErr;
+}

package/lib/sdl.js

@@ -5,7 +5,6 @@
  *   putFile             → config_write_key
  *   getFile / listFiles → config_write_key || config_read_key || console_api_token
  *   V1 query methods    → config_write_key || config_read_key || log_read_key || console_api_token
- *   uploadLogs          → log_write_key  (console token NOT accepted here)
  *
  * All SDL endpoints live at SDL_XDR_URL (e.g. https://xdr.us1.sentinelone.net).
  * The Authorization header is: Bearer <key>
@@ -30,7 +29,6 @@ function pickKey(chain) {
     // Confirmed: SDL_CONFIG_WRITE_KEY does NOT grant "View logs" permission on /api/query.
     // SDL_LOG_READ_KEY must be first in chain for V1 query to succeed.
     log_read:          [c.SDL_LOG_READ_KEY, c.SDL_CONFIG_READ_KEY, c.SDL_CONFIG_WRITE_KEY, c.S1_CONSOLE_API_TOKEN],
-    log_write_strict:  [c.SDL_LOG_WRITE_KEY],  // console token NOT accepted
   };
   const candidates = chains[chain] || chains.config_read;
   const key = candidates.find(k => k);
@@ -117,36 +115,6 @@ export async function deleteFile(path, expectedVersion) {
   return sdlFetch('POST', '/api/putFile', { body, chain: 'config_write' });
 }
 
-// ─── Log ingestion ────────────────────────────────────────────────────────────
-
-/** POST /api/uploadLogs — upload raw text log lines (newline-separated events). */
-export async function uploadLogs(logContent, { parser, serverHost, logfile } = {}) {
-  const extraHeaders = {};
-  if (parser)     extraHeaders['parser']      = parser;
-  if (serverHost) extraHeaders['server-host'] = serverHost;
-  if (logfile)    extraHeaders['logfile']      = logfile;
-
-  const raw = typeof logContent === 'string' ? Buffer.from(logContent, 'utf-8') : logContent;
-  return sdlFetch('POST', '/api/uploadLogs', {
-    chain: 'log_write_strict',
-    rawBody: raw,
-    contentType: 'text/plain',
-    extraHeaders,
-  });
-}
-
-/** POST /api/addEvents — ingest structured events (JSON). */
-export async function addEvents(events, session) {
-  const body = {
-    session: session || `mcp-${Date.now()}`,
-    events: events.map(e => ({
-      ts: e.ts || BigInt(Date.now()) * 1_000_000n,
-      attrs: e.attrs || e,
-    })),
-  };
-  return sdlFetch('POST', '/api/addEvents', { body, chain: 'log_write_strict' });
-}
-
 // ─── V1 Query (schema discovery) ─────────────────────────────────────────────
 // Deprecated Feb 15 2027 but still the only way to get full event JSON per-event.
 // Use for schema discovery; use LRQ for hunting.

package/lib/server-core.js

@@ -156,7 +156,6 @@ export async function dispatch(method, params, id) {
             configured: hasSdlCreds(),
             xdrUrl: c.SDL_XDR_URL || 'NOT SET',
             configWriteKey: !!c.SDL_CONFIG_WRITE_KEY,
-            logWriteKey: !!c.SDL_LOG_WRITE_KEY,
           },
           uamIngestApi: {
             configured: hasHecCreds(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pmoses-s1/sentinelone-mcp",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "MCP server orchestrating SentinelOne skills, APIs, and SOC analyst context. Stdio or Streamable HTTP transport with per-user bearer auth for team deployments.",
   "type": "module",
   "main": "index.js",

package/scripts/regen-readme-tools-table.mjs

@@ -44,7 +44,7 @@ const TOOL_SKILL = {
   sdl_get_file:                  'sentinelone-sdl-api / sdl-dashboard / sdl-log-parser',
   sdl_put_file:                  'sentinelone-sdl-api / sdl-dashboard / sdl-log-parser',
   sdl_delete_file:               'sentinelone-sdl-api',
-  sdl_upload_logs:               'sentinelone-sdl-api / sdl-log-parser',
+  hec_ingest:                    'sentinelone-sdl-api / sdl-log-parser',
   // Hyperautomation
   ha_list_workflows:             'sentinelone-hyperautomation',
   ha_get_workflow:               'sentinelone-hyperautomation',

package/scripts/smoke-test-http.sh

@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+#
+# smoke-test-http.sh -- generic HTTP smoke test for sentinelone-mcp.
+#
+# Exercises the public contract end-to-end:
+#   1. healthz returns 200 (no auth)
+#   2. initialize returns the expected protocol version and server info
+#   3. tools/list returns 26 tools
+#   4. tools/call s1_api_get works (uses /agents/count as a cheap probe)
+#   5. bad bearer returns HTTP 401
+#   6. unknown method returns JSON-RPC error -32601 inside a 200 envelope
+#
+# Useful for new team members verifying their setup, or for re-checking the
+# deployment after a config change, a cert rotation, or an MCP version bump.
+#
+# Run as:
+#   MCP_HOST=mcp.s1.internal:8764 \
+#   MCP_BEARER=your-bearer-token \
+#     bash sentinelone-mcp/scripts/smoke-test-http.sh
+#
+# Or set defaults at the top of the script and run with no args.
+
+set -uo pipefail
+
+HOST="${MCP_HOST:-}"
+TOKEN="${MCP_BEARER:-}"
+
+if [[ -z "$HOST" || -z "$TOKEN" ]]; then
+  cat >&2 <<EOF
+Usage:
+  MCP_HOST=<host:port> MCP_BEARER=<token> bash $0
+
+Both env vars are required.
+EOF
+  exit 2
+fi
+
+for tool in curl jq; do
+  if ! command -v "$tool" >/dev/null 2>&1; then
+    echo "Missing dependency: $tool" >&2
+    exit 3
+  fi
+done
+
+URL="https://$HOST/mcp"
+AUTH="Authorization: Bearer $TOKEN"
+JSON="Content-Type: application/json"
+
+FAILED=0
+fail() { echo "  FAIL: $*" >&2; FAILED=$((FAILED+1)); }
+pass() { echo "  PASS: $*"; }
+
+echo "=== 1. healthz (no auth) ==="
+HEALTHZ_CODE=$(curl -s -o /dev/null -w "%{http_code}" "https://$HOST/healthz")
+[[ "$HEALTHZ_CODE" == "200" ]] && pass "healthz returned 200" || fail "healthz returned $HEALTHZ_CODE (expected 200)"
+
+echo
+echo "=== 2. initialize ==="
+INIT_BODY=$(curl -s -X POST "$URL" -H "$AUTH" -H "$JSON" -d '{
+  "jsonrpc": "2.0",
+  "id": 1,
+  "method": "initialize",
+  "params": {
+    "protocolVersion": "2024-11-05",
+    "capabilities": {},
+    "clientInfo": { "name": "smoke-test", "version": "1" }
+  }
+}')
+PROTO=$(echo "$INIT_BODY" | jq -r '.result.protocolVersion // "missing"')
+NAME=$( echo "$INIT_BODY" | jq -r '.result.serverInfo.name    // "missing"')
+VER=$(  echo "$INIT_BODY" | jq -r '.result.serverInfo.version // "missing"')
+[[ "$PROTO" == "2024-11-05" ]] && pass "protocolVersion=$PROTO" || fail "protocolVersion=$PROTO"
+[[ "$NAME"  == "sentinelone-mcp-server" ]] && pass "serverInfo.name=$NAME" || fail "serverInfo.name=$NAME"
+[[ "$VER" != "missing" ]] && pass "serverInfo.version=$VER" || fail "serverInfo.version missing"
+
+echo
+echo "=== 3. tools/list count ==="
+TOOLS_COUNT=$(curl -s -X POST "$URL" -H "$AUTH" -H "$JSON" \
+  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}' \
+  | jq '.result.tools | length')
+[[ "$TOOLS_COUNT" == "26" ]] && pass "tools/list returned 26 tools" || fail "tools/list returned $TOOLS_COUNT"
+
+echo
+echo "=== 4. tools/call s1_api_get on /agents/count ==="
+AGENTS_TOTAL=$(curl -s -X POST "$URL" -H "$AUTH" -H "$JSON" -d '{
+  "jsonrpc": "2.0",
+  "id": 3,
+  "method": "tools/call",
+  "params": {
+    "name": "s1_api_get",
+    "arguments": { "path": "/web/api/v2.1/agents/count" }
+  }
+}' | jq -r '.result.content[0].text' | jq -r '.data.total // "missing"')
+if [[ "$AGENTS_TOTAL" =~ ^[0-9]+$ ]]; then
+  pass "s1_api_get returned $AGENTS_TOTAL agents"
+else
+  fail "s1_api_get returned data.total=$AGENTS_TOTAL"
+fi
+
+echo
+echo "=== 5. bad bearer (expect HTTP 401) ==="
+BAD_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$URL" \
+  -H "Authorization: Bearer wrong-token-of-sufficient-length-1234567890" -H "$JSON" \
+  -d '{"jsonrpc":"2.0","id":99,"method":"tools/list"}')
+[[ "$BAD_CODE" == "401" ]] && pass "bad bearer rejected with 401" || fail "bad bearer returned $BAD_CODE (expected 401)"
+
+echo
+echo "=== 6. method not found (expect -32601) ==="
+ERR_CODE=$(curl -s -X POST "$URL" -H "$AUTH" -H "$JSON" \
+  -d '{"jsonrpc":"2.0","id":4,"method":"does/not/exist"}' \
+  | jq -r '.error.code // "missing"')
+[[ "$ERR_CODE" == "-32601" ]] && pass "unknown method returned -32601" || fail "unknown method returned code=$ERR_CODE"
+
+echo
+echo "=== Summary ==="
+if [[ "$FAILED" -eq 0 ]]; then
+  echo "All checks passed."
+  exit 0
+else
+  echo "$FAILED check(s) failed."
+  exit 1
+fi

package/tools/mgmt-console.js

@@ -21,11 +21,35 @@
 
 import { apiGet, apiPost, apiPut, apiDelete, apiPatch, purpleAlertSummary, uamListAlerts, uamGetAlert, uamAddNote, uamSetStatus } from '../lib/s1.js';
 
+/**
+ * Defensive normalization for GET /cloud-detection/rules calls.
+ *
+ * Without `isLegacy=false`, the S1 API silently omits queryType="scheduled"
+ * PowerQuery rules from the response — no error, no warning, the response
+ * just lies by omission. Promoting "empty response" to "tenant has zero
+ * scheduled detections" without isLegacy=false is the failure mode this
+ * guard exists to prevent. Exported for unit testing.
+ */
+export function normalizeS1ApiGetParams(path, params) {
+  const p = { ...(params || {}) };
+  if (
+    typeof path === 'string' &&
+    /\/cloud-detection\/rules(\/|\?|$)/.test(path) &&
+    p.isLegacy === undefined &&
+    p.is_legacy === undefined
+  ) {
+    p.isLegacy = false;
+  }
+  return p;
+}
+
 export const tools = [
   // ─── s1_api_get ───────────────────────────────────────────────────────────
   {
     name: 's1_api_get',
-    description: `Generic GET request to the SentinelOne Management Console REST API (v2.1). Use for ALL read operations: listing, counting, and exporting. The S1 API uses GET for every read — listing, counting, and exporting are always GET, never POST. The path should start with /web/api/v2.1/. Returns raw JSON response. For paginated endpoints, use the cursor or skip/limit params. Count examples: path="/web/api/v2.1/agents/count" returns {"data":{"total":N}}; path="/web/api/v2.1/threats" params={"countOnly":true} returns pagination.totalItems. Export example: path="/web/api/v2.1/threats/export" (no extra params). Get agents by IDs: path="/web/api/v2.1/agents" params={"ids":"<id1>,<id2>"} (comma-separated query param).`,
+    description: `Generic GET request to the SentinelOne Management Console REST API (v2.1). Use for ALL read operations: listing, counting, and exporting. The S1 API uses GET for every read — listing, counting, and exporting are always GET, never POST. The path should start with /web/api/v2.1/. Returns raw JSON response. For paginated endpoints, use the cursor or skip/limit params. Count examples: path="/web/api/v2.1/agents/count" returns {"data":{"total":N}}; path="/web/api/v2.1/threats" params={"countOnly":true} returns pagination.totalItems. Export example: path="/web/api/v2.1/threats/export" (no extra params). Get agents by IDs: path="/web/api/v2.1/agents" params={"ids":"<id1>,<id2>"} (comma-separated query param).
+
+⚠️ CLOUD-DETECTION RULES — MANDATORY isLegacy=false: For ANY GET on /cloud-detection/rules (listing, name search, queryType filter, scope filter) you MUST pass params.isLegacy=false. Without it the API silently omits queryType="scheduled" PowerQuery rules and returns only events-type rules — there is no error, no warning, the response just lies by omission. This handler auto-injects isLegacy=false when it sees a /cloud-detection/rules path and the caller forgot it, but always pass it explicitly so it shows up in audit logs. Promoting "empty response" to "tenant has zero scheduled detections" without isLegacy=false is the failure mode this guard exists to prevent.`,
     inputSchema: {
       type: 'object',
       properties: {
@@ -35,14 +59,17 @@ export const tools = [
         },
         params: {
           type: 'object',
-          description: 'Query string parameters as key-value pairs, e.g. {"limit": 20, "sortBy": "createdAt"}.',
+          description: 'Query string parameters as key-value pairs, e.g. {"limit": 20, "sortBy": "createdAt"}. For /cloud-detection/rules listings ALWAYS include {"isLegacy": false}; the handler auto-injects it as a safety net but explicit is better.',
           additionalProperties: true,
         },
       },
       required: ['path'],
     },
     async handler({ path, params = {} }) {
-      const result = await apiGet(path, params);
+      // Safety net: /cloud-detection/rules silently hides scheduled
+      // PowerQuery rules unless isLegacy=false is passed.
+      const normalized = normalizeS1ApiGetParams(path, params);
+      const result = await apiGet(path, normalized);
       return JSON.stringify(result, null, 2);
     },
   },

package/tools/sdl-api.js

@@ -6,10 +6,11 @@
  *   sdl_get_file       Get file content and version (parsers, dashboards, alerts, lookups)
  *   sdl_put_file       Deploy or update a config file (with optimistic locking)
  *   sdl_delete_file    Delete a config file
- *   sdl_upload_logs    Upload raw log events to SDL (requires Log Write key)
+ *   hec_ingest         Ingest raw logs/events into SDL via the HEC endpoint (replaces uploadLogs)
  */
 
-import { listFiles, getFile, putFile, deleteFile, uploadLogs } from '../lib/sdl.js';
+import { listFiles, getFile, putFile, deleteFile } from '../lib/sdl.js';
+import { hecIngest } from '../lib/hec.js';
 
 export const tools = [
   // ─── sdl_list_files ───────────────────────────────────────────────────────
@@ -99,34 +100,25 @@ export const tools = [
     },
   },
 
-  // ─── sdl_upload_logs ──────────────────────────────────────────────────────
+  // ─── hec_ingest ─────────────────────────────────────────────────────────────
   {
-    name: 'sdl_upload_logs',
-    description: `Upload raw log events to SDL via the uploadLogs endpoint (plain text, newline-separated). Used for ingesting custom telemetry, testing parsers, and one-off log imports. Requires an SDL Log Write Access key (SDL_LOG_WRITE_KEY) — the console JWT is NOT accepted for this endpoint. Max 6 MB per request, 10 GB per day. Pair with a parser at logfile= to apply field extraction.`,
+    name: 'hec_ingest',
+    description: `Ingest raw logs/events into the SentinelOne AI SIEM Singularity Data Lake via the HEC (HTTP Event Collector) endpoint. Applies a named parser via ?sourcetype and lands the data in the Data Lake for Event Search, PowerQuery, and detection rules. Replaces the removed sdl_upload_logs. NOT UAM ingest (the uam_* tools post OCSF indicators/alerts to /v1/* on the same host but a separate API). Per S-26.1 HEC docs: POST {S1_HEC_INGEST_URL}/services/collector/raw, Authorization: Bearer <S1_CONSOLE_API_TOKEN>, query params become fields, gzip recommended, 10 MB uncompressed per request.`,
     inputSchema: {
       type: 'object',
       properties: {
-        logContent: {
-          type: 'string',
-          description: 'Raw log text, newline-separated. Each line becomes a separate SDL event.',
-        },
-        parser: {
-          type: 'string',
-          description: 'Parser name to apply to the uploaded events (matches the "parser" header). Omit to use the default parser.',
-        },
-        logfile: {
-          type: 'string',
-          description: 'Logical logfile identifier sent as the "logfile" header, e.g. "myapp/access.log". Used by parsers to route events.',
-        },
-        serverHost: {
-          type: 'string',
-          description: 'Source host name, sent as the "server-host" header.',
-        },
+        logContent: { type: 'string', description: 'Raw log text. For the /raw endpoint, newline-separated lines become separate events.' },
+        parser: { type: 'string', description: 'Parser name, sent as the ?sourcetype= query param. Omit to skip parsing (structured JSON on /event auto-parses).' },
+        fields: { type: 'object', description: 'Extra key-value pairs sent as query params; each key becomes a field in the UI, e.g. {"server":"dev","region":"ap1"}. Avoid HEC-reserved names (event, time, host, source, sourcetype, index, fields) as keys; use the parser arg to set sourcetype.' },
+        scope: { type: 'string', description: 'REQUIRED. accountId or "accountId:siteId" sent as the S1-Scope header; HEC rejects requests without it (400 "Missing S1-Scope header").' },
+        endpoint: { type: 'string', enum: ['raw','event'], description: "HEC endpoint: 'raw' (default, raw text) or 'event' (structured JSON)." },
+        compress: { type: 'boolean', description: 'gzip the body (Content-Encoding: gzip). Default true.' },
+        isParsed: { type: 'boolean', description: 'For /event with structured JSON: set ?isParsed=true so SDL indexes the JSON fields directly, with no SDL parser. Confirmed working.' },
       },
-      required: ['logContent'],
+      required: ['logContent', 'scope'],
     },
-    async handler({ logContent, parser, logfile, serverHost }) {
-      const result = await uploadLogs(logContent, { parser, logfile, serverHost });
+    async handler({ logContent, parser, fields, scope, endpoint, compress, isParsed }) {
+      const result = await hecIngest(logContent, { parser, fields, scope, endpoint, compress, isParsed });
       return JSON.stringify(result, null, 2);
     },
   },