SentinelOne Purple AI
Overview
Purple AI is SentinelOne's natural language cybersecurity assistant built into the Singularity platform. Through the purple_ai MCP tool, you can ask investigative questions in plain English and receive threat analysis, PowerQuery strings for hunting, MITRE ATT&CK TTP mappings, and contextual security intelligence. Purple AI understands the full SentinelOne telemetry model and can reason across endpoints, cloud workloads, identities, and network data.
Purple AI is the primary starting point for any investigation -- describe what you want to find and it will generate the appropriate PowerQuery or provide analysis. It is read-only and cannot take any remediation actions.
MCP Tools
Available Tools
| Tool | Description | Key Parameters |
|---|---|---|
purple_ai | Natural language cybersecurity assistant | query (required) - natural language investigation prompt |
Using purple_ai
Call purple_ai with a natural language query describing what you want to investigate:
Example: Investigate suspicious PowerShell activity:
purple_aiwithquery="Find PowerShell processes that have established network connections to external IP addresses in the last 24 hours"
Example: Generate a threat hunting query:
purple_aiwithquery="I need to find evidence of lateral movement using PsExec or WMI across managed endpoints"
Example: MITRE ATT&CK analysis:
purple_aiwithquery="What MITRE ATT&CK techniques are associated with recent alert activity?"
Key Concepts
Natural Language Investigation
Purple AI interprets natural language descriptions of threats, behaviors, and investigation goals. The key to effective use is describing what you want to find, not how to query for it.
Good prompts:
- "Find processes that are connecting to known C2 infrastructure"
- "Show me evidence of credential dumping on Windows endpoints"
- "Are there any endpoints where LSASS memory was accessed by unusual processes?"
- "Find PowerShell scripts that download and execute content from the internet"
Avoid:
- "Generate a PowerQuery for..." (Purple AI works better when you describe the threat, not the output format)
- "SELECT * FROM..." (Purple AI does not use SQL)
- Overly generic requests like "Show me everything suspicious"
PowerQuery Generation
Purple AI frequently returns PowerQuery strings as part of its response. These queries can then be executed against the Singularity Data Lake using the powerquery tool. The typical workflow is:
- Ask Purple AI a natural language question
- Purple AI returns analysis and one or more PowerQuery strings
- Execute the PowerQuery with the
powerquerytool - Analyze the results
MITRE ATT&CK Integration
Purple AI maps threats and behaviors to the MITRE ATT&CK framework:
| Category | Examples |
|---|---|
| Initial Access | Phishing, drive-by compromise, supply chain |
| Execution | PowerShell, command-line, scripting engines |
| Persistence | Registry run keys, scheduled tasks, services |
| Privilege Escalation | Token manipulation, UAC bypass |
| Defense Evasion | Process injection, timestomping, obfuscation |
| Credential Access | LSASS dump, Kerberoasting, brute force |
| Discovery | Network scanning, account enumeration |
| Lateral Movement | PsExec, WMI, RDP, SMB |
| Collection | Data staging, clipboard capture |
| Command & Control | Beaconing, DNS tunneling, encrypted channels |
| Exfiltration | Data compression, exfil over C2 |
| Impact | Encryption (ransomware), data destruction |
What Purple AI Is NOT For
Purple AI is an investigative assistant. It does not:
- Modify alert status or assignments
- Quarantine or isolate endpoints
- Block threats or take response actions
- Replace the
list_alerts,get_alert, or other specific tools for structured data retrieval - Execute PowerQuery -- use the
powerquerytool for execution
For active alert management, use the alert tools (list_alerts, get_alert, etc.). For running queries against the Data Lake, use the powerquery tool.
Common Investigation Queries
Endpoint Threats
| Investigation | Purple AI Query |
|---|---|
| Suspicious PowerShell | "Find PowerShell processes connecting to external IP addresses on non-standard ports" |
| LOLBIN Activity | "Show me Living-off-the-Land Binary activity like certutil, mshta, or regsvr32 downloading files" |
| Process Lineage | "Trace the parent process chain for any suspicious child processes of explorer.exe" |
| Ransomware Indicators | "Find evidence of mass file encryption or modification of shadow copies" |
| Fileless Malware | "Detect processes running entirely from memory without a backing file on disk" |
Lateral Movement
| Investigation | Purple AI Query |
|---|---|
| PsExec Usage | "Detect PsExec or similar remote execution tools being used across the network" |
| WMI Remote Exec | "Find WMI-based remote process creation events" |
| RDP Anomalies | "Show unusual RDP connections, especially from endpoints that don't normally use RDP" |
| SMB Lateral | "Find SMB connections followed by service creation on remote hosts" |
| Pass-the-Hash | "Detect NTLM authentication attempts that may indicate pass-the-hash attacks" |
Credential Access
| Investigation | Purple AI Query |
|---|---|
| LSASS Access | "Find processes accessing LSASS memory, excluding known legitimate tools" |
| Kerberoasting | "Detect Kerberos TGS requests for service accounts that may indicate Kerberoasting" |
| Credential Files | "Find access to files commonly containing credentials like SAM, NTDS.dit, or browser credential stores" |
| Brute Force | "Show accounts with failed login attempts exceeding 10 in the last hour" |
Command & Control
| Investigation | Purple AI Query |
|---|---|
| Beaconing | "Detect periodic outbound connections that may indicate C2 beaconing behavior" |
| DNS Tunneling | "Find DNS queries with unusually long subdomain names or high query volumes to a single domain" |
| Encoded Traffic | "Show processes making HTTPS connections to recently registered domains" |
| Non-Standard Ports | "Find outbound connections on unusual ports from common applications" |
Data Exfiltration
| Investigation | Purple AI Query |
|---|---|
| Large Transfers | "Detect large outbound data transfers exceeding 100MB to external destinations" |
| Archive Creation | "Find creation of compressed archives (zip, rar, 7z) followed by network activity" |
| Cloud Upload | "Show uploads to cloud storage services like Dropbox, Google Drive, or OneDrive from unauthorized endpoints" |
| Staging | "Detect files being copied to a common staging directory before exfiltration" |
Phishing
| Investigation | Purple AI Query |
|---|---|
| Phishing Artifacts | "Find Outlook or browser processes spawning PowerShell, cmd, or script interpreters" |
| Macro Execution | "Detect Office applications launching child processes that indicate macro execution" |
| Link Clicks | "Show browser navigations to newly registered or low-reputation domains from email link clicks" |
Response Examples
Purple AI Response (PowerQuery Generated):
Based on your investigation, I've generated a PowerQuery to find PowerShell
processes with external network connections:
EventType = "IP Connect" AND SrcProcName = "powershell.exe" AND
NetConnStatus = "SUCCESS" AND NOT DstIP In ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
| columns EndpointName, SrcProcName, SrcProcCmdLine, DstIP, DstPort, EventTime
| sort -EventTime
| limit 100
This query looks for:
- Process: powershell.exe
- Event: Successful IP connections
- Destination: External IPs (excluding RFC 1918 private ranges)
MITRE ATT&CK Mapping:
- T1059.001 - Co