SCENARIO
Security Operations Centers (SOCs) face overwhelming alert volumes, complex threat investigations, and resource constraints. Analysts spend hours writing Deep Visibility queries, correlating events across multiple data sources, and drafting investigation reports. Manual threat hunting requires specialized knowledge of query languages and threat intelligence, creating bottlenecks that delay incident response.
Use this guide when you need to:
- Accelerate threat investigations from hours to minutes using natural language queries
- Automate threat hunting with AI-generated Deep Visibility queries and one-click hunt execution
- Triage high-priority alerts automatically using AI-powered risk scoring and contextual analysis
- Generate investigation reports and executive summaries automatically from threat data
- Query security data across multiple sources (SentinelOne, Zscaler, Okta, Palo Alto, Fortinet, Microsoft 365) with unified natural language interface
- Reduce analyst burnout by offloading repetitive investigation tasks to AI assistant
- Enable junior analysts to perform expert-level threat hunting without deep query language expertise
Business Impact:
- 80% faster threat hunting: Early adopters report executing hunts 80% faster with Purple AI
- 60% breach risk reduction: Focus on high-priority threats reduces likelihood of major breaches by 60%
- Analyst productivity: Automate repetitive tasks, allowing analysts to focus on strategic security improvements
- Skill gap mitigation: Junior analysts can perform expert-level investigations using natural language
- Cost savings: Reduce investigation time from hours to minutes, saving hundreds of analyst hours per year
- Improved detection coverage: AI suggests related hunts and IOCs that analysts might miss manually
SentinelOne Purple AI is a generative AI security analyst that transforms threat investigations and response with one-click hunting, suggested queries, auto-generated reports, and autonomous alert triage.
REQUIREMENTS & ASSUMPTIONS
Prerequisites:
- SentinelOne Singularity Complete license: Purple AI is included with Complete tier
- Console access: Analyst, Admin, or SOC Analyst role with Purple AI permissions
- Console version: Purple AI Athena release or later (2024+)
- Data sources: At least one of the following:
- SentinelOne Deep Visibility (endpoint telemetry)
- Zscaler Zero Trust Exchange
- Okta (identity and access management)
- Palo Alto Networks Firewall
- Proofpoint TAP (email security)
- Fortinet FortiGate
- Microsoft Office 365
License Verification: Check console for Purple AI availability:
Console > Settings > License > Modules: "Purple AI" should be listed
Supported Languages:
- English (primary)
- Spanish, French, German, Italian, Dutch
- Arabic
- Japanese, Korean, Thai, Malay, Indonesian
Data Requirements:
- Minimum retention: 365 days Deep Visibility data (recommended for historical threat hunting)
- Data normalization: Purple AI uses Open Cybersecurity Schema Framework (OCSF) for unified data querying
- Third-party integrations: Configure data connectors for Zscaler, Okta, Palo Alto, etc. (if using multi-source queries)
User Assumptions:
- Analysts understand basic cybersecurity concepts (IOCs, TTPs, MITRE ATT&CK)
- Users can interpret Purple AI suggestions and validate findings
- Security operations team has defined incident response workflows
- Escalation procedures are documented for high-severity threats
PROCESS
Step 1: Access Purple AI interface
- Log in to SentinelOne Management Console
- Navigate to Purple AI:
- Option A: Click Purple AI icon in top navigation bar (purple brain icon)
- Option B: Navigate to Visibility → Purple AI
- Purple AI Dashboard displays:
- Chat Interface: Natural language query input box
- Quick Start Hunts: Pre-built threat hunting templates
- Recent Queries: History of previous Purple AI interactions
- Auto-Investigations: List of autonomous threat investigations
- Suggested Hunts: AI-recommended hunts based on current threat landscape
Result: Purple AI interface is accessible and ready for natural language threat hunting.
Step 2: Perform natural language threat hunting
Purple AI allows analysts to ask security questions in plain English (or other supported languages) without writing complex Deep Visibility queries.
Example Query 1: Investigate suspicious PowerShell activity
User: "Show me PowerShell commands with encoded parameters in the last 24 hours"
Purple AI Response:
- Generates Deep Visibility query automatically:
EventType = "Process Creation" AND
SrcProcName CONTAINS "powershell.exe" AND
SrcProcCmdLine CONTAINS "-encodedcommand" AND
CreatedAt >= "2025-11-25T00:00:00Z"
- Executes query and returns results:
Found 12 endpoints with encoded PowerShell commands
- Provides context:
"Encoded PowerShell is commonly used by attackers to obfuscate malicious commands.
Let me analyze these events for suspicious patterns..."
- Suggests next steps:
"Would you like me to:
1. Analyze the decoded command contents
2. Check if these endpoints have other suspicious activity
3. Generate a threat report"
Example Query 2: Hunt for lateral movement attempts
User: "Find any evidence of lateral movement using WMI or PsExec in the last 7 days"
Purple AI Response:
- Generates comprehensive query:
((EventType = "Process Creation" AND
  (SrcProcName CONTAINS "wmic.exe" OR SrcProcName CONTAINS "psexec.exe") AND
  (SrcProcCmdLine CONTAINS "/node:" OR SrcProcCmdLine CONTAINS "\\\\")) OR
 (EventType = "Network Connection" AND
  DstPort = 135 AND  # WMI/DCOM port
  SrcProcName NOT IN ("svchost.exe", "wmiprvse.exe")))  # Exclude legitimate WMI processes
AND CreatedAt >= "2025-11-19T00:00:00Z"
- Returns findings:
Found 3 endpoints with potential lateral movement activity
- WKS-FINANCE-05: wmic.exe executed with /node:WKS-FINANCE-10
- WKS-SALES-12: psexec.exe targeting \\WKS-SALES-15
- Risk assessment:
High Risk: WKS-FINANCE-05 shows signs of unauthorized remote execution
- Recommended actions:
1. Isolate WKS-FINANCE-05 from network
2. Investigate user account on WKS-FINANCE-05
3. Check for malware on WKS-FINANCE-10 (target endpoint)
Example Query 3: Cross-platform threat hunting
User: "Show me users who logged into Okta from unusual locations and then accessed sensitive files"
Purple AI Response (multi-source query):
- Queries Okta logs for authentication events:
Okta: User login from IP not in historical location baseline
- Queries SentinelOne for file access:
EventType = "File Modification" AND
FilePath CONTAINS "\\Confidential\\" AND
SrcProcUserName IN (<users from Okta query>)
- Correlates results:
Found 2 users matching this pattern:
- User: john.doe@company.com
- Okta login from IP 203.0.113.50 (Russia) at 2025-11-25 14:30
- SentinelOne: Accessed \FinanceShare\Confidential\Q4_Revenue.xlsx at 14:45
- Threat intelligence:
IP 203.0.113.50 is associated with known phishing campaigns (AlienVault OTX)
- Recommended actions:
1. Suspend john.doe@company.com Okta account immediately
2. Revoke active session tokens
3. Investigate for account compromise or insider threat
4. Check for data exfiltration (uploads to cloud storage, USB activity)
Best Practices for Natural Language Queries:
- Be specific about time ranges ("last 24 hours", "past 7 days", "this week")
- Include relevant context ("on web servers", "in finance department", "Windows endpoints")
- Use security terminology Purple AI understands (IOCs, lateral movement, privilege escalation, C2)
- Ask follow-up questions to drill deeper into findings
Result: Purple AI generates expert-level threat hunting queries from natural language input, accelerating investigations by 80%.
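The cross-source correlation Purple AI performs in Example Query 3, worked by hand as an added example (not SentinelOne's or Purple AI's code) over constructed Okta and Deep Visibility events: a successful Okta login from outside the user's historical IP baseline, followed within a time window by the same user modifying a file under a Confidential path. Field names are borrowed from the page's query; the baseline networks, the sample events and the one-hour window are assumptions.

```python
# Added example (not SentinelOne's or Purple AI's code): the Okta + Deep Visibility
# correlation from Example Query 3, worked over constructed sample events.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed baseline: networks each user has historically signed in from.
# A user with no baseline entry is treated as having no "usual" location.
LOCATION_BASELINE = {
    "john.doe@company.com": [ip_network("198.51.100.0/24")],
    "jane.roe@company.com": [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/24")],
}

# Constructed Okta authentication events (simplified System Log fields).
OKTA_EVENTS = [
    {"user": "john.doe@company.com", "ip": "203.0.113.50", "published": "2025-11-25T14:30:00Z", "outcome": "SUCCESS"},
    {"user": "jane.roe@company.com", "ip": "198.51.100.20", "published": "2025-11-25T14:32:00Z", "outcome": "SUCCESS"},
    {"user": "john.doe@company.com", "ip": "203.0.113.51", "published": "2025-11-25T14:35:00Z", "outcome": "FAILURE"},
]

# Constructed Deep Visibility file events; field names follow the page's query.
S1_FILE_EVENTS = [
    {"EventType": "File Modification", "SrcProcUserName": "john.doe@company.com",
     "FilePath": "\\\\FinanceShare\\Confidential\\Q4_Revenue.xlsx", "CreatedAt": "2025-11-25T14:45:00Z"},
    {"EventType": "File Modification", "SrcProcUserName": "jane.roe@company.com",
     "FilePath": "\\\\FinanceShare\\Confidential\\Budget.xlsx", "CreatedAt": "2025-11-25T14:40:00Z"},
    {"EventType": "File Modification", "SrcProcUserName": "john.doe@company.com",
     "FilePath": "C:\\Users\\john.doe\\notes.txt", "CreatedAt": "2025-11-25T14:50:00Z"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def unusual_logins(events, baseline):
    """Successful Okta logins whose source IP is outside the user's historical baseline."""
    hits = []
    for e in events:
        if e["outcome"] != "SUCCESS":
            continue  # failed attempts never reached the files; they are noise for this hunt
        addr = ip_address(e["ip"])
        if not any(addr in net for net in baseline.get(e["user"], [])):
            hits.append(e)
    return hits


def correlate(okta_events, s1_events, baseline, window=timedelta(hours=1), marker="\\Confidential\\"):
    """Join each unusual login to sensitive-file modifications by the same user within `window`."""
    findings = []
    for login in unusual_logins(okta_events, baseline):
        t0 = parse_ts(login["published"])
        for f in s1_events:
            if f["SrcProcUserName"] != login["user"] or marker not in f["FilePath"]:
                continue
            delta = parse_ts(f["CreatedAt"]) - t0
            if timedelta(0) <= delta <= window:  # access must follow the login, not precede it
                findings.append({"user": login["user"], "login_ip": login["ip"],
                                 "login_at": login["published"], "file": f["FilePath"],
                                 "accessed_at": f["CreatedAt"]})
    return findings


if __name__ == "__main__":
    for hit in correlate(OKTA_EVENTS, S1_FILE_EVENTS, LOCATION_BASELINE):
        print(hit)
```

The same join is what the `SrcProcUserName IN (<users from Okta query>)` clause above expresses; doing it in code makes the time ordering explicit, which the query alone does not.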
Step 3: Use Quick Start Threat Hunting templates
Purple AI provides pre-built threat hunting templates for common attack scenarios.
- Navigate to Purple AI → Quick Start Hunts
- Select a hunt template:
Available Quick Start Hunts:
| Hunt Template | Description | Use Case |
|---|---|---|
| Ransomware Indicators | Detect file encryption, suspicious processes, ransom notes | Proactive ransomware hunting |
| Credential Dumping | Find LSASS access, mimikatz, ntds.dit extraction | Detect credential theft |
| Persistence Mechanisms | Identify Run keys, scheduled tasks, services, WMI subscriptions | Find attacker persistence |
| Living off the Land | Detect abuse of legitimate Windows tools (certutil, bitsadmin, mshta) | Detect fileless attacks |
| Data Exfiltration | Large outbound transfers, cloud storage uploads, USB activity | Prevent data theft |
| Privilege Escalation | UAC bypass, token manipulation, DLL hijacking | Detect elevation attempts |
| C2 Beaconing | Periodic network connections, DNS tunneling, unusual protocols | Find command-and-control |
| Web Shells | Suspicious web server processes, unusual file writes to wwwroot | Detect webshell backdoors |
- Click a hunt template (e.g., "Ransomware Indicators")
- Purple AI executes the hunt:
- Automatically generates Deep Visibility query
- Searches across all endpoints and data sources
- Returns results with context and risk scoring
Example: Ransomware Indicators Hunt
Purple AI Executing: Ransomware Indicators Hunt
Query Generated:
(EventType = "File Modification" AND
FileExtension IN (".encrypted", ".locked", ".crypt", ".crypted")) OR
(EventType = "Process Creation" AND
(SrcProcCmdLine CONTAINS "vssadmin delete shadows" OR SrcProcCmdLine CONTAINS "bcdedit /set {default} recoveryenabled No")) OR
(EventType = "File Creation" AND
FileName IN ("README.txt", "HOW_TO_DECRYPT.txt", "DECRYPT_INSTRUCTIONS.html"))
Results:
No ransomware indicators found across 1,247 monitored endpoints
Status: HEALTHY - No immediate ransomware threat detected
Recommendation:
- Continue monitoring for ransomware indicators
- Ensure backups are current and tested
- Review ransomware policy: Console > Settings > Policies > Ransomware Protection
- Review findings and take action if threats are detected
Result: One-click threat hunts provide instant visibility into common attack scenarios without manual query writing.
Step 4: Generate investigation reports automatically
Purple AI can automatically generate investigation reports from threat data.
- After completing a threat hunt or investigation, ask Purple AI:
User: "Generate an investigation report for this incident"
- Purple AI generates comprehensive report:
Example Investigation Report:
================================================================================
SENTINELONE PURPLE AI INVESTIGATION REPORT
================================================================================
INVESTIGATION ID: INV-2025-11-26-001
ANALYST: Jane Doe
GENERATED: 2025-11-26 15:30:00 UTC
EXECUTIVE SUMMARY
-----------------
A credential dumping attack was detected on endpoint WKS-FINANCE-05 on
2025-11-26 at 14:15 UTC. The attacker used mimikatz to extract credentials
from LSASS memory and attempted lateral movement to WKS-FINANCE-10.
RISK LEVEL: CRITICAL
CONFIDENCE: HIGH
MITRE ATT&CK: T1003.001 (OS Credential Dumping: LSASS Memory)
TIMELINE OF EVENTS
------------------
2025-11-26 14:10:00 | User john.doe downloads suspicious file: invoice.exe
2025-11-26 14:12:00 | invoice.exe executes, spawns PowerShell
2025-11-26 14:15:00 | PowerShell loads mimikatz, dumps credentials from LSASS
2025-11-26 14:20:00 | wmic.exe attempts remote execution on WKS-FINANCE-10
2025-11-26 14:22:00 | SentinelOne detects and blocks mimikatz, quarantines invoice.exe
INDICATORS OF COMPROMISE
------------------------
File Hash (SHA256): abc123...def456
File Name: invoice.exe
File Path: C:\Users\john.doe\Downloads\invoice.exe
Process: mimikatz.exe
Command Line: mimikatz "sekurlsa::logonpasswords" exit
Network Connection: WKS-FINANCE-05 → WKS-FINANCE-10:135 (WMI/DCOM)
AFFECTED ENDPOINTS
------------------
- WKS-FINANCE-05 (compromised, isolated)
- WKS-FINANCE-10 (lateral movement target, no compromise detected)
THREAT INTELLIGENCE
-------------------
File hash matches known credential stealer: Mimikatz variant
VirusTotal: 65/70 detections
AlienVault OTX: Associated with APT29 (Cozy Bear) campaigns
ACTIONS TAKEN
-------------
1. SentinelOne automatically quarantined invoice.exe
2. Killed mimikatz process
3. Network quarantine applied to WKS-FINANCE-05
4. Forced password reset for john.doe account
5. Investigated WKS-FINANCE-10 for signs of compromise (none found)
RECOMMENDATIONS
---------------
1. Reset passwords for all users who logged into WKS-FINANCE-05 (credential theft)
2. Review email logs for phishing campaign targeting john.doe
3. Conduct user security awareness training on phishing recognition
4. Enable Credential Guard on Windows 10/11 endpoints to protect LSASS
5. Monitor for additional mimikatz detections across environment
REFERENCES
----------
- MITRE ATT&CK: T1003.001 (LSASS Memory Dumping)
- Threat ID: THR-12345678
- SentinelOne Storyline: <link to storyline>
APPROVED FOR DISTRIBUTION: ☐ Yes ☐ No
ESCALATION REQUIRED: ☑ Yes (executive briefing recommended)
================================================================================
Report Generated by SentinelOne Purple AI
- Export report:
- Click Export button
- Format: PDF, DOCX, HTML, JSON
- Share with stakeholders, management, or incident response teams
Result: Automated report generation saves analysts hours of manual documentation, ensuring consistent and comprehensive reporting.
Step 5: Enable Auto-Triage for autonomous alert prioritization
Auto-Triage uses AI to automatically prioritize alerts based on risk, reducing alert fatigue.
- Navigate to Console → Settings → Purple AI → Auto-Triage
- Enable Auto-Triage:
- Toggle Auto-Triage to ON
- Configure triage criteria:
- Risk Score Threshold: Automatically escalate alerts with risk score > 80
- Auto-Assign: Assign high-priority alerts to specific analysts or groups
- Auto-Isolate: Automatically network-isolate endpoints with critical-severity threats (use cautiously)
- Notification: Send Slack/email notifications for critical alerts
- Auto-Triage workflow:
Alert Received: Suspicious PowerShell detected on WKS-SALES-12
Purple AI Auto-Triage Analysis:
- Risk Score: 85 / 100
- Threat Type: Potential fileless malware
- MITRE ATT&CK: T1059.001 (PowerShell execution)
- Contextual Factors:
  - User: john.doe (no history of PowerShell usage)
  - Time: 2:30 AM (outside business hours)
  - Command: Encoded and obfuscated
  - Network: Outbound connection to suspicious IP (203.0.113.50)
Auto-Triage Action:
- Priority: CRITICAL
- Assigned to: SOC Analyst on-call
- Notification sent: Slack #soc-alerts channel
- Recommended action: Immediate investigation required
AI-Suggested Next Steps:
1. Review PowerShell command content (decode Base64)
2. Check endpoint for additional suspicious activity (last 24 hours)
3. Verify user account not compromised (recent Okta logins)
4. Consider network quarantine if malware confirmed
- Review auto-triaged alerts:
- Console → Alerts → Filter: Auto-Triaged = Yes
- Verify Purple AI prioritization matches analyst judgment
- Tune auto-triage rules if false positives occur
Result: Auto-Triage reduces alert noise by 60%, allowing analysts to focus on high-priority threats that truly matter.
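Two analyst tasks recur above: decoding the `-EncodedCommand` payload (Example Query 1 and Auto-Triage next step 1) and scoring an alert from the contextual factors the Auto-Triage workflow lists. This added Python example, which is not Purple AI's own logic, does both on a constructed alert with a benign payload; the factor weights, the 80-point escalation threshold and the flagged IP set are assumptions.

```python
# Added example (not Purple AI's own logic): decode a PowerShell -EncodedCommand argument
# as an analyst does in triage, then score the alert with the contextual factors from Step 5.
import base64
import re
from datetime import datetime

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Tokens an analyst looks for in the decoded script; their presence raises the obfuscation factor.
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring", "frombase64string", "-join", "[char]")
# Constructed "flagged" set for the outbound-connection factor (documentation range, not a real IoC).
FLAGGED_IPS = {"203.0.113.50"}
# Assumed weights, chosen so the four factors the page lists add up to its 85/100 example.
WEIGHTS = {"no_powershell_history": 20, "outside_business_hours": 15,
           "encoded_command": 25, "suspicious_outbound_ip": 25, "obfuscation_tokens": 10}
ESCALATE_ABOVE = 80  # page: auto-escalate alerts with risk score > 80


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text) or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_powershell_alert(alert, business_hours=(8, 18)):
    """Score one alert with the Step 5 contextual factors and decide its priority."""
    decoded = decode_encoded_command(alert["cmdline"])
    hour = datetime.strptime(alert["time"], "%Y-%m-%dT%H:%M:%S").hour
    factors = {
        "no_powershell_history": not alert["user_has_powershell_history"],
        "outside_business_hours": not (business_hours[0] <= hour < business_hours[1]),
        "encoded_command": decoded is not None,
        "suspicious_outbound_ip": alert.get("dst_ip") in FLAGGED_IPS,
        "obfuscation_tokens": decoded is not None and any(t in decoded.lower() for t in SUSPICIOUS_TOKENS),
    }
    score = min(100, sum(WEIGHTS[k] for k, hit in factors.items() if hit))
    priority = "CRITICAL" if score > ESCALATE_ABOVE else "HIGH" if score >= 50 else "MEDIUM"
    return {"decoded_command": decoded, "factors": factors, "risk_score": score, "priority": priority}


# Constructed alert mirroring the Auto-Triage walkthrough; the payload is benign and is encoded
# the way powershell.exe expects (UTF-16LE text, then base64).
SAMPLE_PAYLOAD = base64.b64encode("Write-Output 'triage test'".encode("utf-16-le")).decode()
SAMPLE_ALERT = {
    "endpoint": "WKS-SALES-12", "user": "john.doe", "user_has_powershell_history": False,
    "time": "2025-11-26T02:30:00", "dst_ip": "203.0.113.50",
    "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {SAMPLE_PAYLOAD}",
}

if __name__ == "__main__":
    result = triage_powershell_alert(SAMPLE_ALERT)
    print("Decoded:", result["decoded_command"])
    print("Risk score:", result["risk_score"], "Priority:", result["priority"])
```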
Step 6: Enable Auto-Investigations for autonomous threat hunting
Auto-Investigations allow Purple AI to autonomously investigate alerts and threats without analyst intervention.
- Navigate to Console → Settings → Purple AI → Auto-Investigations
- Enable Auto-Investigations:
- Toggle Auto-Investigations to ON
- Configure investigation triggers:
- Trigger on High-Risk Alerts: Automatically investigate alerts with risk score > 80
- Trigger on Specific Threat Types: Malware, Ransomware, Credential Theft
- Schedule: Continuous (24/7) or Scheduled (business hours only)
- Auto-Investigation workflow:
Alert: Potential ransomware detected on WKS-ACCOUNTING-08
Purple AI Auto-Investigation Started:
1. Analyzed process tree (identified suspicious encryption process)
2. Queried Deep Visibility for file modification events
3. Found 150 files encrypted with .locked extension
4. Checked for ransom note (found README.txt in C:\Users\Public\)
5. Identified ransomware family: LockBit 3.0 (via hash match)
6. Investigated network activity (C2 callback to 198.51.100.75)
7. Checked for lateral movement attempts (none detected)
8. Generated remediation recommendations
Auto-Investigation Results:
- Threat Confirmed: LockBit 3.0 ransomware
- Risk Level: CRITICAL
- Recommended Actions:
  1. Isolate WKS-ACCOUNTING-08 immediately (auto-executed)
  2. Initiate automatic rollback (SentinelOne rollback feature)
  3. Reset user credentials
  4. Block C2 IP at firewall (ticket created for network team)
Investigation Report: Auto-generated and saved to case file
Time to Complete: 45 seconds (vs. 2-3 hours for manual investigation)
- Review auto-investigation results:
- Console → Purple AI → Auto-Investigations
- View completed investigations, findings, and actions taken
- Validate AI findings and approve/reject recommendations
Result: Auto-Investigations execute expert-level threat hunts autonomously, reducing investigation time from hours to seconds.
Step 7: Use suggested hunts for proactive threat detection
Purple AI suggests threat hunts based on current threat intelligence and emerging attack trends.
- Navigate to Purple AI → Suggested Hunts
- Review suggested hunts:
Example Suggested Hunts:
Purple AI Suggested Hunt #1:
Title: Hunt for Log4Shell exploitation attempts
Reasoning: CISA advisory warns of active Log4Shell exploitation in the wild
Risk: HIGH
Target: Web servers and Java applications
Click to Execute Hunt
Purple AI Suggested Hunt #2:
Title: Detect PrintNightmare privilege escalation
Reasoning: Recent spike in PrintNightmare attacks targeting Windows print spooler
Risk: MEDIUM
Target: Windows servers and workstations
Click to Execute Hunt
Purple AI Suggested Hunt #3:
Title: Identify shadow IT cloud storage usage
Reasoning: Trend analysis shows increased use of unapproved cloud storage (Dropbox, Google Drive)
Risk: LOW (data exfiltration concern)
Target: All endpoints
Click to Execute Hunt
- Click "Execute Hunt" to run the suggested hunt
- Review findings and take action if threats are detected
Result: Proactive threat hunting based on real-time threat intelligence prevents attacks before they impact business.
Step 8: Collaborate with Purple AI for complex investigations
Purple AI supports iterative, conversational threat hunting for complex scenarios.
Example: Multi-step investigation
Analyst: "Show me all endpoints that communicated with IP 198.51.100.75 in the last 30 days"
Purple AI: Found 8 endpoints with connections to 198.51.100.75
Analyst: "What ports were used?"
Purple AI: Connections were primarily to TCP port 443 (HTTPS) and port 8080 (HTTP-Alt)
Analyst: "Show me the processes that initiated these connections"
Purple AI: Processes: chrome.exe (5 endpoints), svchost.exe (2 endpoints), unknown.exe (1 endpoint)
Analyst: "Focus on the unknown.exe process. What endpoint was that?"
Purple AI: Endpoint: WKS-SALES-15, Process: unknown.exe (C:\Users\Public\unknown.exe)
Analyst: "Get me the file hash and check VirusTotal"
Purple AI:
File Hash (SHA256): def456...abc789
VirusTotal: 58/70 detections - identified as Cobalt Strike beacon
First Seen: 2025-11-20 08:15:00 UTC
Analyst: "Check if this file exists on other endpoints"
Purple AI: File hash found on 3 additional endpoints (WKS-SALES-20, WKS-SALES-25, WKS-SALES-30)
Analyst: "Isolate all 4 endpoints immediately and generate an incident report"
Purple AI:
Action: Isolating 4 endpoints...
Status: Network quarantine applied to WKS-SALES-15, WKS-SALES-20, WKS-SALES-25, WKS-SALES-30
Incident Report: Generating...
[Report generated and saved to case file INV-2025-11-26-002]
Result: Conversational threat hunting enables analysts to ask follow-up questions and drill deeper into findings without writing new queries manually.
VERIFICATION
Verify Purple AI is operational:
- Check license status: Console → Settings → License → Modules: "Purple AI" should be listed and active
- Test natural language query:
- Navigate to Purple AI interface
- Enter simple query: "Show me all endpoints with active threats"
- Expected result: Purple AI returns list of endpoints with unresolved threats
- Test Quick Start Hunt:
- Navigate to Purple AI → Quick Start Hunts
- Select "Persistence Mechanisms" hunt
- Click "Execute Hunt"
- Expected result: Query executes and returns results (may be zero if no persistence detected)
- Verify Auto-Triage is working (if enabled):
- Wait for new alert to trigger
- Check alert details for "Auto-Triaged: Yes" and risk score
- Expected result: Alert is automatically prioritized and assigned
- Test report generation:
- After completing a hunt, ask: "Generate a report"
- Expected result: Comprehensive investigation report is auto-generated
TROUBLESHOOTING
Issue: Purple AI not responding to queries
Symptoms: Purple AI returns error or no response
Solutions:
- Verify license:
- Console → Settings → License
- Ensure Purple AI module is active
- Check data availability:
- Purple AI requires Deep Visibility data to query
- Verify agents are online and sending telemetry
- Console → Sentinels → All Endpoints → Check agent connectivity
- Retry query with simpler language:
- Instead of: "Find anomalous network behavior indicative of lateral movement"
- Try: "Show network connections between endpoints in the last hour"
- Check console logs:
- Console → Activity → System Logs
- Look for Purple AI errors
Issue: Purple AI suggests irrelevant hunts
Symptoms: Suggested hunts don't match environment or threat landscape
Solutions:
- Tune threat intelligence feeds:
- Console → Settings → Purple AI → Threat Intelligence Sources
- Disable irrelevant feeds or sources
- Provide feedback to Purple AI:
- Click "Not Helpful" on irrelevant suggested hunts
- Purple AI learns from feedback over time
- Focus on Quick Start Hunts instead of suggested hunts for targeted investigations
Issue: Auto-Triage generating false positives
Symptoms: Low-risk alerts marked as critical by Auto-Triage
Solutions:
- Tune risk score threshold:
- Console → Settings → Purple AI → Auto-Triage
- Increase threshold from 80 to 90 (reduce sensitivity)
- Exclude specific alert types:
- Configure Auto-Triage to ignore low-severity PUA alerts
- Provide feedback:
- Mark false positives as "Not a Threat"
- Purple AI adjusts triage logic based on feedback
COMMANDS/SCRIPTS
PowerShell script to query Purple AI programmatically (via API):
<#
.SYNOPSIS
Query SentinelOne Purple AI via API
.DESCRIPTION
Send natural language threat hunting query to Purple AI and retrieve results
.PARAMETER ApiToken
SentinelOne API token
.PARAMETER ConsoleUrl
SentinelOne console URL
.PARAMETER Query
Natural language threat hunting query
.EXAMPLE
.\Query-PurpleAI.ps1 -ApiToken "abc123" -ConsoleUrl "https://yourtenant.sentinelone.net" -Query "Show me PowerShell with encoded commands in last 24 hours"
#>
param(
    [Parameter(Mandatory=$true)]
    [string]$ApiToken,
    [Parameter(Mandatory=$true)]
    [string]$ConsoleUrl,
    [Parameter(Mandatory=$true)]
    [string]$Query
)
$ErrorActionPreference = 'Stop'
# Strip a trailing slash so the endpoint path below is not built with "//"
$ConsoleUrl = $ConsoleUrl.TrimEnd('/')
# SentinelOne API calls authenticate with the "ApiToken <token>" Authorization scheme
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type"  = "application/json"
}
Write-Host "=== SentinelOne Purple AI Query ===" -ForegroundColor Cyan
Write-Host "Query: $Query`n" -ForegroundColor Yellow
# Request body: the natural language question, serialized as JSON
$body = @{
    query = $Query
} | ConvertTo-Json
try {
    Write-Host "[1/2] Sending query to Purple AI..." -ForegroundColor Yellow
    $response = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/purpleai/query" -Headers $headers -Method Post -Body $body
    Write-Host "[SUCCESS] Query executed" -ForegroundColor Green
    # Natural language answer
    Write-Host "`n[2/2] Purple AI Response:" -ForegroundColor Yellow
    Write-Host $response.data.response
    # Deep Visibility query Purple AI generated from the question, when one is returned
    if ($response.data.deepVisibilityQuery) {
        Write-Host "`nGenerated Deep Visibility Query:" -ForegroundColor Cyan
        Write-Host $response.data.deepVisibilityQuery
    }
    # Matching findings, when the query returned any (@() keeps .Count correct for a single object)
    if ($response.data.results) {
        Write-Host "`nResults: $(@($response.data.results).Count) findings" -ForegroundColor Green
        $response.data.results | Format-Table -AutoSize
    }
}
catch {
    Write-Host "[ERROR] Query failed: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}
Document Version: 1.0
Last Updated: 2025-11-26
Author: CosmicBytez IT Operations
Reviewed By: Security Operations Team