Purple AI Reviews

Purple AI addresses queries and analysis on threats. If you have a threat incident while using the SentinelOne Singularity platform, Next-Gen SIEM, or any SentinelOne product, Purple AI allows you to automate responses and conduct in-depth analysis on how the threat attack occurred. Purple AI offers excellent services and is majorly used by the identity part of SentinelOne, where it helps in managing authentications.

For a threat incident use case, Purple AI helps us to mitigate and eradicate the threat within a reduced time, much more than expected. We were able to analyze threat trends and proactively create automation policies on the console. Purple AI helps in identifying weaknesses and vulnerabilities in the environment. This is especially useful for SOC Analyst people who monitor the security posture of the infrastructure. There is no need to learn a querying language to do correlations. If you are using Purple AI, you can provide the query as plain text and it will automatically query the logs stored in the SIEM or XDR. We are able to easily correlate the logs for any threat incident.

As a reseller, we not only sell products but also provide support in case of any attack. When a threat attack occurs, we are the support person for the end users, and we use all available tools in the market to help them mitigate the attack, eradicate it, and find the root cause of the analysis if possible. By using Purple AI, we are able to track what was happening in the end user machine and create new automated rules to prevent those kinds of attacks from happening in the future.

I would say that 50 to 60 percent of time was saved. Usually, in an environment without SIEM, XDR, or AI engines used for analyzing logs, I took around three to four hours just to find the source of the attack. In this case, the time reduction is actually 70 to 80 percent. Even if there was no detection in SentinelOne, I was able to analyze the logs and log patterns using simple queries and identify the root cause of an attack within half an hour.

If you want to become a SOC expert for other tools, there are numerous tools available in the market such as Splunk, LogRhythm, and X-axis. You need to know shell scripting or querying language to drill down the data and get the information required. With SentinelOne, there is no need for such things. If you know what you want, such as a process name, source process, or parent process name, these terminologies are easy for us to track down, and we can use these terms in the query and get our required results.

Everything will not give 100 percent perfect answers because these are driven by data patterns and trends using machine learning. There is no tool that will provide 100 percent accuracy. In my experience, giving a true positive of above 75 percent is good, and Purple AI achieves this.

Purple AI helps me save time to generate queries and do threat hunting. In threat hunting scenarios, its prediction is good. They have a pretty good KDD built within their model. We are able to achieve at least 85 to 90 percent accuracy.

It is a single click feature. If you have a threat hunting option and click it against the threat details, it is just a single click and you will be able to see graphs and timeline information. Everything will be visible, and it will also populate all the hidden risks which have either been mitigated or which need to be mitigated. Everything will be populated in the console itself.

In terms of visibility, Purple AI gives great performance. Since it provides much deeper visibility, we are able to respond to an attack in reduced time. The main thing is that organizations have a big gap in visibility and are not able to see the entire infrastructure under a single console. With proper integrations and console configurations like EDR, XDR, and if you implement a SentinelOne SIEM, you will be able to get all the logs from integrated sources. With the power of Purple AI, we are able to achieve less time for mitigating attacks. In today's world, the time to respond to an attack is key. If the time taken to respond to an attack is critical, you won't be able to deliver low TTR without proper visibility. Without proper visibility, you won't know where the threat attack is originating and will be searching in circles for that threat source. Unless you have full visibility of your environment, you won't be able to provide mitigation or identify the root cause of the threat attack. Since Purple AI gives minimal response time, the visibility part is obviously better.

We have not tested in that manner because when comparing with the competition product CrowdStrike, Purple AI and CrowdStrike are pretty good and more or less equal in the way of responding to a query.

On the technical side, I can compare Purple AI with CrowdStrike's threat intelligence. CrowdStrike was initially a breach investigation company and was in the Indian market well before SentinelOne, acquiring more significant ground.

We have used Charlotte AI, which is provided by CrowdStrike, the direct competitor of SentinelOne. These two have key differences. Charlotte AI focuses more on IOAs and IOCs, whereas Purple AI helps us query the logs and hunt threats. As an improvement, if SentinelOne could focus on IOA similar to what CrowdStrike is giving, that would be a good point.

They could feed information on IOA, such as based on attackers, what different attack groups are performing the attacks, and provide those insights. Compared to its competition, for doing DFIR (Digital Forensics and Incident Response), not only IOCs are needed but also IOAs. Information about the indication of the attacker, who is attacking, and the attacker group history would be better if Purple AI could incorporate that.

We can build some queries and automated responses for any suspicious or malicious conditions. It would be better if there were workflows in place for giving alerts. The way alerts are handled could be improved because when compared to other competing products, I am able to handle the technique of the threat and categorize it based on severity. If it has a major impact on the environment, I can contain the system. I have numerous options to create various kinds of alerts.

I have been using this for around one and a half years. Purple AI is pretty new to the market.

We have not faced any stability issues. Purple AI is pretty stable.

You have to have the Flexi-license in case you need to add some add-ons. From the licensing part, they are providing Flexi-license, which is good. Many vendors are not doing that, so this is good in terms of scalability.

Nowadays, I will give a rating of 10 because the support is very good.

Positive

We used some Trellix solutions and GTA threat intelligence. I was also working with Trend Micro, but it took a long time.

SentinelOne is mostly available on the cloud only. On-premises, they do have a solution, but even SentinelOne does not recommend going with on-prem. They have an on-prem solution, but even their team is not that confident about it.

This is not at all complex. This is a straightforward implementation.

For enterprises, it is affordable. For SMBs, it is quite expensive.

On the technical side, I can compare Purple AI with CrowdStrike's threat intelligence. CrowdStrike was initially a breach investigation company and was in the Indian market well before SentinelOne, acquiring more significant ground.

We have used Charlotte AI, which is provided by CrowdStrike, the direct competitor of SentinelOne. These two have two key differences. Charlotte AI focuses more on IOAs and IOCs, whereas Purple AI helps us query the logs and hunt threats. As an improvement, if SentinelOne could focus on IOA similar to what CrowdStrike is giving, that would be a good point.

Data security is important because in today's organizations, they have endpoints, networks, and applications everywhere. With the internet, IoT, and many other AI tools and platforms, many people use AI tools for various products, presentations, and data analytics. Everything is available on the internet today. When it comes to SentinelOne, it provides an XDR solution where Purple AI plays a major role. If an organization has properly integrated all its solutions with XDR and SentinelOne SIEM, then at each level, SentinelOne will have correlated logs where data is flowing if all configurations in other solutions are in place. With respect to data security, SentinelOne does not have a dedicated data security solution. SentinelOne is primarily focused on Next-Gen SIEM, cloud security, identity security, endpoint security, and XDR. These are the key solutions they focus on. With XDR in place, we can integrate other data security solutions such as Netskope, which has DLP at the network layer, or Fortinet, which has DLP at both endpoint and network layers. With those integrations, we can view logs regarding data flows, and that is the only thing we can do from SentinelOne's side. To my knowledge, SentinelOne does not currently have a dedicated DLP or data security solution. My overall rating for this product is 8.5 out of 10.

I have been using Purple AI by SentinelOne for the past six months. We are a customer of SentinelOne, and we use their tools like Purple AI and SentinelOne to provide security services to our clients.

The natural language processing capability analyzes and maps data in an intuitive way. For example, I can ask Purple AI to identify all alerts received for a specific IP in the last six months. Purple AI runs its machines and processes the data, then provides information about the activities or indicators of compromise associated with that IP.

Purple AI can identify risks and vulnerabilities. For instance, we might discover a host with high vulnerability and potential of being attacked. Purple AI tells us what vulnerabilities exist on that host or on other assets in our environment. That is what Purple AI can do.

Purple AI has been integrated with the SentinelOne Singularity tool, and it helps us significantly with security alerts. When we receive any security alert, Purple AI summarizes the overall incident and provides a snippet. We can also ask Purple AI anything related to our security tools or alerts, and it provides relevant answers. It has been a very good product.

The best feature is that the summary is very precise, crisp, and presented in layman's language while still including all the technical aspects required for analysis. As an analyst, rather than going through numerous logs and details, reading the snippet provides me with approximately 40 to 50 percent of what has happened, explaining the overall incident in one or two paragraphs. This is very useful for me.

AI-assisted summary provides overall incident summaries in a concise format. Rather than reading a 10-page book, I get a snippet that explains the entire incident. An incident report typically contains 10 to 20 pages, but Purple AI presents it in two to three paragraphs, explaining exactly what has happened. In cybersecurity, we try to answer key questions: what has happened, who did it, and how it happened. Purple AI has been designed specifically for SentinelOne to provide these AI analysis summaries for security alerts.

As analysts, we first review the Purple AI snippet to understand what it is communicating. I do not completely depend on it because I understand that AI can sometimes generate incorrect or inappropriate answers, but in my experience, this has been rare. Reviewing the snippet helps me save considerable time rather than diving deep into the incident and checking each detail. Having all the information in two to three paragraphs is very helpful and saves a lot of time.

There is considerable room for improvement because this is a booming field. According to Anthropic cloud technology, the IT sector market can be automated up to 95 percent, and we have only reached 25 percent. There is substantial skill to improve.

Purple AI could improve by becoming automated with alert analysis. For example, it should analyze the complete alert and determine what has happened, who did it, and what the remediation steps should be. While having it take action automatically is not feasible because it requires extensive training data, it could ask an analyst to confirm or authorize the action. There is a significant gap for automation. AI combined with automation is a very powerful tool, and combining these could reduce both time and work because automation saves time for everyone.

The improvements needed are not about bugs but about being more efficient and improving the product itself.

Purple AI should implement AI in automation, with AI serving as the brain of automation. Purple AI can accomplish this because it provides exactly what has happened, maintaining at least 90 percent accuracy based on my knowledge and experience. For example, we receive alerts for brute force attacks or failed login activities that still trigger alerts. These could be directly automated using AI. AI would function as the brain and would have the capability to make its own decisions about what has happened and what should be done. We would be the ones controlling and authorizing the actions while AI performs them under supervision. That is where room for improvement exists.

Regarding bugs, I did not find any bugs in my experience with Purple AI. However, the user interface could be improved to better present information to users. Apart from that, I have nothing additional to add.

I have been using this solution for almost two years.

Purple AI has very high chances of scalability. I would give it a 10 on scalability.

CrowdStrike does not have its own AI as per my knowledge. I worked with CrowdStrike Falcon, which is an endpoint EDR tool. Purple AI is integrated with SentinelOne and has its own advantages such as providing analysis and information about risk and threats. CrowdStrike operates on a completely different logic and behavioral-based approach where actions are taken. That is a completely different aspect. However, regarding AI integration, I have not worked with other AI-integrated tools. I have worked with something called Sumo Logic, which has integration tools, and I have worked with AlienVault, which also does not have AI. Therefore, I cannot provide an honest review on other AI tools because I have not used them.

My team uses Purple AI as an AI assistant for investigation of alerts we get in SentinelOne, as well as for threat analysis and threat hunting. We use this feature for that purpose. By using this, we can easily and quickly triage alerts. Purple AI provides a summary of the alerts we receive, detailing what the process activities are and what the user behavior is. All of these help us understand incidents faster without digging deep into alerts manually.

Purple AI plays a significant role in amplifying my team's knowledge as a service provider. We save time on particular alerts because Purple AI can respond to low and medium alerts by itself. For high and critical alerts, we still need to investigate further as it sometimes provides generic responses. Overall, for low and medium alerts, it results in significant time savings, but we still need manual review for high alerts.

The auto-saving feature in Notebooks helps us collaborate efficiently. It functions the same as ChatGPT; if we run any queries, it saves them automatically. We can share notebooks with our teammates, allowing us to work collaboratively on a specific incident or threat hunting effort. This feature is beneficial as it facilitates collaboration.

The best features in Purple AI are that it functions as an AI assistant for security analysis of any alert we receive. It summarizes the incident or alert we receive and helps us understand what is happening quickly without digging into logs manually, which takes more time. We get this very easily in less time by using a natural language prompt. We can fetch the logs, investigate, and Purple AI also provides us the next steps and recommendations on what to look for. These are some features which are useful.

The natural language hunting in Purple AI helps us a great deal, especially for juniors. For other tools we use, such as Sumo Logic and Splunk, we need to understand query language and scripting to get what we want. But in Purple AI, if we just know what to look for, we can prompt in natural language, asking for DNS logs related to a specific host, and it provides us with the logs we want.

The threat hunting quick start library is very useful as it provides us with suggestions based on ongoing attacks. For example, the striker cyber attacks happening from Iran to other companies. Based on these current attacks, it suggests whether we want to look for IOCs related to the striker attack, and it has predefined templates for that. It is very useful to have these templates.

In evaluating Purple AI's impact on visibility and unified workflows during threat hunting, I cannot say it is one hundred percent effective. Sometimes it is a bit too generic. However, it does not provide wrong answers but may not always be relevant to what we ask. From a visibility perspective, I can say it is mostly generic and not detailed enough at times.

There is room for improvement in some areas. Sometimes Purple AI provides too generic responses for complex alerts, particularly at levels classified as high or critical. In those areas, it needs to improve and should be more technical instead of generic.

I have been using Purple AI with SentinelOne for one year and two months.

Regarding stability, it depends on the performance of the tool, as Purple AI is a feature of SentinelOne. Sometimes it lacks performance and may take a while to load, or it may not show alerts at all, requiring us to log out and log back in. Therefore, it relies heavily on the overall performance of the SentinelOne tool.

Purple AI works well for all types of alerts across various data sources and environments; hence, I find it good for scalability. However, it still depends on the quality of data it receives from our sources as it affects how well it can analyze and respond.

I would rate the technical support for Purple AI an eight out of ten.

I have not used many AI integrated tools, but I have only used Sumo Logic which has an AI assistant feature. Compared to that, I can confidently say Purple AI is better, particularly regarding response time and the accuracy of the responses we are looking for.

Detection-wise, Purple AI has reduced my investigation and response times by half, approximately fifty percent.

Purple AI is deployed in the cloud as it comes as a feature with the SentinelOne Singularity tool, so there is no separate deployment needed.

In terms of the mean time to detect and respond to threats, when we receive an alert, Purple AI does not detect as such, but it helps us a great deal in reducing investigation time. It provides us with a summary of the alert and suggests what suspicious activities have occurred, along with guidance on what to look for next. This alert summarization helps us significantly, particularly for low and medium severity alerts. However, for critical and high severity alerts, we still need manual intervention to look into them.

We use the Gen AI Security Analyst feature, as Purple AI is integrated with Gen AI.

I notice a difference in speed using Purple AI compared to legacy SIEMs such as Sumo Logic; it is fast, taking only a few seconds to respond. Sumo Logic has an AI assistant called Sumo Copilot, but it takes much longer, often responding after a minute. In comparison, Purple AI is quicker and does not take much time to give a response.

The response time reduction is approximately fifty percent.

Purple AI does provide a threat intel feature. If any alert triggers, specifically if a file or IP related to that alert is identified, it automatically reaches threat intel and gives us a result based on that.

Data privacy and security in Purple AI meet my needs and requirements; it is good in that regard.

Regarding the threat hunting quick start library, it is very useful as it provides us with suggestions based on ongoing attacks, including the striker cyber attacks happening from Iran to other companies. Based on these current attacks, it suggests whether we want to look for IOCs related to the striker attack, and it has predefined templates for that. It is very useful to have these templates.

The main use cases I use Purple AI for are building queries, alerts, and Star custom policies. Mostly I use Purple AI for building alerts, queries, and Star custom policies. Sometimes it doesn't give exact queries on how to build them, but over time it has improved.

The main benefit is the threat hunting part and building any queries regarding Star custom policies, and building any alerts. That is the main part I use Purple AI for, and it's actually very helpful and useful.

Sometimes I use it for analyzing specific endpoints. The analysis part is great, but when it comes to building queries and those Star custom policies, it's okay.

Purple AI's best feature is the analysis part. You can simply give the context and it digs out and presents it in a very representable way. That's the good part I appreciate about Purple AI.

I have used it and it's a very helpful threat hunting tool. Purple AI integrated with threat hunting has helped me a lot in most incident response situations. Recently I went through an incident response case where we were using the SentinelOne threat hunting tool, and it was almost near perfect. It was able to give good outputs on whatever things we were analyzing.

Coming to the visibility part of Purple AI, it has very good context of what is happening around the dashboard. It collects a very good amount of pointers and the knowledge capturing is all very good. The visibility level is quite good from what I have observed.

Regarding the threat analysis part, we have seen very good time reduction. It simply takes us a few hours to resolve an issue or if there are any false positives.

AI-assisted summary is good, but if we get it in the exact threat module where we investigate all the threats, it would be more helpful for the AI part.

For next step suggestions, if they simply add a good analysis part of threat analysis integrated with AI, it would be very helpful for the platform. Additionally, if they have more customizable admin options (they have some predefined accesses in the SaaS platform), but if we could have more customizable roles for assigning a person, it would be helpful.

Coming to Purple AI, it is quite good compared to CrowdStrike Charlotte AI. Charlotte AI gives a very good threat overview, whereas Purple AI lacks that. If Purple AI covers that threat overview, it would be more useful.

Building the Star custom rules and building alerts are areas which could improve. It could give more detailed steps on exactly how we can build a good query based on the context and exactly where to give nice steps on how to implement those queries. That would be a good improvement for Purple AI.

Purple AI is more passive in SentinelOne. It's not active. If it were more active, taking some actions and interacting with the threat feed, showing the overview of the threat and the recommended steps for whatever threat we are working on, it would be a good addition.

It's passive, so only when we ask about a particular thing does it investigate at that moment and then give insights. If it were more active in the threat session, it would be more useful.

I have been working with Purple AI since 2024. It has been two years now.

We find it quite stable.

It's quite scalable. If we scale and add any two to three pieces within our existing plan, based on the endpoint, it gives the next term and when we pay the money, it adds that amount in the billing and it's quite easy.

Tech support is good. It's not very hectic like first connecting to customer care and then prioritizing our issue. We just directly get connected to the technical person.

Positive

I have worked with CrowdStrike, Sophos EDR, and Trellix. I am familiar with all four endpoints.

Initial setup, we mostly use the manual way. Just installing the EXE files and then pasting the tokens is quite easy. Coming to Windows, Linux, and Mac, it's the same process. There are no other procedures required for different platforms.

We have achieved good ROI with Purple AI. Most of the customers we show Purple AI to have seen good ROI for Purple AI.

Pricing could be better for enterprise level as I don't have much insight about it. But coming to providing SentinelOne solution for small scale enterprise, if they could offer better prices, it would be more useful.

Purple AI is used for analysis, understanding data, and lowering the entry barrier to get into your data. Previously, if you wanted to know something from your data, you either had to know what you were looking for, understand the category, determine the keyword, and combine all of those criteria with the correct syntax. You essentially had to learn a different language to know what you were looking for, or you could click it together, but that also isn't practical.

We recently got a new apprentice, and when I onboarded him to the threat hunting process, he was able to start using it that day. He has some basic security knowledge and was very quickly able to get started on it. Another example is that we are running Capture the Flag events with Purple AI. We literally say that you don't need any experience with SentinelOne or potentially even security as a whole. We had human resources people take part in that event, and they were able to complete the challenges to investigate a security incident using Purple AI. The barrier to entry is lowered significantly, and also the speed is improved. Even if you knew the query language perfectly, you would still take a bit of time to type out the whole query, whereas with Purple AI, you have the entire thing in just two or three seconds.

What I appreciate about the solution is that it does what I would expect a tool of that kind to do. I can very quickly search something, and if I want to share that with the team, I can ask the tool to not just investigate the incident, but to summarize it in an email. I can share the conversation with the team. It does everything I would want it to do.

My impressions of the natural language hunting across native and third-party data are that it doesn't care if you ask in English or German. I personally don't really care that much either, but we do have some customers who aren't that adept at English, and being able to ask the queries in German is an absolute game changer for them. Typos also don't matter, which is great.

My experience using the AI-assisted summaries and the suggested next step queries is that the individual event summaries sometimes paint a more bleak outlook than really is the case. Generally, they do tell you pretty well if something is or isn't suspicious or malicious, but in some instances, it's a bit much.

I have used Purple AI's Threat Hunting Quick Start library sometimes, and it is nice to go in there when you have five or ten free minutes and look to see if there's a new threat actor that has been added to the quick start library. Then I can quickly search if we have any instances of that.

My ability to proactively find risks has definitely improved. I think that we've had under five instances where it's been proactively found. Previously, that number was lower. That's definitely a positive change.

There are potentially areas that have room for improvement to make Purple AI better, such as comprehension of the questions. One thing is that, as with all AI, it can only give you what you ask for. Sometimes people might not really know what they're asking for. Being able to understand people better would be awesome. Beyond that, potentially just providing sources when it's referencing documentation would be helpful. Sometimes it doesn't do that, which is a bit annoying. Purple AI is also not just useful for threat hunting; it also has the entire documentation. For example, if you don't know how to deploy an agent, you can ask that, and it will give you detailed instructions on the entire process. However, sometimes it doesn't link the documentation, which would be nice to have.

I have been using Purple AI since its release in year 2024.

I have not faced any challenges when implementing Purple AI. Purple AI works out of the box. If you want more data, there are third-party integrations and a large catalog of native integrations that you can utilize. If you want to go beyond that and use non-natively supported third-party data, you can ingest those data streams, but you need to get a data parser in order to actually properly work with that data. That can be a bit tedious, but there's something on the horizon for changes to that.

The stability of Purple AI, I would rate as nine.

The impact of using Purple AI on scaling autonomous security across enterprises or across my clients is not yet really measurable. So far, the autonomous capabilities aren't really there yet.

I would rate the support as nine.

Positive

I have had a look at CrowdStrike's AI solution. I still prefer SentinelOne over CrowdStrike AI, absolutely.

The advice I would give others looking into Purple AI, given that this is something new, is to remember that it is AI at the end of the day. I haven't had wrong answers, and I'll give them the credit for that, but I've had answers that weren't what I was expecting or the answer that I was looking for. This goes back to the whole thing of you can only get what you ask for. Beyond that, give it a try. It is definitely worth the time to invest in testing it. You will notice that you save so much time.

The auto-saving feature in the notebooks affects my ability to collaborate efficiently, but I have never been impacted by that. When anything new happens, it gets saved, and that works well.

Overall, I would rate Purple AI a nine.

Purple AI gives expertise on the threat intelligence piece and provides robust security posture management across our environment. It ensures availability and delivers all threat detection and response in a single platform. Purple AI has helped me affect my ability to proactively find risks with threat hunting.

This solution will greatly reduce our workflows.

Purple AI provides availability and ensures that all threat detection and response are available in a single platform. The Quick Starts library has helped to affect my ability to proactively find risks with threat hunting. 

There are still areas that could be improved. People will talk more about the storage part and the analytics piece. Sometimes they provide architecture use cases that all have limitations. The only concern related to pricing is the ingestion-based pricing model, which is higher at scale.

Regarding the solution stability, the only concern is the prompting requirement. We have to provide prompts in a proper manner, otherwise it will not work correctly. This is related to all AI solutions having similar issues. It is not unique to Purple AI.

I have been using Purple AI for about two months.

Purple AI is stable. The only concern is the prompting requirement, as we have to provide prompts in a proper manner, otherwise it will not work correctly. This is related to all AI solutions having similar issues and is not unique to Purple AI.

Before Purple AI, I have been using some similar products.

Purple AI is easy to install, and it has REST API integrations and connectors that make it easy to integrate.

The implementation team was from the vendor and vendor partner.

I cannot comment on ROI at this time because I have only been using Purple AI for two months, so I cannot provide an informed assessment.

I would say the solution is a little expensive.

Purple AI could do something to improve response time. I am using a cloud-only deployment. I recently started using Amazon Web Services on the marketplace. I did not purchase through the marketplace. Since Purple AI is hosted in the cloud, stability is not a concern.

I have not yet used that particular feature much and will need to explore it further. As a regulated entity, we must follow regulatory requirements. We need to adapt to compliance standards. Our regulatory framework is DPDPA, similar to how other companies follow GDPR in the UK. Security frameworks are implemented across all international standards that we are required to follow.

I would rate Purple AI an eight overall for its performance and capabilities.