Skip to main content
Glama
Sentinel-One

Purple AI MCP Server

Official
by Sentinel-One

purple_ai

Investigate cybersecurity threats, generate PowerQueries, and get answers about SentinelOne by asking questions in plain language.

Instructions

Interact with SentinelOne's Purple AI, a cybersecurity assistant that helps you investigate threats, generate PowerQueries, and answer questions about SentinelOne. Purple AI understands natural language and converts your questions into structured security queries, or answers in plain language.

What Purple AI can do:

  • Generate and explain PowerQueries for threat hunting and detection

  • Help answer questions using threat intelligence and behavioral signals

  • Explore user, process, network, and file-based activities

  • Investigate MITRE TTPs, ransomware behavior, lateral movement, and more

  • Answer questions about SentinelOne capabilities

What Purple AI can't do:

  • Access active alerts (use the Alerts tool for that)

  • Modify configurations or directly interact with your endpoints

  • Run the PowerQueries itself (use the PowerQuery tool to run the PQ returned by Purple AI)


How to ask good questions

Purple AI works best when your questions are:

  • Descriptive: Include process names, file paths, domains, ports, or usernames

  • Focused: Describe what you're trying to understand or find

  • Scoped: If helpful, include filters like time ranges, endpoint type, or OS

Example questions:

  • Show me PowerShell processes that connected to external IPs

  • Find unsigned processes that accessed lsass.exe

  • List endpoints where the user “jsmith” logged in more than 5 times

  • Are there any reverse SSH tunnels from public IPs?

  • Find living-off-the-land binaries spawned from Microsoft Word

DO NOT instruct Purple AI to "Generate a Powerquery to ...". Instead, just say what you are looking for. Example: - GOOD: "Is APT-1337 in my environment?" - BAD: "Generate a PowerQuery to determine if APT-1337 is in my environment, including their typical tools, processes, and TTPs."


Tips for writing questions

  • Start with verbs like: show, find, list, search

  • Add specific entities like: powershell, svchost, lolbins, ssh, .tmp files

  • Use filters like: external IPs, non-Windows folders, file size over 1GB

  • Ask about behaviors: ransomware, persistence, privilege escalation, data staging, beaconing, phishing

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
queryYes

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes
Behavior5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations, the description fully discloses behavior: it generates and explains PowerQueries but does not run them, understands natural language, and returns answers. It also warns against instructing it to 'generate a PowerQuery' directly, revealing an important behavioral constraint.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured with clear sections (capabilities, limitations, query guidance, examples) and front-loads the purpose. While somewhat lengthy, every section earns its place, though minor trimming could improve conciseness.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity of the tool (interactive cybersecurity assistant), the description is comprehensive. It covers capabilities, limitations, query format, examples, and guidance. The presence of an output schema also reduces the need to describe return values.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The single parameter 'query' has no description in the input schema (0% coverage), but the description extensively explains what kinds of queries to ask, provides examples, and offers tips for effective questions, adding substantial meaning beyond the schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states that purple_ai is a cybersecurity assistant that helps investigate threats, generate PowerQueries, and answer questions. It lists specific capabilities and distinguishes itself from sibling tools like powerquery (which runs queries) and alerts tools.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly states when to use the tool (asking natural language questions about threats, generating PowerQueries) and when not to (accessing alerts, modifying configs). It provides guidance on how to ask good questions with examples and tips, and contrasts with the powerquery tool.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Sentinel-One/purple-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server