#Infosec2024: Decoding SentinelOne's AI Threat Hunting Assistant

Artificial intelligence (AI) has lowered the barrier to entry for both cyber attackers and cyber defenders.

During Infosecurity Europe 2024, cybersecurity platform provider SentinelOne will showcase how Purple AI, its new assistant tool for cybersecurity professionals, can help speed up the work of skilled analysts and democratize threat hunting for other cyber practitioners.

SentinelOne’s Demo at Infosecurity Europe

A ‘Man vs Machine’ Threat Hunt

Speaking to Infosecurity, Brett Taylor, SentinelOne’s senior engineering director for the UK and Ireland, shared what to expect from the ‘Man vs Machine’ demonstration.

He described it as a 30-minute live threat-hunting competition in which two competitors, a skilled security operations analyst and either a customer or a SentinelOne commercial team member, work side by side on two different consoles in real time and try to narrow down as much information on a specific threat as possible.

“The security engineer will use SentinelOne’s platform and our proprietary PowerQuery language, and the other person will use Purple AI and natural language to perform the same threat-hunting task. The first to get the wanted result wins,” explained Taylor.

A Real-Life Simulation

The case both competitors will work on consists of simulated data from a typical advanced persistent threat (APT) actor's attempt to infect a system with malware.

It will involve all the steps typical of a common APT group’s techniques, tactics and procedures (TTPs), including elements of evasion, persistence, lateral movement and process injection.

Both competitors' live threat hunting will be projected to an audience on a split screen in real time.

“Usually, a skilled security operations center (SOC) analyst would get some notifications in the SentinelOne system, such as indicators of compromise (IOCs),” Taylor said.

“They would then use these as the first part of a query that they would write using our PowerQuery language, which allows them to ask questions around those IOCs and then pivot on the result sets returned by our engine,” he continued.

How AI can Democratize Threat Hunting

Embarking with a Purple AI-Enabled Threat Hunter

The non-skilled threat hunter will use the Purple AI dashboard. The dashboard allows users to analyze data from their endpoint detection and response (EDR) solution.

First, using SentinelOne’s AI-powered product called ‘AI Security Analyst,’ they would ask a question in natural language – in English – about a potential threat. For instance: ‘Am I targeted by UNC1878?’

UNC1878 is the MITRE tracking identifier of a threat group that monetizes network access via the deployment of Ryuk ransomware.

“We use MITRE denominations for threat actors in our engine so that we avoid confusion between attributions from different security vendors,” Taylor noted.

Upon receiving this input, Purple AI would gather all telemetry associated with UNC1878 and other linked groups and show the results in another box, including a list of IOCs, IP addresses, hashes, and other elements related to UNC1878’s TTPs in the simulated system.

“When it would take hours, if not days, even for a level 3 SOC analyst to generate that query, Purple AI provides a result in a matter of seconds,” Taylor argued.

The engine would then allow the person to filter the results down to what they want to investigate further. It also provides a summary of the TTPs for each identified attack, which would help the analyst decide where to focus their investigation.
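As an added illustration of the workflow just described (not SentinelOne's code, and not PowerQuery syntax, which the article does not show), here is the same loop in Python: the actor identifier in the question is grounded against stored indicators before any query is built, the seed query and the pivot on its result set run over constructed EDR-style telemetry, and the result carries a per-host TTP summary. All intel and telemetry values are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed intel keyed by the tracking identifier named in the question (values made up).
INTEL = {
    "UNC1878": {"ips": {"203.0.113.10", "198.51.100.7"},
                "hashes": {"aaaa1111", "bbbb2222"}},
}

# Constructed EDR-style telemetry, one record per process event.
EVENTS = [
    {"host": "ws-01", "proc": "powershell.exe", "dst_ip": "203.0.113.10",
     "sha256": "cccc3333", "technique": "T1027 defense evasion"},
    {"host": "ws-01", "proc": "rundll32.exe", "dst_ip": None,
     "sha256": "aaaa1111", "technique": "T1055 process injection"},
    {"host": "ws-01", "proc": "schtasks.exe", "dst_ip": None,
     "sha256": "dddd4444", "technique": "T1053 persistence"},
    {"host": "srv-02", "proc": "svchost.exe", "dst_ip": "192.0.2.9",
     "sha256": "eeee5555", "technique": None},
]

def retrieve_context(question):
    """Grounding step: map the actor named in the question to stored indicators; None if unknown."""
    m = re.search(r"\b(UNC\d+|APT\d+|G\d{4})\b", question, re.I)
    return INTEL.get(m.group(1).upper()) if m else None

def seed_query(events, intel):
    """First query: events carrying any indicator tied to the actor."""
    return [e for e in events
            if e["dst_ip"] in intel["ips"] or e["sha256"] in intel["hashes"]]

def pivot(events, hits):
    """Pivot on the result set: widen to every event from hosts that had a hit."""
    hosts = {e["host"] for e in hits}
    return [e for e in events if e["host"] in hosts]

def hunt(question, events=EVENTS):
    intel = retrieve_context(question)
    if intel is None:  # refuse to build a query on an ungrounded actor name
        return {"error": "no known actor identifier in question"}
    hits = seed_query(events, intel)
    known = intel["ips"] | intel["hashes"]
    summary = defaultdict(set)
    for e in pivot(events, hits):
        if e["technique"]:
            summary[e["host"]].add(e["technique"])
    return {"hosts": sorted({e["host"] for e in hits}),
            "iocs_seen": sorted({v for e in hits
                                 for v in (e["dst_ip"], e["sha256"]) if v in known}),
            "ttp_summary": {h: sorted(t) for h, t in summary.items()}}
```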

How Purple AI Works

Taylor said: “Don’t think Purple AI is just a chatbot or a virtual assistant. It not only creates complex data queries from natural language but also anticipates the next thoughts the analyst might want to say and the next action they might want to take based upon the outcomes it derives.”

The Purple AI engine pulls data from a proprietary data lake structured according to an open cybersecurity framework standard. Several AI algorithms, including a commercial large language model (LLM) with retrieval-augmented generation (RAG), are then trained on that data lake.

RAG is an architectural approach that can improve the efficacy of LLM applications by retrieving relevant custom data and supplying it to the model alongside the prompt, rather than relying on the model's training data alone.

“This process allows us to stop hallucinations but also ensure the queries we ask are complete,” Taylor explained.

“We believe anyone can start threat hunting even with very limited security analysis skills, which is why we set our demonstration as a competition between a skilled analyst and a non-technical individual.”

What’s Next for Purple AI

Purple AI was introduced in 2023. After Infosecurity Europe, SentinelOne will expand its capabilities and allow the engine to analyze data beyond the EDR’s remit.

“The tool will be able to analyze data from cloud sources like Amazon Web Services (AWS) and Microsoft Azure logs for security purposes, for example,” Taylor said.

His team also wants to embed Purple AI into its users’ workflow, “let the tool come to you and provide you with security analytics instead of you querying it,” the senior engineer concluded.

SentinelOne’s ‘Man vs Machine’ showcase will be presented during Infosecurity Europe on stand C20.

AI for cybersecurity use cases will also form a major part of the Infosecurity Europe conference program.

The event is taking place from June 4 to 6 at the ExCel in London.
