This article is based on SentinelOne community documentation about LDAP and Entra for the purpose of identifying user accounts.
Auto association of SentinelOne endpoints to users in Guardz
Purpose
The Auto Association feature in Guardz automatically maps users identified in the organization profile (M365 and Google Workspace) with the logged-in user of the device.
This mapping allows admins and the Guardz MDR team to:
Link issues and incidents from SentinelOne directly to users known in Guardz.
Connect the dots between SentinelOne threats and detections from other security controls in Guardz.
Provide actionable remediation steps tied to specific individuals.
How It Works
Guardz auto association relies on LDAP/Active Directory data pulled from the SentinelOne (S1) agent. It depends on the S1 agent's ability to gather data from:
LDAP Server (already configured).
Entra (Azure AD).
Requirements
LDAP
Integration with Active Directory (AD) occurs automatically.
No configuration of an AD server is required.
Entra (Azure AD)
The S1 agent must be version 23.4.5 or later.
The Entra Graph API login must not be throttled or restricted.
Users must log into their endpoint individually using M365 credentials.
Note: This feature is compatible with both BYO-S1 and Managed-S1 within Guardz.
Troubleshooting
LDAP Integration
LDAP integration is fully automated with no specific configuration required in Guardz or SentinelOne.
Guardz does not provide technical support for LDAP-specific issues.
Entra Graph API
This process relies on a built-in Microsoft utility that enables agent logins to Entra.
Ensure no Microsoft/Entra policies interfere with successful logins (e.g., rate-limiting policies).
S1 AD Data Update Triggers
Agent load.
User login or logout.
Periodic updates (every 180 minutes).
Important Notes
Guardz maps each user once. Subsequent changes to user information are not updated automatically.
Manually associated users will not be overwritten by the Auto Association feature.