Guardz + SentinelOne Integration Guide (BYO-S1)
Updated over 2 weeks ago

📌 Introduction

This guide walks you through the process of integrating your existing SentinelOne (S1) deployment with Guardz using a Site Service User API Token.

✅ What this integration enables:

  • 🎯 Sync SentinelOne-managed devices with Guardz.

  • 🔎 Automatically open S1-detected endpoint threats as issues in Guardz Detection & Response.

  • ⚡ Manage & remediate threats directly from the Guardz platform.

  • 🛡️ Inherit & modify SentinelOne security policies within Guardz.

💡 Important Notes:

  • Each Guardz customer corresponds to a SentinelOne Site.

  • A separate API token is required for each site.

  • Admin permissions are required for setup.


📌 Step 1: Configure SentinelOne API Access

🔹 Generate a Site Service User API Token in SentinelOne

1️⃣ Log in to the SentinelOne Management Console.
2️⃣ Navigate to Policy & Settings > User Management > Service Users.
3️⃣ Click "New Service User" to open the creation modal.
4️⃣ Enter Details:

  • Name: Use a descriptive name like "Guardz Integration".

  • Expiration: Set to 1 year or longer to minimize renewals.

  • Scope of Access: Select "Site", then choose the Account & Site to integrate.

  • Site Role: Change from Viewer (default) → Admin (Admin permissions required).

5️⃣ Click "Create Service User".
6️⃣ Copy the API Token displayed on the next screen and store it securely.


💡 Repeat these steps for each SentinelOne site you want to integrate with Guardz.


📌 Step 2: Connect SentinelOne to Guardz

🔹 Configure SentinelOne in Guardz

1️⃣ Log into Guardz.
2️⃣ Navigate to Security Controls > Endpoint Security.
3️⃣ If required, click "Deploy" to activate the SentinelOne Security Control.
4️⃣ Under SentinelOne Endpoint Protection, click "Connect".
5️⃣ Enter your SentinelOne details:

  • Subdomain: <your-subdomain>.sentinelone.net

  • API Token: Paste the Service User API Token from SentinelOne.


6️⃣ Click "Save & Connect".

✅ Once connected:

  • All SentinelOne-managed devices will appear in Guardz > Devices.

  • Threats detected by SentinelOne will automatically open as issues in Guardz Detection & Response.

  • You can manage SentinelOne security policies from within Guardz.


📌 Step 3: Adjust SentinelOne Site Policy Settings in Guardz

🔧 After integration, SentinelOne policies will be inherited in Guardz. You can:

  • Modify detection sensitivity settings for endpoint protection.

  • Configure automated remediation rules for threats detected by SentinelOne.

  • Adjust response actions for high-risk detections (e.g., device isolation).

📌 To modify SentinelOne policies in Guardz:
1️⃣ Navigate to Security Controls > Endpoint Security > SentinelOne Settings.
2️⃣ Adjust site-specific security policies as needed.
3️⃣ Click "Save" to apply the changes.


📌 Troubleshooting Common Issues

🔹 Issue: "Failed to connect SentinelOne API."
✅ Fix:

  • Verify the correct API Token was used (ensure it has Admin permissions).

  • Check if the subdomain is correct (it should be <your-subdomain>.sentinelone.net).

🔹 Issue: "Devices not syncing in Guardz."
✅ Fix:

  • Ensure SentinelOne agents are properly deployed and reporting to the correct Site.

  • Confirm that the SentinelOne API user has the correct site scope assigned.

🔹 Issue: "SentinelOne Threats not appearing in Guardz Detection & Response."
✅ Fix:

  • Ensure the API integration is active in Security Controls > Endpoint Security.

  • Check SentinelOne threat logs to confirm new detections are registered.

🔹 Issue: "SentinelOne security policies not reflecting in Guardz."
✅ Fix:

  • Try reloading SentinelOne Site Policy Settings in Security Controls > Endpoint Security.


📌 Best Practices

✔ Regularly rotate API tokens to maintain security.
✔ Monitor API connection health in Security Controls > Endpoint Security.
✔ Ensure SentinelOne sites are correctly mapped to Guardz customers.
✔ Use Guardz Detection & Response for unified security monitoring across endpoints.


