Introduction
This guide walks you through integrating your existing SentinelOne (S1) deployment with Guardz using a Site Service User API Token.
What this integration enables:
Sync SentinelOne-managed devices with Guardz.
Automatically open S1-detected endpoint threats as issues in Guardz Detection & Response.
Manage and remediate threats directly from the Guardz platform.
Inherit and modify SentinelOne security policies within Guardz.
Important Notes:
Each Guardz customer corresponds to one SentinelOne Site.
A separate API token is required for each site, so a multi-site deployment needs one service user per site.
Admin permissions are required for setup: the service user must hold the Admin site role in SentinelOne.
Step 1: Configure SentinelOne API Access
Generate a Site Service User API Token in SentinelOne
1. Log in to the SentinelOne Management Console.
2. Navigate to Policy & Settings > User Management > Service Users.
3. Click "New Service User" to open the creation modal.
4. Enter the details:
Name: Use a descriptive name such as "Guardz Integration", so the token can be identified and revoked independently of any other integration.
Expiration: Set to 1 year or longer to minimize renewals. A longer lifetime also means a leaked token stays valid longer, so align it with your token rotation policy and record the expiry date; the integration stops working when the token expires.
Scope of Access: Select "Site", then choose the Account and Site to integrate. The token will only be able to see this one site.
Site Role: Change from Viewer (default) to Admin. Admin is required because Guardz manages policies and remediates threats through this token; treat it as a privileged credential.
5. Click "Create Service User".
6. Copy the API Token displayed on the next screen and store it securely (for example in a secrets manager, not in a ticket or chat message). The console does not show the token again; if it is lost, you will need to generate a new one.
Repeat these steps for each SentinelOne site you want to integrate with Guardz.
Step 2: Connect SentinelOne to Guardz
Configure SentinelOne in Guardz
1. Log in to Guardz.
2. Navigate to Security Controls > Endpoint Security.
3. If the SentinelOne Security Control is not yet active, click "Deploy" to activate it.
4. Under SentinelOne Endpoint Protection, click "Connect".
5. Enter your SentinelOne details:
Subdomain: <your-subdomain>.sentinelone.net (the hostname you use to open the SentinelOne Management Console).
API Token: Paste the Service User API Token from SentinelOne.
6. Click "Save & Connect".
Once connected:
All SentinelOne-managed devices in that site will appear in Guardz > Devices.
Threats detected by SentinelOne will automatically open as issues in Guardz Detection & Response.
You can manage SentinelOne security policies from within Guardz.
Step 3: Adjust SentinelOne Site Policy Settings in Guardz
After integration, the SentinelOne site policies are inherited in Guardz. You can:
Modify detection sensitivity settings for endpoint protection.
Configure automated remediation rules for threats detected by SentinelOne.
Adjust response actions for high-risk detections (e.g., device isolation).
To modify SentinelOne policies in Guardz:
1. Navigate to Security Controls > Endpoint Security > SentinelOne Settings.
2. Adjust site-specific security policies as needed. These are the SentinelOne site's own policies, so review changes as carefully as you would in the SentinelOne console.
3. Click "Save" to apply the changes.
Troubleshooting Common Issues
Issue: "Failed to connect SentinelOne API."
Fix:
Verify the correct API Token was used: it must be the Site service user's token, the service user must have the Admin site role, and the token must not have expired or been revoked.
Check that the subdomain is correct (it should be <your-subdomain>.sentinelone.net, the same host you use to open the SentinelOne Management Console).
Issue: "Devices not syncing in Guardz."
Fix:
Ensure SentinelOne agents are properly deployed and reporting to the correct Site.
Confirm that the SentinelOne service user is scoped to that Site; a token scoped to a different site sees none of these agents.
Issue: "SentinelOne threats not appearing in Guardz Detection & Response."
Fix:
Ensure the API integration is active in Security Controls > Endpoint Security.
Check the threat list in the SentinelOne console to confirm new detections are registered for that site.
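To confirm the token and subdomain before connecting, or while working through the three issues above, the following Python script (an added example, not Guardz or SentinelOne code) calls the SentinelOne Management API v2.1 directly with the same service user token Guardz will use. It relies on the documented `Authorization: ApiToken <token>` header and the `/web/api/v2.1/sites`, `/agents` and `/threats` endpoints; the query parameters, the JSON shapes it parses, the `S1_SUBDOMAIN` / `S1_API_TOKEN` environment variable names and the embedded sample responses are assumptions constructed for the example.

```python
"""Verify a SentinelOne site service-user token outside Guardz.

Added example: not Guardz or SentinelOne code. Endpoint paths and the
'ApiToken' authorization scheme are the documented v2.1 Management API;
the query parameters, JSON shapes parsed below and the sample data are
assumptions / constructed for this example.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlencode

API_VERSION = "web/api/v2.1"

# Constructed sample responses, shaped like GET /sites and GET /agents (assumed).
SAMPLE_SITES = {"data": {"sites": [
    {"id": "1001", "name": "Acme Corp", "state": "active", "accountName": "MSP Account"},
]}}
SAMPLE_AGENTS = {"data": [
    {"computerName": "ACME-LT-01", "siteId": "1001", "isActive": True},
    {"computerName": "ACME-LT-02", "siteId": "1001", "isActive": False},
    {"computerName": "OTHER-SRV-9", "siteId": "2002", "isActive": True},
]}


def base_url(subdomain: str) -> str:
    """Normalise 'acme', 'acme.sentinelone.net' or 'https://acme.sentinelone.net/'
    to 'https://acme.sentinelone.net', rejecting anything that is not a hostname."""
    host = subdomain.strip().lower()
    for prefix in ("https://", "http://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    host = host.rstrip("/")
    if not host.endswith(".sentinelone.net"):
        host = f"{host}.sentinelone.net"
    if "/" in host or " " in host or host == ".sentinelone.net":
        raise ValueError(f"not a valid SentinelOne subdomain: {subdomain!r}")
    return f"https://{host}"


def auth_headers(token: str) -> dict:
    """The Management API authenticates with 'Authorization: ApiToken <token>'."""
    return {"Authorization": f"ApiToken {token.strip()}", "Accept": "application/json"}


def api_get(url: str, token: str, params: Optional[dict] = None) -> dict:
    """One GET against the Management API; raises urllib.error.HTTPError on 401/403."""
    if params:
        url = f"{url}?{urlencode(params)}"
    req = urllib.request.Request(url, headers=auth_headers(token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_sites(sites_response: dict) -> list:
    """Reduce a GET /sites body to the fields that matter for the Guardz mapping.
    A Site-scoped service user only sees its own site here, so this is the scope
    check: the single site listed must be the one mapped to this Guardz customer."""
    sites = sites_response.get("data", {}).get("sites", [])
    return [{"id": s.get("id"), "name": s.get("name"),
             "state": s.get("state"), "account": s.get("accountName")} for s in sites]


def agent_report(agents_response: dict) -> dict:
    """Count total and active agents per siteId from a GET /agents body.
    Zero agents for the integrated site explains 'devices not syncing'."""
    report: dict = {}
    for agent in agents_response.get("data", []):
        site = report.setdefault(str(agent.get("siteId")), {"total": 0, "active": 0})
        site["total"] += 1
        if agent.get("isActive"):
            site["active"] += 1
    return report


def main() -> int:
    # Read the secret from the environment; never pass the token as a CLI argument.
    subdomain, token = os.environ.get("S1_SUBDOMAIN"), os.environ.get("S1_API_TOKEN")
    if not subdomain or not token:
        print("set S1_SUBDOMAIN and S1_API_TOKEN first")
        return 2
    root = f"{base_url(subdomain)}/{API_VERSION}"
    try:
        sites = summarize_sites(api_get(f"{root}/sites", token))
    except urllib.error.HTTPError as err:
        print(f"{root}/sites rejected the token: HTTP {err.code} (wrong, expired or revoked?)")
        return 1
    for site in sites:
        print(f"site {site['id']} {site['name']!r} ({site['state']}) in account {site['account']!r}")
    for site_id, counts in agent_report(api_get(f"{root}/agents", token, {"limit": 1000})).items():
        print(f"site {site_id}: {counts['total']} agents, {counts['active']} active")
    # Unresolved threats are what Guardz turns into Detection & Response issues.
    threats = api_get(f"{root}/threats", token, {"resolved": "false", "limit": 100})
    print(f"{len(threats.get('data', []))} unresolved threats visible to this token")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

If `/sites` answers HTTP 401 the token itself is wrong, expired or revoked; if it lists a site other than the one you are mapping to this Guardz customer, the service user was scoped to the wrong site; if the agent count for the site is zero, the agents are reporting elsewhere and Guardz has nothing to sync; and zero unresolved threats means there is nothing yet for Detection & Response to open.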
Issue: "SentinelOne security policies not reflecting in Guardz."
Fix:
Reload the SentinelOne Site Policy Settings in Security Controls > Endpoint Security.
Best Practices
Rotate API tokens regularly, and revoke the old service user token once Guardz is connected with the new one.
Monitor API connection health in Security Controls > Endpoint Security.
Ensure SentinelOne sites are correctly mapped to Guardz customers (one site per customer).
Use a dedicated service user for the Guardz integration so its token can be revoked without affecting other integrations.
Use Guardz Detection & Response for unified security monitoring across endpoints.