
Connect SentinelOne to Anzenna

This guide walks you through creating a service user in the SentinelOne Management Console and connecting it to Anzenna for comprehensive endpoint security monitoring.

Prerequisites

  • SentinelOne Management Console administrator access

  • Anzenna account with integration permissions

  • Ability to create service users in SentinelOne

Overview

The integration provides:

  • Endpoint detection and response monitoring
  • Device inventory and health status
  • Threat intelligence and alert visibility
  • Agent status tracking
  • Security policy compliance monitoring

Step-by-Step Instructions

1. Access SentinelOne Console

  1. Log into your SentinelOne Management Console

  2. Navigate to Settings > Users

2. Create Service User

  1. Select Service Users from the navigation

  2. Click the Actions menu

  3. Choose Create New Service User

3. Configure Service User

  1. Enter the service user name:

    Anzenna

4. Set API Token Expiration

  1. Click the expiration date dropdown menu

  2. Select Custom to set a personalized expiration timeframe

  3. Choose a target date approximately 2 years in advance

Token Rotation

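Setting a longer expiration period (2+ years) reduces how often the API token must be rotated and the maintenance overhead that comes with it. The token stays valid for that whole period, so store it securely and regenerate it if compromise is suspected.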

  4. Select the appropriate year from the calendar

  5. Select the specific date for expiration

  6. Click Apply to confirm your date selection

5. Configure Scope Permissions

  1. Click Next to proceed to permissions

  2. Click Select Scope of Access…

Choose the appropriate scope for your integration needs:

  • Global - Access to all sites and accounts

  • Account - Specific account access

  • Site - Specific site access

Scope Selection

Choose Global for complete visibility across your entire SentinelOne deployment. Use Account or Site scope if you need to limit Anzenna's access.

  3. Click Next after selecting scope

6. Assign Permissions

The service user needs the following permissions for monitoring:

    Permission Category    Access Level
    Agents                 View
    Threats                View
    Activities             View
    Groups                 View
    Policies               View
    Exclusions             View
    Reports                View

  1. Select Viewer role (provides all necessary read permissions)

  2. Or manually select View permissions for each category above

7. Create User and Get API Token

  1. Click Create User to finalize the service user

  2. Copy the generated API token immediately

Important

The API token is displayed only once. If you lose it, you'll need to generate a new token.

  3. Store the API token securely (you'll paste it into Anzenna next)

  4. Click Close to exit the dialog

8. Connect to Anzenna

  1. Log into Anzenna at app.anzenna.ai

  2. Navigate to Settings > Integrations

  3. Find the SentinelOne integration card

  4. Toggle the switch to enable the integration

  5. Paste the API token you copied from SentinelOne

  6. Enter your SentinelOne Management Console URL (format: https://your-instance.sentinelone.net)

  7. Click Save to establish the connection

Verification

  1. Return to Anzenna > Integrations

  2. Confirm SentinelOne shows as Connected

  3. Navigate to Anzenna's Endpoints dashboard

  4. Verify devices from SentinelOne are appearing

  5. Check that recent threats and alerts are visible

  6. Review that agent status information is syncing

What Data is Collected

Endpoint Information

  • Device inventory
  • Agent versions and status
  • Operating system details
  • Last seen timestamps
  • Network information

Security Events

  • Threat detections
  • Behavioral indicators
  • File reputation data
  • Process executions
  • Network connections

Agent Status

  • Agent health
  • Update status
  • Protection status
  • Operational mode

Policy Information

  • Applied policies
  • Policy compliance status
  • Exclusion lists
  • Group assignments

Managing the Integration

Viewing Connection Status

Check integration health:

  1. Go to Anzenna > Integrations

  2. Review SentinelOne connection status
  3. Check last successful sync timestamp

Regenerating API Token

If the token is compromised or expired:

  1. In SentinelOne, go to Settings > Users > Service Users

  2. Find the Anzenna service user
  3. Click Actions > Generate New API Token

  4. Copy the new token
  5. Update in Anzenna integration settings
  6. Click Save

Extending Token Expiration

  1. Edit the Anzenna service user in SentinelOne

  2. Update the expiration date
  3. No need to regenerate token
  4. Changes take effect immediately

Revoking Access

  1. In Anzenna, disable the SentinelOne integration

  2. In SentinelOne, delete or disable the Anzenna service user

  3. All API access is immediately revoked

Troubleshooting

Connection Fails

"Invalid API token" error:

  • Verify token was copied correctly (no extra spaces)

  • Ensure token hasn't expired
  • Check service user is enabled in SentinelOne

  • Confirm URL format is correct
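
An added example, not part of Anzenna's or SentinelOne's own tooling: a local pre-flight check for the causes listed above (stray whitespace in the pasted token, an expired token, a malformed console URL), run before the values go into Anzenna. The function names, the rule that a token contains no inner whitespace, and the sample values are assumptions made for illustration.

```python
from datetime import date
from urllib.parse import urlsplit

REMINDER_DAYS = 30  # the page's "30 days before expiration" reminder window

def check_console_url(url):
    """Return problems with the console URL; an empty list means it looks right."""
    problems = []
    if url != url.strip():
        problems.append("URL has leading or trailing whitespace")
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("URL must start with https://")
    if not parts.hostname:
        problems.append("URL has no host name")
    if parts.username or parts.password:
        problems.append("URL must not embed credentials")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("URL must be the console base URL, without path or query")
    return problems

def check_token(token):
    """Return problems with a pasted token. Messages never include the token itself."""
    stripped = token.strip()
    problems = []
    if not stripped:
        return ["token is empty"]
    if token != stripped:
        problems.append("token has leading or trailing whitespace")
    # Assumption: the token is one opaque string, so inner whitespace means a bad copy.
    if any(ch.isspace() for ch in stripped):
        problems.append("token contains embedded whitespace or a line break")
    return problems

def check_expiry(expires_on, today):
    """Classify the expiration date recorded for the service user."""
    days_left = (expires_on - today).days
    if days_left < 0:
        return "expired"
    return "renew" if days_left <= REMINDER_DAYS else "ok"

def preflight(url, token, expires_on, today):
    """Run all three checks and report them together."""
    return {"url": check_console_url(url), "token": check_token(token),
            "expiry": check_expiry(expires_on, today)}

if __name__ == "__main__":
    # Constructed sample input: placeholder token, pasted with a trailing newline.
    print(preflight("http://your-instance.sentinelone.net/login",
                    "CONSTRUCTED-PLACEHOLDER-TOKEN\n", date(2027, 1, 31), date(2027, 1, 1)))
```

The checks only report what is wrong and never echo the token, so the output can be pasted into a ticket.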

No Data Appearing

Endpoints not showing in Anzenna:

  • Wait 15-30 minutes for initial sync
  • Verify service user has View permissions
  • Check that scope includes target sites/accounts

  • Ensure agents are online and reporting to SentinelOne

Permission Errors

API returns access denied:

  • Verify service user has Viewer role
  • Check scope covers the required sites
  • Ensure user wasn't accidentally disabled
  • Confirm permissions weren't modified

Token Expiration Issues

Token expired unexpectedly:

  • Check expiration date in SentinelOne
  • Regenerate new token with longer expiration

  • Update Anzenna with new token
  • Set calendar reminder for next expiration

Security Considerations

  • API token security - Treat token like a password

  • Least privilege - Viewer role provides read-only access

  • Scope limitation - Use Account/Site scope if global not needed

  • Regular audits - Review service user activity logs

  • Expiration monitoring - Set reminders before token expires

  • Incident response - Regenerate token if compromise suspected

Best Practices

  1. Set long expiration - 2+ years reduces maintenance

  2. Document token location - Note where token is stored securely

  3. Monitor sync status - Check daily for first week after setup

  4. Review permissions - Audit quarterly to ensure correct access

  5. Calendar reminders - Set reminder 30 days before expiration

  6. Test thoroughly - Verify all expected data is flowing

  7. Keep console URL updated - Update if SentinelOne instance changes

Integration Maintenance

Regular Checks

Perform these checks monthly:

  • Verify connection status
  • Review last sync timestamp
  • Check for any error messages
  • Confirm data freshness

Before Token Expiration

30 days before expiration:

  1. Review if integration is still needed
  2. If yes, extend expiration date
  3. Or regenerate token with new expiration
  4. Update calendar reminders

During SentinelOne Upgrades

After console upgrades:

  • Test integration connectivity
  • Verify API compatibility
  • Check for any new features/permissions

Need help? Contact Anzenna Support for assistance.