SentinelOne Integration Guide
The SentinelOne integration allows PhishingBox to enhance human risk scoring by ingesting security telemetry directly from endpoint devices. By pulling in threat detections from SentinelOne and associating them with users, you gain greater visibility into real-world risk across your organization.
Purpose of the Integration
With the integration enabled:
Devices and detection data from SentinelOne are synced into PhishingBox.
-
If a device is linked to a user (target):
Threat events (e.g., malware, suspicious activity) will automatically impact the target’s human risk score.
The result is a more holistic, real-time view of individual security posture.
Step-by-Step Configuration
Follow the instructions below to enable the integration in just a few minutes.
Get Your SentinelOne API Token & Management Host
Log in to your SentinelOne Console.
Go to My user > Actions > API Token Operations.
Generate or regenerate your API Token.
Note your Management Host (e.g.,
yourtenant.sentinelone.net).
You may need admin or API access permissions to retrieve these credentials.
Enter Your Credentials in PhishingBox
In PhishingBox, go to Integrations > SentinelOne.
Click the Setup button.
-
In the Edit Configuration window:
Toggle the integration to Active.
Paste your API Key.
Enter your Management Host.
Test & Save
Click Test to validate the integration.
Once the connection is confirmed, the Last tested date will update.
Click Save to finalize and activate the integration.
The Save button is only enabled after a successful test.
Sync Behavior Summary
| Feature | Description |
|---|---|
| Device Sync | Imports SentinelOne-managed devices into PhishingBox |
| Target Matching | Links devices to known users (targets) in PhishingBox |
| Detection Import | Brings in risk events like malware, exploits, and suspicious activity |
| Risk Score Impact | Automatically adjusts user risk scores based on threat severity |
Risk Scoring Logic
SentinelOne’s risk detections enrich the PhishingBox Human Risk Score. Detections are evaluated for severity and recency and translated into score adjustments for the affected targets.
High-severity detections raise scores significantly.
Recurring alerts can indicate persistent risk and may elevate scores further.
Combines with phishing and training data for full visibility.
Need Help?
If you're unsure how to:
Retrieve your SentinelOne API key or host address,
Configure detection-to-user mappings,
Or interpret changes in human risk scores,
Please contact PhishingBox support or your assigned customer success manager.