Linking SentinelOne as a source
This source is currently in alpha. The interface and available tables may change.
The SentinelOne connector syncs your endpoint security data into the PostHog Data warehouse, so you can trend threat volume, mitigation rates, and fleet health alongside your product data.
Prerequisites
You need a SentinelOne account with access to the management console so you can generate an API token. The token inherits your user's role and scope (account, site, or group), which determines which records sync.
Adding a data source
- In PostHog, go to the Sources tab of the data pipeline section.
- Click + New source and click Link next to this source.
- Enter your credentials (see Configuration below) and click Next.
- Select the tables you want to sync, choose a sync method and frequency, then click Import.
Once the syncs are complete, you can start querying this data in PostHog.
When linking SentinelOne, you'll need:
- Console URL – your management console hostname, like
your-tenant.sentinelone.net. It's tenant and region specific, so copy it from your browser's address bar when logged in to the console. - API token – in the management console, click your user name, then My User > Actions > API Token Operations > Generate API token. Copy the token right away, as it's only shown once. Tokens expire (typically after six months), so you'll need to regenerate and reconnect when yours does.
Sync modes
Each table can be synced in one of several modes, depending on what the source supports:
- Webhook (when available) – the source pushes changes to PostHog in real time. Fastest freshness, lowest ongoing cost, and the only mode that reliably captures updates and deletes.
- Incremental – only new or updated rows are synced on each run, using a cursor field (such as an
updated_attimestamp). Cheaper than a full refresh, but deletes aren't captured. - Append only – new rows are appended using a cursor field; existing rows are never updated. Ideal for immutable, append-only tables like event logs.
- Full refresh – the whole table is reloaded on every sync. Use it when a table has no reliable cursor or when you need deletions reflected.
See sync methods for a full explanation of how each mode works and how to choose between them.
Threats, agents, and activities support incremental sync using SentinelOne's timestamp filters. Groups and sites are small tables and sync as full refresh.
Configuration
| Option | Type | Required |
|---|---|---|
Console URL | text | Yes |
API token | password | Yes |
Supported tables
| Table | Description | Sync method | Incremental field | Primary key |
|---|---|---|---|---|
threats | A threat detected by SentinelOne, with detection details, classification, and mitigation status. | Incremental, Full refresh | updatedAt, createdAt | — |
agents | A SentinelOne agent — an endpoint (workstation or server) with its inventory, health, and protection state. | Incremental, Full refresh | updatedAt, createdAt | — |
activities | The activity log — an append-only audit trail of console and agent events (logins, policy changes, mitigations, and more). | Incremental, Full refresh | createdAt | — |
groups | A group — a policy-scoped collection of agents within a site. | Full refresh | — | — |
sites | A site — a tenant subdivision with its own licensing, policies, and users. | Full refresh | — | — |
Troubleshooting
- If you get an authorization error, your API token is invalid or expired. Generate a new token under My User > Actions > API Token Operations, then reconnect.
- If some records are missing, your token's user may be scoped to a specific site or group. Reconnect with a token from a user scoped to the account level to sync everything.
If your sync is failing or data looks wrong, see the Data warehouse troubleshooting guide. If that doesn't help, contact support – we're happy to help.