<style>p { margin: 0; }span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left:0; padding-left:5px;}blockquote blockquote{ border-color: #00bcd4; color: #00bcd4;}blockquote blockquote blockquote{ border-color: #43a047; color: #43a047;} table.grid{ border-collapse: collapse;} table.grid td, table.grid th { border: 1px solid #ddd;} .fr-fic.fr-dib{ display: block; margin: 5px auto;}.fr-fic.fr-dib.fr-fir{ text-align: right; margin: 5px 0 5px auto;}.fr-fic.fr-dib.fr-fil{ text-align: left; margin: 5px auto 5px 0;}.fr-fic.fr-dii{ float: none; margin: 5px auto;}.fr-fic.fr-dii.fr-fil{ float: left; margin: 5px auto;}.fr-fic.fr-dii.fr-fir{ float: right; margin: 5px auto;}img.fr-dib.fr-fir { margin-right: 0; text-align: right;}img.fr-dib.fr-fil { margin-left: 0; text-align: left;}img.fr-dib { margin: 5px auto; display: block; float: none;}img.fr-bordered { box-sizing: content-box; border: solid 5px #CCC;}img.fr-shadow { box-shadow: 10px 10px 5px 0px #cccccc;}img.fr-rounded { border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box;}</style><style>
</style><p><strong>In this guide we will cover:</strong></p><p><strong>- What is the Azure Sentinel Integration?</strong></p><p><strong>- Connecting Azure Sentinel to Halo </strong></p><p><strong>- Client Configuration</strong></p><p><strong>- Field Mappings</strong></p><p><strong>- Imports</strong></p><p><strong>- Sending Tickets and Updates to Sentinel</strong></p><p><strong>- Only Import Comments</strong></p><p><br></p><p><br></p><p><strong><span style="font-size: 14pt;">What is the Azure Sentinel Integration?</span></strong></p><p>The Azure Sentinel Integration allows a two-way sync of incidents between Halo and Azure Sentinel. Tickets can be created in Halo automatically for each incident logged in Sentinel. Similarly, tickets in Halo can be sent to (created in) Sentinel as incidents. The integration also supports the syncing of comments and closures between Halo tickets and Sentinel incidents: when a comment is logged in one system, it can be synced over to the ticket/incident in the other system, and when a ticket/incident is closed in one system the corresponding ticket/incident will be closed in the other. </p><p><br></p><p><strong><span style="font-size: 14pt;">Connecting Azure Sentinel to Halo <br></span></strong></p><p id="isPasted">To enable the Azure Sentinel Integration, head to Configuration > Integrations and enable the integration using the '+' icon.</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijc1ODg5NDM3LTQyOTQtNGI0OS05OGZkLWI2NzQ0ZGM4ZmUxMCJ9.vRoq3OOlZy6iR9HF1pTo68jq41_K_Nmf_u6I9lWQcH4" class="fr-fic fr-fil fr-dib" width="522" height="262"></p><p><strong><span style="font-size: 10pt;">Fig 1. Enabling the module.</span></strong></p><p><br></p><p>Once enabled, click into the module to begin configuration. </p><p><br></p><p>To begin, you will need to create a partner-managed Azure Application to authorise the connection between Halo and Azure Sentinel. 
</p><p><br></p><p>Head to the Azure portal (<a data-fr-linked="true" href="https://portal.azure.com/#home" id="isPasted">https://portal.azure.com/#home</a>) and create a new app registration. This will need to be a multi-tenanted application. You will also need to add a web redirect URI.</p><p><br></p><p id="isPasted">On versions prior to v2.200 the following redirect URI will need to be used:</p><ul><li id="isPasted"><a data-fr-linked="true" href="https://YOURHALODOMAIN/azure/auth">https://YOURHALODOMAIN/azure/auth</a></li></ul><p>On versions v2.200+ the following redirect URI will need to be used:</p><ul><li><a data-fr-linked="true" href="https://YOURHALODOMAIN/authcallback">https://YOURHALODOMAIN/authcallback</a></li></ul><p>The exact redirect URI you need can be found on the setup page for the integration in Halo.</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjZiOTM4NDY4LWUxM2MtNDYzMC1hYThjLThmNTRiZWI4MDdjYyJ9.16-a66FrhNW4co6aKLLAcTlkzao9MqczBSAmPjP0m7w" class="fr-fic fr-fil fr-dib" width="798" style="width: 800px; height: 509.795px;" height="510"></p><p><strong><span style="font-size: 10pt;">Fig 2. New Azure application.</span></strong></p><p><br></p><p><strong><span style="font-size: 10pt;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImRmMzk5MjE0LTFiNTQtNGRkNS05ZDk1LTZkOGQ1Y2M5ODdlYSJ9.7P4ujdhLHU5QjcxFvCVg-nVlJyNnkoTt-9KclX5nB5Q" class="fr-fic fr-fil fr-dib" width="685" style="width: 687px; height: 441.643px;" height="442"></span></strong></p><p><strong><span style="font-size: 10pt;">Fig 3. 
Redirect URI needed for Azure application.</span></strong></p><p><br></p><p>Once you have registered your application, you will need to give it the following permissions:</p><ul><li id="isPasted">Azure Service Management: user_impersonation (Delegated)</li><li>Log Analytics API: Data.Read (Delegated)</li><li>Graph API: offline_access (Delegated)</li></ul><p>The exact permissions needed can also be found on your integration setup page, as shown in figure 3. </p><p><br></p><p>Once permissions are set, generate a secret for the application (under the 'Certificates and Secrets' tab). Copy the secret value and paste it into the 'Azure Application Secret' field on the integration setup page in Halo. </p><p><br></p><p>You will also need to obtain your application (client) ID and tenant ID, and paste these into the respective fields on the integration setup page in Halo. </p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjdhM2YzNzAwLTNjOGMtNDRjNi05MDE0LTI4ZjMwYWYzZjNkMCJ9.PLdiP2-4n65RD19QnlJHtxqYpGxj6rCwDuHQwKArXe8" class="fr-fic fr-fil fr-dib" width="1235" style="width: 1237px; height: 374.798px;" height="375"></p><p><strong><span style="font-size: 10pt;">Fig 4. Application ID and tenant ID. </span></strong></p><p><br></p><p>Once these details are entered into Halo, save the page and you will have an option to 'Sign in with Microsoft'. A Sentinel Contributor will need to sign in here to finalise authorising the connection. </p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUzNzZmNzljLTFlODAtNGMxZS1iMWZhLWU4YTlkZmM3ZWYzYiJ9.5RpU2m5OLkpBCUIIPJtDCDM0XZfQMA98ay85AyTqWhs" class="fr-fic fr-fil fr-dib" width="711" style="width: 713px; height: 713px;" height="713"></p><p><strong><span style="font-size: 10pt;">Fig 5. 
Sign in with Microsoft.</span></strong></p><p><br></p><p>Once you have authorised, the 'Sign in with Microsoft' button will be replaced with a 'Disconnect from application' button. </p><p><br></p><p><strong><span style="font-size: 14pt;">Client Configuration</span></strong></p><p>After authorising, you will need to set the Sentinel details against each client in Halo that incidents will be created for. To do this, head to the settings tab of the relevant Client and expand the 'Azure Sentinel' section. </p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImZiYWI0NmE4LTllMTQtNDE0Ni04ZTYwLTJmNWNjZDhjMDc4MCJ9.II-ZWAVZ7NKrp5Oyc55rJfmaRL1DxBBe2RpaEfX_mvc" class="fr-fic fr-fil fr-dib" width="1120" style="width: 1122px; height: 541.183px;" height="541"></p><p><strong><span style="font-size: 10pt;">Fig 6. Sentinel configuration on a customer.</span></strong></p><p><br></p><p>The connection name refers to which Sentinel connection is used. The other fields can all be found in Azure and are needed to know where to pull incidents from in Sentinel. This client is the one tickets will be logged against in Halo for all incidents imported from this Sentinel instance. </p><p><br></p><p>If you are connecting multiple Sentinel instances, you will need to complete this setup for each client the instance relates to. </p><p><br></p><p><strong><span style="font-size: 14pt;">Field Mappings</span></strong></p><p>After authorising, head to the 'Field Mappings' tab. Here you can map Azure Sentinel fields to Halo fields to control which fields ticket/incident data is stored in when synced across. </p><p><br></p><p>Data in fields will be synced both when tickets/incidents are initially created and when they are updated with an action (provided the field is contained within the action). Action/comment syncing will be covered in more detail later on. 
</p><p><br></p><p><strong><span style="font-size: 12pt;">Ticket Field Mappings</span></strong></p><p>The fields shown in figure 7 are mandatory in order to allow tickets/incidents to be imported/exported between Sentinel and Halo. </p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImU5MWRjYzc0LWY2MDQtNDNlNS1hNjI1LTRiMTQ0ODg5MmMzYSJ9.E1KYhV8PbAEzNCisNPfA9mqfnlYd4aiK6ZdqfQxW2U4" class="fr-fic fr-fil fr-dib" width="823" style="width: 825px; height: 493.567px;" height="494"></p><p><strong><span style="font-size: 10pt;">Fig 7. Ticket field mappings.</span></strong></p><p><br></p><p><strong>Ticket Type for Sentinel Incidents -</strong> Choose the ticket type you would like Sentinel incidents to be logged with in Halo. You may wish to create a new ticket type dedicated to Sentinel alerts. </p><p><br></p><p><strong>Default Classification for closed Sentinel incidents -</strong> Choose the default Classification you would like Sentinel incidents to be given when the incident is closed from Halo. This provides a default, but you can set it each time you close the ticket if you have mapped the 'Classification' field to a Halo custom field. </p><p><br></p><p><strong>Default Classification Reason for closed Sentinel incidents -</strong> Choose the default Classification Reason you would like Sentinel incidents to be given when the incident is closed from Halo. This provides a default, but you can set it each time you close the ticket if you have mapped the 'Classification Reason' field to a Halo custom field. </p><p><br></p><p><strong>Default Sentinel Severity for closed Sentinel incidents - </strong>Choose the default Severity you would like Sentinel incidents to be given when the incident is closed from Halo. This provides a default, but you can set it each time you close the ticket if you have mapped the 'Severity' field to a Halo custom field. 
</p><p><br></p><p><strong>Priority Mappings</strong></p><p>Sentinel priorities can be mapped to Halo priorities to ensure the ticket in Halo is logged with the correct priority based on the Sentinel incident it was created from. This also applies when creating incidents in Sentinel from Halo and when syncing actions. </p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImU5ZThjYTRlLTA3NDMtNDkzMC1hODUzLTRiMTllMzgzMzY0NSJ9.ER2jSGpFsi7RkpI7YWGjbPNWoV9bNFluRI8p15titp8" class="fr-fic fr-fil fr-dib" width="1366" style="width: 1368px; height: 351.072px;" height="351"></p><p><strong><span style="font-size: 10pt;">Fig 8. Priority Mappings.</span></strong></p><p><br></p><p>When setting up mappings, simply add a row to the table, choose the Sentinel priority you would like to map and enter the Halo priority number this corresponds to. </p><p><br></p><p><strong><span style="font-size: 12pt;">Other Field Mappings</span></strong></p><p>Various Sentinel fields can be mapped to custom fields in Halo, allowing you to control which fields data is stored in when an incident/ticket is synced from one tool to the other. </p><p><br></p><p>To add a field mapping, simply add a row to the mappings table, then select the Sentinel field you would like to map and the Halo field this corresponds to. </p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjdlOTQzZjAzLWI3YTAtNDk5MS1iOTMwLTdiMzhhN2UxNmYzOSJ9.VuVj8iLadR1UWT8FJUiLHjiCSvG3cyc20YMHRHsKOpI" class="fr-fic fr-fil fr-dib" width="1333" style="width: 1335px; height: 678.529px;" height="679"></p><p><strong><span style="font-size: 10pt;">Fig 9. Field mappings.</span></strong></p><p><br></p><p>Sentinel fields can only be mapped to Halo custom fields, so you may wish to create some new custom fields dedicated to storing Sentinel data. 
</p><p><br></p><p>Make sure any fields you have mapped are present in the field list for the ticket type that is being used to log Sentinel incidents. </p><p><br></p><p><strong><span style="font-size: 14pt;">Imports</span></strong></p><p>Once field mappings are complete, head to the 'Imports' tab to begin configuring how data is imported. </p><p><br></p><p>The 'Import type' field allows you to determine how data is imported. </p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImQ1YTk4NWNjLWI3NDQtNDljNy05MmRlLTdkNDcyYzExZDJhZCJ9.n2Gn851q7PEGACwAXs_Sh6CeLxuqmdrogRq3M3xitaA" class="fr-fic fr-fil fr-dib" width="632" height="312"></p><p><strong><span style="font-size: 10pt;">Fig 10. Import Type options.</span></strong></p><p><br></p><p><strong>Halo Integrator -</strong> When chosen, incidents from Sentinel will be imported using the Halo Integrator, which runs an import on a set schedule: incidents will be imported every 15 minutes. Each run imports new incidents from Sentinel and creates these as tickets. Any comment updates on these incidents will also be imported each time the sync runs. </p><p><strong>Webhooks - </strong>When chosen, incidents from Sentinel will be imported and updated using webhooks. This will create a ticket in Halo as soon as an incident is raised in Sentinel, and any updates to incidents will also be synced to Halo almost instantly. Using this import type requires setting up webhooks in Sentinel. 
</p><p><br></p><p><strong><span style="font-size: 12pt;">Halo Integrator</span></strong></p><p>When this is chosen as the import type you will need to check 'Enable the Halo Integrator for the Azure Sentinel integration'.</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjNmMjU2ZDQyLWE4ZDYtNDFlMS1hZGYyLTRhN2M5MDQ1NDllOSJ9.zS48nQuPaDtEckQSRq2EkMa5RfYucJcWUFbvO_wiGP4" class="fr-fic fr-fil fr-dib" width="1081" style="width: 1083px; height: 659.179px;" height="659"></p><p><strong><span style="font-size: 10pt;">Fig 11. Enable the Halo Integrator for the Azure Sentinel integration. </span></strong></p><p><br></p><p>When enabled for the first time, this will import the last 7 days of Sentinel incidents. If it has previously run, it will import all incidents modified between the previous update time and now. </p><p><br></p><p>From then on, any incidents created in Sentinel will be created in Halo automatically each time the sync runs (every 15 minutes). This import will also pull in any new comments added in Sentinel that are not yet in Halo.</p><p><br></p><p>When importing incidents from Sentinel, the ticket created will attempt to match priority, status and assigned agent in Halo by name. The SLA assigned to the default ticket type will be used for priority matching. All other fields will be matched in line with the field mappings. </p><p><br></p><p><strong><span style="font-size: 12pt;">Webhooks</span></strong></p><p>When this is chosen you will need to configure webhooks in Azure Sentinel to create and update tickets in your Halo instance. You will need to be able to create Logic Apps and Sentinel Automations to do this.</p><p><br></p><p><strong><span style="font-size: 11pt;">Creating a Logic App in Microsoft Azure</span></strong></p><p><span style="font-size: 11pt;">Before you begin creating a Logic App, you will first need to obtain the authentication credentials for the webhook. The webhook will be authorised using basic auth. 
Under the 'Imports' tab on the integration setup page in Halo, enter a username and generate a password. </span></p><p><span style="font-size: 11pt;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjFlNDgzYzhiLTkxMzgtNDM3My04OWYwLTZhZjk3NGZkOTYzZSJ9.O6gm2BIgl97GAz1egojViHc95NamRI_nH-4h8w7ZJRg" class="fr-fic fr-fil fr-dib" width="1030" style="width: 1032px; height: 635.077px;" height="635"></span></p><p><strong><span style="font-size: 10pt;">Fig 12. Authentication credentials for webhook.</span></strong></p><p><br></p><p>Once you have a username and password, the pair 'username:password' will need to be Base64 encoded. Keep a note of the encoded value, as it will be used later.</p><p><br></p><p>Create a new Logic App in Microsoft Azure and select the Multi-tenant Consumption hosting option.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijk0YzExNmNiLTM0NDEtNDQ0ZS04NjgyLWM3YjliYTMxYjkyZiJ9.giAAgCK4-jKoyuLBtg0VRHhj2DTLvxwwrQxZm0sSFIE" width="1010" style="width: 1012px; height: 325.85px;" class="fr-fic fr-dii" height="326"></p><p><strong><span style="font-size: 10pt;">Fig 13. Creating a new logic app.</span></strong></p><p><br></p><p>Fill out the Project and Instance details.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImZmNGEzOGRkLWRjZmQtNGNiNi05NjMzLTZiMWU1MDQ5YThjNyJ9.q--Ah6y3BbU3sjYH3qCtnx5cWiGeFj0zRmja5REn68c" width="630" style="width: 632px; height: 550.779px;" height="551" class="fr-fic fr-dii"></p><p><strong><span style="font-size: 10pt;">Fig 14. 
Logic app details.</span></strong></p><p><br></p><p>Once your Logic App has been deployed, go to the Logic app designer section under the 'Development Tools' tab.</p><p><br></p><p>Add a trigger and select the “Microsoft Sentinel incident” option.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUwZWEzZGMyLTkwNDctNDU3Mi1iODU0LWRiYTA4YmVmYmFiZiJ9.AF4DvBIQhoMXvqr9vofeAxueMucgD8qAWC_255uzIQE" width="644" style="width: 646px; height: 314.325px;" height="314" class="fr-fic fr-dii"></p><p><strong><span style="font-size: 10pt;">Fig 15. Add a Trigger.</span></strong></p><p><br></p><p>Add a new step after the Sentinel trigger and search for “HTTP”:</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImQxYTZkMzBiLWUwY2MtNDM1NC04YWU3LTE4ZjFkZjI4NWE1YiJ9.ctowE2FG0DeuBWbZyGOc5bQEZLsZB1p6XubRCseLnu0" width="683" style="width: 685px; height: 264.77px;" height="265" class="fr-fic fr-dii"></p><p><strong><span style="font-size: 10pt;">Fig 16. Adding a step to a trigger.</span></strong></p><p><br></p><p>Fill out the HTTP action as follows:</p><p><br></p><p><strong>URI</strong>: https://YOURHALOURL/api/Notify/AzureSentinel</p><p><br></p><p><strong>Method</strong>: POST</p><p><br></p><p><strong>Headers</strong>: </p><ul><li>Key = <em>Authorization</em></li><li>Value = <em>“username:password”</em> <ul><li>This must be Base64 encoded (use the username entered in Halo and the password generated from Halo earlier)</li></ul></li></ul><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImFlMGY1NWUyLTJiMjItNDBiNS05ZmIwLTRhMWNiYjQ2NGQ2MCJ9.4onZtSL2ID9hSv0_rTRtzBqvgZ3h_77US2_75HtFQrw" class="fr-fic fr-fil fr-dib" width="610" style="width: 612px; height: 511.982px;" height="512"></p><p><strong><span style="font-size: 10pt;">Fig 17. 
Parameters.</span></strong></p><p><br></p><p>For the body, press the lightning icon to add objects from the previous step, choosing the body of the Sentinel trigger.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijk4NDQwOTBkLWM1N2YtNDk2Ny1iYzllLTlhNmE1NWZiZGYzOSJ9.n-ljCDW85MTHw_2RiDngy-UE1OdqjIzycXZc8GDQh7c" width="522" style="width: 524px; height: 124.762px;" height="125" class="fr-fic fr-dii"></p><p><strong><span style="font-size: 10pt;">Fig 18. Body.</span></strong></p><p><br></p><p>Save the Logic App.</p><p><br></p><p><strong><span style="font-size: 11pt;">Sentinel Automation Rules</span></strong></p><p>Navigate to the Microsoft Sentinel resource and select the “Automations” section under the “Configuration” group.</p><p><br></p><p>Create a new Automation rule for each of the following triggers:</p><ul><li>When incident is created</li><li>When incident is updated</li></ul><p><br></p><p>Add an action to “Run playbook” and choose the playbook (Logic App) that was made previously.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijc2MjkxZjg2LTRjZTktNGJjYi1hMDAwLWU1MDRiODUzMTg4MSJ9.EFBAnoT1IWCHE8Lt6YA1TBl9iSQ9ZtHgUTvZE5dMpd4" width="535" style="width: 537px; height: 371.769px;" height="372" class="fr-fic fr-dii"></p><p><strong><span style="font-size: 10pt;">Fig 19. Creating an automation rule.</span></strong></p><p><br></p><p>Save the automation rules.</p><p><br></p><p>Now, whenever a Sentinel incident is created or updated, the playbook will send a request to the Halo API and create/update a ticket in Halo.</p><p><br></p><p id="isPasted">When created, incidents from Sentinel will attempt to match priority, status and assigned agent in Halo by name. The SLA assigned to the default ticket type will be used for priority matching. All other fields will be matched in line with the field mappings. 
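The webhook exchange set up above, as an added example (not Halo's or Microsoft's code): it builds the request the Logic App's HTTP action sends to the notify endpoint, with the Authorization value the guide specifies, and shows the check a receiving endpoint performs on that credential. Assumptions: YOURHALOURL is the guide's placeholder, the incident body is a constructed sample rather than the real Sentinel trigger schema, and the receiver accepts both the bare Base64 value the guide specifies and the RFC 7617 'Basic <base64>' form.

```python
"""Added example: the Logic App -> Halo webhook call and its credential check.

Not Halo's or Microsoft's code. YOURHALOURL is the guide's placeholder; the
incident body is a constructed sample, not the real Sentinel trigger schema.
"""
import base64
import hmac
import json

NOTIFY_PATH = "/api/Notify/AzureSentinel"  # endpoint named in the guide

# Constructed sample of what the Sentinel trigger might hand to the HTTP action.
SAMPLE_INCIDENT = {
    "incidentNumber": 1042,
    "title": "Suspicious sign-in from unfamiliar location",
    "severity": "High",
    "status": "New",
}


def basic_credential(username: str, password: str) -> str:
    """Base64 of 'username:password': the Authorization header value the guide
    tells you to enter in the Logic App HTTP action."""
    raw = f"{username}:{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def build_notify_request(halo_url: str, username: str, password: str,
                         incident: dict) -> dict:
    """The playbook's call: POST to https://YOURHALOURL/api/Notify/AzureSentinel
    with the credential header and the trigger body as JSON."""
    return {
        "method": "POST",
        "uri": halo_url.rstrip("/") + NOTIFY_PATH,
        "headers": {
            "Authorization": basic_credential(username, password),
            # Assumed; the guide sets no explicit Content-Type.
            "Content-Type": "application/json",
        },
        "body": json.dumps(incident),
    }


def verify_authorization(header_value, username: str, password: str) -> bool:
    """Receiver-side check of the credential. Decodes the header value, then
    compares in constant time so a wrong guess is rejected without a timing
    side channel. Malformed or non-UTF-8 values are rejected, not raised."""
    if not header_value:
        return False
    token = header_value.strip()
    if token[:6].lower() == "basic ":  # RFC 7617 form; guide uses the bare value
        token = token[6:].strip()
    try:
        presented = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = f"{username}:{password}"
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    req = build_notify_request("https://YOURHALOURL", "halo-webhook", "s3cret",
                               SAMPLE_INCIDENT)
    print(req["method"], req["uri"])
    print("receiver accepts:",
          verify_authorization(req["headers"]["Authorization"],
                               "halo-webhook", "s3cret"))
```

Because the credential travels in every request the playbook makes, the URI must stay HTTPS as the guide shows it, and the generated password should be rotated from the Imports tab if it is ever exposed.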
</p><p><br></p><p><strong><span style="font-size: 12pt;">See if a Ticket is made from Sentinel</span></strong></p><p>When a ticket in Halo has been created from Sentinel, the Sentinel incident ID will be visible against the ticket in Halo, with a link to open the incident in Sentinel. </p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjQyMjQ1Y2E1LTdkMjktNDkxOS05MTg4LWJhMWFjZmRlZjkyMSJ9.VnRLUmmGFPtSZ4qApg49XTQkbtjPsD2vNoVIibff6UA" class="fr-fic fr-fil fr-dib" width="986" style="width: 988px; height: 629.299px;" height="629"></p><p><strong><span style="font-size: 10pt;">Fig 20. Sentinel incident ID against ticket in Halo. </span></strong></p><p><br></p><p>If you have created an incident in Sentinel from the ticket in Halo, the Sentinel ID will also show once the Sentinel incident is created. </p><p><br></p><p><strong><span style="font-size: 14pt;">Sending Tickets and Updates to Sentinel</span></strong></p><p><span style="font-size: 11pt;">Tickets in Halo can be sent to and created in Sentinel. Actions and updates to tickets in Halo can also be sent to Sentinel; this includes notes (which will be added to a Sentinel incident as a comment) and closures. </span></p><p><br></p><p><strong><span style="font-size: 12pt;">Syncing Comments</span></strong></p><p>Notes on tickets in Halo that are added using actions can be synced to the linked Sentinel incident as comments. To do this you will need to configure an action that is set to sync to Sentinel. The action will need:</p><ul><li>System use - No system Use</li><li>Field - Sync to Azure Sentinel</li></ul><p><br></p><p>To configure an action to sync to Sentinel, head to Configuration > Tickets > Actions and select the action you would like to sync. The action will need the field 'Sync to Azure Sentinel' in its field list. This will allow agents to toggle whether the action syncs to Sentinel or not. 
</p><p><br></p><p>The 'Sync to Azure Sentinel' field will also need to be added to the field list of the ticket type. This field can be defaulted to on or off using the setting 'Sync to Azure Sentinel', found under the defaults tab of the ticket type. </p><p><br></p><p>Ensure the action also contains any other fields you would like to be synced, including any mapped custom fields. </p><p><br></p><p>If you would like to sync a comment, ensure the 'Note' field is also on the action. Only text in the 'Note' field will be added to a Sentinel incident as a comment. </p><p><br></p><p>The action shown in figure 21 will sync a comment to Sentinel. </p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImMxNjllNzY1LTFkZGEtNDBhNy1iMzJlLWUyODdhMGU2ZDY1ZiJ9.KgudALhU0yY5xV4GIIqn-qpw5fzDU_mSmTeE5KwdFGU" class="fr-fic fr-fil fr-dib" width="1325" style="width: 1327px; height: 393.25px;" height="393"></p><p><strong><span style="font-size: 10pt;">Fig 21. Action to sync comment to Sentinel. </span></strong></p><p><br></p><p>The agent that adds the action in Halo will not be carried over to Sentinel. Instead, when the comment is added in Sentinel it will appear to have been added by the agent who authorised the connection between Halo and Sentinel for that tenant. If you have multiple Sentinel tenants set up, the agent who authorised the applicable tenant will appear as the agent who added the comment. </p><p><br></p><p><strong><span style="font-size: 12pt;">Syncing Closures</span></strong></p><p>Actions in Halo can also sync to incidents in Sentinel as closure actions. For an action to sync as a closure action rather than a comment, the action must change the status of the ticket to closed. 
</p><p><br></p><p>You will also be able to add the fields 'Azure Sentinel Classification' and 'Azure Sentinel Classification Reason', which allow you to set the classification and classification reason the incident in Sentinel will be updated with when closing. These fields must work as a matching pair in Sentinel, e.g. Classification Undetermined should only be used with Reason N/A.</p><p><br></p><p>The action shown in figure 22 is configured to close a ticket in Halo and have this closure sync to Sentinel. When the 'Status' field is set to a closed status, this will close the incident in Sentinel. </p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjBiMTQ3NTI4LTFlZGItNGU0MC1iYzZiLTRlNTNiM2ZhNDU1NSJ9.roYFMQFmboJsQCg-oRvFuxRqQDKCeWQQK0X9EHUpqQY" class="fr-fic fr-fil fr-dib" width="1315" style="width: 1317px; height: 512.6px;" height="513"></p><p><strong><span style="font-size: 10pt;">Fig 22. Example closure action field list.</span></strong></p><p><br></p><p><strong><em>Note: You do not need to close tickets in Halo using an action for this to sync to Sentinel. As soon as the ticket's status is changed to closed, this will update the incident in Sentinel. </em></strong></p><p><br></p><p>It is important to ensure the Azure Sentinel Classification and Azure Sentinel Classification Reason match the values allowed by Microsoft. 
These combinations are outlined by Microsoft <a href="https://learn.microsoft.com/en-us/azure/sentinel/investigate-cases" target="_blank" rel="noopener noreferrer">here</a>, and below:</p><ul><li id="isPasted">True Positive - suspicious activity</li><li>Benign Positive - suspicious but expected</li><li>False Positive - incorrect alert logic</li><li>False Positive - incorrect data</li><li>Undetermined</li></ul><p><br></p><p><strong><span style="font-size: 12pt;">Create an incident in Sentinel from Halo</span></strong></p><p>To have a ticket in Halo create an incident in Sentinel, you will need to complete an action on the ticket that contains the field 'Sync to Azure Sentinel' with this field checked. You could create a new action just to sync the ticket across, or you could use an action that syncs comments too.</p><p><br></p><p>As soon as the action is used in Halo, the incident will be created in Sentinel. </p><p><br></p><p><strong><span style="font-size: 14pt;">Only Import Comments </span></strong></p><p>If you would only like comments to sync between Halo and Sentinel and prevent new tickets/incidents being created, you can enable the option to 'Only import comments from Azure Sentinel'. </p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjBiOTk1NmNhLTRlMmEtNGFlZC05NmUzLWFmNDdjZTNkMDdjMSJ9.P1t2sZ_-jy7DjjWOLtIMf0qt4-162SjZAoRvUWfEsOk" class="fr-fic fr-fil fr-dib" width="993" style="width: 995px; height: 612.617px;" height="613"></p><p><strong><span style="font-size: 10pt;">Fig 23. Only import comments. </span></strong></p><p><br></p><p>When enabled, new tickets will not be made in Halo from Sentinel; only comments will be pulled in. This is used when you would always like to raise incidents in Halo (and send these to Sentinel manually) but comments are added in Sentinel, so you would like these to be imported. </p><p><br></p>
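A pre-sync check for the closure classification pairs listed under Syncing Closures above, as an added example (not Halo's or Microsoft's code): it validates the 'Azure Sentinel Classification' / 'Azure Sentinel Classification Reason' pair a closure carries against that list, treats the guide's 'N/A' as no reason, and builds the incident properties the closure maps to. Assumptions: the display names are the ones the guide lists, and the API enum names are those of the Microsoft Sentinel incidents REST API; Halo's own field names are not modelled.

```python
"""Added example: validate a Sentinel closure classification / reason pair.

Not Halo's or Microsoft's code. Display names follow the guide's list; API
enum names are assumed from the Microsoft Sentinel incidents REST API.
"""

CLASSIFICATIONS = {
    "True Positive": "TruePositive",
    "Benign Positive": "BenignPositive",
    "False Positive": "FalsePositive",
    "Undetermined": "Undetermined",
}
REASONS = {
    "suspicious activity": "SuspiciousActivity",
    "suspicious but expected": "SuspiciousButExpected",
    "incorrect alert logic": "IncorrectAlertLogic",
    "incorrect data": "InaccurateData",
}
# Allowed pairs exactly as the guide lists them; Undetermined takes no reason.
ALLOWED_PAIRS = {
    "True Positive": {"suspicious activity"},
    "Benign Positive": {"suspicious but expected"},
    "False Positive": {"incorrect alert logic", "incorrect data"},
    "Undetermined": set(),
}
# Spellings of "no reason" an agent might type into the Halo custom field.
NO_REASON = {"", "n/a", "na", "none"}


def normalise_reason(reason):
    """Map blank / 'N/A' spellings to None, otherwise a lower-cased reason."""
    if reason is None:
        return None
    text = reason.strip().lower()
    return None if text in NO_REASON else text


def validate_closure(classification, reason):
    """Return (ok, message); ok is True only for a pair Sentinel will accept."""
    name = (classification or "").strip()
    if name not in CLASSIFICATIONS:
        return False, f"unknown classification {classification!r}"
    wanted = normalise_reason(reason)
    allowed = ALLOWED_PAIRS[name]
    if wanted is None:
        if allowed:
            return False, f"{name} needs a reason, one of {sorted(allowed)}"
        return True, "ok"
    if wanted not in allowed:
        if not allowed:
            return False, f"{name} must be used with reason N/A, not {reason!r}"
        return False, (f"{reason!r} is not a valid reason for {name}; "
                       f"expected one of {sorted(allowed)}")
    return True, "ok"


def closure_properties(classification, reason):
    """Incident properties for an accepted closure; raises ValueError otherwise."""
    ok, message = validate_closure(classification, reason)
    if not ok:
        raise ValueError(message)
    props = {
        "status": "Closed",
        "classification": CLASSIFICATIONS[classification.strip()],
    }
    wanted = normalise_reason(reason)
    if wanted is not None:
        props["classificationReason"] = REASONS[wanted]
    return props


if __name__ == "__main__":
    for pair in [("False Positive", "incorrect data"),
                 ("Undetermined", "N/A"),
                 ("Undetermined", "incorrect data")]:
        print(pair, "->", validate_closure(*pair))
```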