SentinelOne Integration
<p><strong>In this guide we will cover:</strong></p><p><strong>- What is the SentinelOne integration?</strong></p><p><strong>- How to connect to SentinelOne</strong></p><p><strong>- Import customers from SentinelOne</strong></p><p><strong>- Import Endpoints (Assets) from SentinelOne</strong></p><p><strong>- Syncing alerts&nbsp;</strong></p><p><strong>- Outbound Request tab</strong></p><p><br></p><p><br></p><p><strong><span style="font-size: 14pt;">What is the SentinelOne Integration?</span></strong></p><p>The SentinelOne integration allows you to import customers, sites and endpoints (assets) from SentinelOne into Halo. 
Alerting is also supported: alerts and threats in SentinelOne can create tickets in Halo, alerts/threats can be updated from Halo, and when the respective ticket is closed in Halo the alert in SentinelOne is resolved.&nbsp;</p><p><br></p><p>This integration is multi-tenanted, allowing you to connect multiple SentinelOne instances to a single Halo instance.&nbsp;</p><p><br></p><p><strong><span style="font-size: 14pt;">How to connect to SentinelOne</span></strong></p><p>First head to Configuration &gt; Integrations and enable the SentinelOne integration module. Once enabled, click into the integration module and create a new tenant to begin configuring the connection.&nbsp;</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY4NGNhODYzLWUxMjQtNDdmMy1hZWFlLTc1ZWY2M2U4N2UzMCJ9.fN7H8PGSZbOcBQppa4nFLA-JKqo5fYBufCSOQwXXNn8" class="fr-fic fr-fil fr-dib" width="291" height="144"></p><p><strong><span style="font-size: 10pt;">Fig 1. Enable integration module</span></strong></p><p><br></p><p>Under the details tab you will need to enter the URL of your SentinelOne instance along with an API Token.&nbsp;<img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjMzZWZhMzc2LTE2ZTItNGZhYy1hZTdlLWI0MjE2MjRhNzVkYiJ9.BjcSRtwshg3oJXtuPCJFRKnLSJJivUG46Ko8pWt04-U" class="fr-fic fr-fil fr-dib" width="902" height="308"></p><p><strong><span style="font-size: 10pt;">Fig 2. Connection details for SentinelOne</span></strong></p><p><br></p><p>The URL will be the URL you use to access your SentinelOne instance.</p><p><br></p><p>There are two ways an API token can be generated in SentinelOne: from a console user account or from a service user account.</p><p><br></p><p>If you generate the token from a console user account, the token will expire after 31 days. This means a new token will need to be generated (and updated in Halo) every 30 days. 
Regenerating the API token every 30 days is recommended for security purposes.&nbsp;</p><p><br></p><p>The token can also be generated from a service user account. When generating it this way you can choose the lifetime of the token, so it does not need to be regenerated as often. To do this you will need to create a new service user in SentinelOne.&nbsp;</p><p><br></p><p><strong><span style="font-size: 12pt;">Generate API token from console User</span></strong></p><p>Head into your SentinelOne management console &gt; select your user profile in the top right &gt; actions &gt; API Token Operations &gt; select &#39;Generate API token&#39;, then copy this token to the clipboard. If you have previously generated a token the button will be titled &#39;Regenerate API token&#39;. Navigate back to Halo and paste the token into the &#39;API Token&#39; field.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjkxNjI2NWFlLTEzNGUtNDUwMC1hMzdkLTk1ZTRmZjUyZjhkOSJ9.Vzoepuh4exrUAEFJ0hM2FfMRncSf3RGLMdkR6Z9K_hQ" class="fr-fic fr-fil fr-dib" width="738" style="width: 740px; height: 509.479px;" height="509"></p><p><strong><span style="font-size: 10pt;">Fig 3. 
Generate API token from console user</span></strong></p><p><br></p><p><strong><em>Note: The user logged in and generating the token must have Admin-level access.&nbsp;</em></strong></p><p><br></p><p><strong><span style="font-size: 12pt;">Generate API token from service User</span></strong></p><p>Head into your SentinelOne management console &gt; Settings &gt; Users &gt; Service users &gt; Actions &gt; Create New Service User.&nbsp;</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjhjMDRjZWM2LTU5NWUtNGJlMy1iMWU2LWM3MjEwOGVkMDRmNyJ9.euaWrDzOBLuk5BuQSCfJJc2to1vb8UcKS6XLR8T095s" class="fr-fic fr-fil fr-dib" width="965" style="width: 967px; height: 567.1px;" height="567"></p><p><strong><span style="font-size: 10pt;">Fig 4. Create new service user in SentinelOne</span></strong></p><p><br></p><p>When creating the service user you can set the expiry date of the user, this will determine when the token generated from this user will expire.&nbsp;</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImQ0ODQzYjE5LTk4NjEtNGU3MC1hYTRjLWI3NmUwMzkzNTc4MyJ9.-qYq0filJpWT4mrtWPWZ6JXs8gAK_pSWGBtd-AgEFPg" class="fr-fic fr-fil fr-dib" width="568" style="width: 570px; height: 548.826px;" height="549"></p><p><strong><span style="font-size: 10pt;">Fig 5. 
Create new service user in SentinelOne</span></strong></p><p><br></p><p>The service user will need &#39;Account&#39; scope of access and you will need to assign the user a role that has access to view all your endpoints, agents and accounts as well as create/edit/resolve alerts.&nbsp;</p><p><br></p><p><strong><em>Note: The permissions of the service user will be given to Halo therefore if the service user does not have permission to view certain endpoints Halo will not be able to import these endpoints as assets.</em></strong></p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjYyM2UxMzdkLTU3ZTQtNDE5NS04NDdkLWQ3MTdiNWQyNjAxMCJ9.-ZVhVVfENAIOf9fM7BHknUpxpobGqMrdDS2EezbXAEY" class="fr-fic fr-fil fr-dib" width="479" style="width: 481px; height: 631.529px;" height="632"></p><p><strong><span style="font-size: 10pt;">Fig 6. Scope of access for service user</span></strong></p><p><br></p><p>Once you have given the service user the correct access hit &#39;Create User&#39;, a pop-up window will now appear containing the API token for the user. Copy and paste this token into Halo.&nbsp;</p><p><br></p><p>Once the details are entered save these, the &#39;Test Configuration&#39; button can be used to confirm you have connected successfully.&nbsp;</p><p><br></p><p><strong><span style="font-size: 14pt;">Import/Map Customers from SentinelOne</span></strong></p><p>SentinelOne accounts or sites can be mapped to Halo customers, this allows assets to be assigned to the correct customer/site in Halo when imported. This also allows for alerts/threats to be assigned to the respective customer/site when a ticket is created for the alert/threat in Halo. This also allows for changes to accounts in SentinelOne to be synced to Halo and update the mapped customer. 
Customer updates/syncing will only occur when sites/customers are imported manually using the &#39;Import Customers&#39; and &#39;Import Sites&#39; buttons under the &#39;Customers&#39; tab.&nbsp;</p><p><br></p><p>The option to map SentinelOne sites to a Halo customer is available. Mappings can be done in this way when your SentinelOne instance is organised so that each customer is represented by a &#39;site&#39; in SentinelOne, with each site under a single customer.&nbsp;</p><p><br></p><p id="isPasted">To create customer mappings head to the &#39;Customers&#39; tab, where you will see the customer and site mappings table.</p><p><br></p><p>First you will need to choose the &#39;Customer/Site Matching Method&#39;:</p><ul><li><strong>SentinelOne Account to Halo Customer</strong> - Use this method when you have a SentinelOne account per customer.&nbsp;</li><li><strong>SentinelOne Site to Halo Customer&nbsp;</strong>- Use this method when you have a single SentinelOne account that contains a site for each customer.&nbsp;</li></ul><p><strong><em>Note: When using the &#39;SentinelOne Site to Halo Customer&#39; method, imported assets will be created under the main site of the Halo customer that the SentinelOne site is mapped to. You will not be able to choose which Halo site they are created under.&nbsp;</em></strong></p><p><br></p><p>If you already have customers and sites set up in your Halo instance you will need to map each SentinelOne account/site to its respective Halo customer/site.</p><p><br></p><p>If you do not have your customers/sites set up in Halo you can import them from SentinelOne using the &#39;Import Customers&#39; and &#39;Import Sites&#39; buttons; customers must be imported before sites. 
When a customer/site has been imported it will automatically be added to the mappings table.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjExZDQ2NmY2LTljZDctNGU5Yy1iNjM3LTI4M2NkYWQ5ODdmMiJ9.zYSUIYTr17ev3fMlXJXUpICPMZOF8sOVq0HHXnf2mKw" class="fr-fic fr-fil fr-dib" width="1181" style="width: 1183px; height: 543.191px;" height="543"></p><p><strong><span style="font-size: 10pt;">Fig 7. Import customers</span></strong></p><p><br></p><p><strong><span style="font-size: 14pt;">Import Endpoints&nbsp;(Assets)</span></strong></p><p>Endpoints from SentinelOne can be imported into Halo as assets. Head to the &#39;Assets&#39; tab to begin configuring the import.&nbsp;</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY4OGE1NjNmLTdiNzYtNDgxOC1hYTgwLTc1N2FlNjBmNjFjNiJ9.xywFgnBdAprqENGCjzhfwxd9eVadXOGswU8Peg9-n-w" class="fr-fic fr-fil fr-dib" width="1214" style="width: 1216px; height: 696.31px;" height="696"></p><p><strong><span style="font-size: 10pt;">Fig 8. Asset import configuration</span></strong></p><p><br></p><p id="isPasted"><strong>Asset matching Field</strong> - Here you can set which field is used to match assets in SentinelOne to assets in Halo. The asset unique identifier field should be selected here.&nbsp;</p><p><strong>Default Site</strong> - Here you will need to set the site that assets will be created under if they cannot be matched to a Halo site.&nbsp;</p><p><br></p><p>The site the asset is imported to will be determined by the customer/site mappings configured earlier. The site the endpoint is assigned to in SentinelOne will be checked: if there is a mapping for this site, the asset will be created under the mapped Halo site. 
If no mapping exists the asset will be created under the chosen default site.&nbsp;</p><p id="isPasted"><br></p><p><strong>Don&#39;t update the asset site for existing or matched assets</strong> - When this setting is enabled assets will be imported to a site in line with the site mappings, but after the initial import their site will not change. This allows you to change the endpoint site in SentinelOne without this changing the site of the asset in Halo.&nbsp;</p><p><br></p><p><strong><span style="font-size: 12pt;">Asset Fields</span></strong></p><p>Mappings can be configured to ensure data from SentinelOne fields are imported into a chosen Halo field. Create a mapping by adding to the &#39;Field mappings&#39; table.&nbsp;</p><p><br></p><p><strong>Field Type</strong> - This will be the type of Halo field the data will be imported into. See our guide on <a data-fr-linked="true" href="https://usehalo.com/haloitsm/guides/1785/" id="isPasted" target="_blank" rel="noopener noreferrer"><strong>Asset Fields</strong></a> if you are unsure on the difference between asset fields and custom fields in Halo.&nbsp;</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjVmNmJkZmI1LTBkYjAtNDdlMy1iNjRjLTVhZWU0M2UwYjMwYyJ9.R2u3recTZ2TR_e5VpxxX2w_R7ZCEEuuan2FH7yOO0Dg" class="fr-fic fr-fil fr-dib" width="1218" style="width: 1220px; height: 508.815px;" height="509"></p><p><strong><span style="font-size: 10pt;">Fig 9. Asset field mappings</span></strong></p><p><br></p><p id="isPasted"><strong><span style="font-size: 12pt;">Determine an Asset&#39;s type</span></strong></p><p>When assets are imported from SentinelOne a new asset in Halo will be created, as SentinelOne does not have a concept of &#39;asset types&#39; we will need to configure how the type of new assets created from SentinelOne are determined. 
This is done using the &#39;Determining an Asset&#39;s type&#39; field.&nbsp;</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjI2YmY1NDY1LWMxNzYtNDVjMy04OTBlLTdjYTc4ZmY2OGY5OSJ9.H624YfNUiPKQHD-W6NmKfwcOUnyUUhic5pLzqjplK58" class="fr-fic fr-fil fr-dib" width="460" style="width: 462px; height: 196.778px;" height="197"></p><p><strong><span style="font-size: 10pt;">Fig 10. &#39;Determining an Asset&#39;s type&#39; field</span></strong></p><p><br></p><p><strong>Use the same type for all Assets</strong></p><p>If you would like all imported assets to have the same asset type, set the &#39;Determining an Asset&#39;s type&#39; field to &#39;use the same type for all Assets&#39;, then set the &#39;Default Asset Type&#39; field to the asset type you would like assets from SentinelOne to have. In the figure 11 example all assets will be created as &#39;Application service&#39; asset types.&nbsp;</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjQzOWM5NjU0LTdiM2EtNDRjYi05Y2Y1LTFlNjM1MDZhZTk5ZiJ9.Gkm_MJ0EfBO7H4OHcuOmkpaVbgQg0oY4gY-6V3_jz0U" class="fr-fic fr-fil fr-dib" width="1120" style="width: 1122px; height: 515.357px;" height="515"></p><p><strong><span style="font-size: 10pt;">Fig 11. Use the same type for all assets example</span></strong></p><p><br></p><p><strong>Use a field to determine each Asset&#39;s type</strong></p><p>If you would like all imported assets&#39; types to be determined by a particular field, set the &#39;Determining an Asset&#39;s type&#39; field to &#39;Use a field to determine each Asset&#39;s type&#39;. This setting is used if you have a field in SentinelOne that already determines an asset&#39;s type and you would like the types to be consistent between Halo and SentinelOne. 
Then in &#39;Field for determining an Asset&#39;s type&#39; choose the field you would like the type to depend on. The field you choose must contain the name of the desired asset type. If this name can be matched to an existing asset type in Halo, the asset will be assigned this asset type. If the name is not the same as an asset type in Halo, a new asset type will be created. Note that the names must be identical in order to match. You will still need to populate the default asset type and group fields, as assets that do not have the selected field populated will be imported as the default asset type. New asset types created by SentinelOne will be created under the default asset group.&nbsp;</p><p><br></p><p>In the figure 12 example new assets will be assigned to an asset type in Halo based on their &#39;machineType&#39; field. If the data in the machineType field matches the name of an asset type in Halo this asset will be created under the matched asset type. If a match cannot be made a new asset type will be created, under the asset group &#39;Network Equipment&#39;. If the asset does not have the &#39;machineType&#39; field populated the asset will be created under the default asset type, &#39;Application Server&#39;.&nbsp;</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImFkY2IyNTVhLWZkNDQtNGRhOS05ZWZlLTQ2NGY4YTFjYjBlOCJ9.nRyT9yyQUQYfeGDRGQdzL63EovQalH16nl0VUwju46M" class="fr-fic fr-fil fr-dib" width="1183" style="width: 1185px; height: 621.254px;" height="621"></p><p><strong><span style="font-size: 10pt;">Fig 12. Using field to determine asset&#39;s type example</span></strong></p><p><br></p><p><strong>Determine Asset type using rules</strong></p><p>If you would like asset types to be determined by asset rules, set the &#39;Determining an Asset&#39;s type&#39; field to &#39;Determine asset type using rules&#39;. 
A table will now appear in which you can set asset types based on rules. These rules are based on field values and, if matched, will assign an asset to the chosen asset type. When creating a rule, first add criteria for the rule: select the Halo field that you would like to base the criteria on, then set the rule type and the outcome needed in the field to match the rule. If an asset matches this rule it will be imported as this asset type.</p><p><br></p><p>When adding an asset type rule you will notice the option &#39;Determine Asset Type using a field&#39;. When this is selected you can choose a SentinelOne field, and an asset type will be created using the data within this SentinelOne field. If this field matches the name of an existing Halo asset type the asset will be created under this type, otherwise a new asset type will be created. This works in the same way as when &#39;Use a field to determine each Asset&#39;s type&#39; is selected in the &#39;Determining an Asset&#39;s type&#39; field. This is available as an additional rule because more rules can be configured for assets that do not have this field or have data in this field. That is, some asset types can be determined based on a field, while for other assets that do not use this field the type can be determined by other rules or another field.&nbsp;</p><p><br></p><p>If an asset is imported that does not match any of these rules, it will be created under the default asset type.&nbsp;</p><p><br></p><p><strong><span style="font-size: 12pt;">Miscellaneous settings</span></strong></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjRkZWIyM2FlLTdmNGEtNDE0NC04MjgyLWQ5YzA2NzZlMTZkYSJ9.MpN20Jpa-hiMjwBl3zJ5z0zoRh1j7kb2QlCE-Yyp9Xc" class="fr-fic fr-fil fr-dib" width="630" height="234"></p><p><strong><span style="font-size: 10pt;">Fig 13. 
Miscellaneous settings for asset imports</span></strong></p><p><br></p><p><strong>Don&#39;t create new Assets</strong> - When enabled, assets will only be updated; no new assets will be created by SentinelOne.</p><p><strong>Status of New Assets</strong> - This determines the status assets will have when imported from SentinelOne.</p><p><strong>Deactivate Assets in Halo when they are deleted from SentinelOne (Halo Integrator only)</strong> - When enabled, assets will be deactivated in Halo (status change to &#39;Inactive&#39;) when they are deleted in SentinelOne. This setting works in conjunction with the Halo integrator, and assets will only be disabled when a sync runs using the integrator.&nbsp;</p><p><br></p><p><strong><span style="font-size: 12pt;">Import/update assets on a schedule</span></strong></p><p>To have assets imported/updated on a recurring schedule head to the &#39;Syncing&#39; tab and enable &#39;Enable the Halo Integrator for the SentinelOne integration&#39;. Once enabled, ensure &#39;Assets&#39; is selected in the following field. The integrator will run daily for asset updates.&nbsp;</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjNkYzNiMTUzLTZiYTItNGM0My04OGFiLWRiNTM5ZGQyZjA4MiJ9.2gttlOOH7lFRTfziZjqODJSgMgOsc-Ay2uhZgO3dQBE" class="fr-fic fr-fil fr-dib" width="944" style="width: 946px; height: 491.066px;" height="491"></p><p><strong><span style="font-size: 10pt;">Fig 14. 
Enable asset syncing&nbsp;</span></strong></p><p><br></p><p><strong><span style="font-size: 14pt;">Alerting</span></strong></p><p>Alerts and threats raised in SentinelOne can log tickets in Halo, allowing technicians to manage these alerts and threats from Halo.&nbsp;</p><p><br></p><p>To configure how these tickets are created head to the &#39;Syncing&#39; tab.&nbsp;</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImI0ZjIzNWNkLWZkNjQtNDQ5MS1iMGFkLWFjZmRhNzQ0MmJmNiJ9.UK3cwjZe_R1yiEl6DQ2ETcaW8SfwrnE5qEj22JqkuH0" class="fr-fic fr-fil fr-dib" width="1011" style="width: 1013px; height: 580.442px;" height="580"></p><p><strong><span style="font-size: 10pt;">Fig 15. Syncing tab</span></strong></p><p><br></p><p>In the &#39;Halo Ticket Type&#39; field choose the Halo ticket type you would like to be created for alerts and threats (you may wish to create a new ticket type for this). Many defaults for the alert/threat ticket that is logged, such as team, SLA and priority, will be taken from the ticket type chosen here. However, if the severity of the alert in SentinelOne has a name that matched&nbsp;</p><p><br></p><p>In the &#39;Halo User&#39; field choose the user you would like these tickets to be assigned to. It is best to choose a generic user here, then the alert/threat can be assigned to the affected user either manually or using ticket rules. See our guide on ticket rules <a data-fr-linked="true" href="https://usehalo.com/haloitsm/guides/1923/" id="isPasted" target="_blank" rel="noopener noreferrer"><strong>here</strong></a>.</p><p><br></p><p>To enable the sync of alerts and threats, enable the Halo integrator for the integration and ensure &#39;Alerts&#39; and/or &#39;Threats&#39; are selected in the &#39;entities to sync&#39; field. Alerts and Threats will be imported on a separate schedule to assets and will be synced more frequently than assets. 
These should be on a separate schedule automatically, but if, when enabling alerts, these seem to be syncing on the same schedule as your assets, contact our support team so we can have these moved to separate schedules.&nbsp;</p><p><br></p><p>Now when a threat and/or alert is raised in SentinelOne a ticket will be logged in Halo. Technicians can work on the ticket in Halo and sync updates on the alert/threat back to SentinelOne. When the threat/alert is resolved and the technician closes the ticket in Halo the alert/threat in SentinelOne will be marked as resolved.&nbsp;</p><p><br></p><p><strong>Alert severity/priority&nbsp;</strong></p><p>Alerts/Threats imported from SentinelOne will have their severity checked when being imported. If the severity matches the name of a priority in Halo the ticket will be created with this priority. If they cannot be matched the default priority of the ticket will be used.&nbsp;</p><p><br></p><p><strong><span style="font-size: 14pt;">Outbound Requests Tab</span></strong></p><p>Under the &#39;Outbound Requests&#39; tab you will be able to see a log of each request sent from Halo to SentinelOne. This will include alert/threat updates and closures. A log can be selected to show more detail.&nbsp;</p>
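<p>The site and asset type decisions described under &#39;Import Endpoints (Assets)&#39; and &#39;Determine an Asset&#39;s type&#39;, modelled as an added example (not Halo&#39;s or SentinelOne&#39;s code) so a configuration can be dry-run against constructed endpoints before a real import. The class and function names, the siteName and computerName keys, the site and group names other than &#39;Network Equipment&#39;, and the equality-only rules are assumptions; machineType is the field used in the Fig 12 example.</p>

```python
from dataclasses import dataclass, field


@dataclass
class ImportConfig:
    site_map: dict             # SentinelOne site -> Halo site (customer/site mappings)
    default_site: str          # 'Default Site'
    keep_existing_site: bool   # 'Don't update the asset site for existing or matched assets'
    type_mode: str             # "same" | "field" | "rules"
    default_type: str          # 'Default Asset Type'
    default_group: str         # default asset group for newly created types
    type_field: str = ""       # 'Field for determining an Asset's type'
    rules: list = field(default_factory=list)  # (field, required value, asset type)


def resolve_site(cfg, endpoint, existing_site=None):
    """Pick the Halo site; existing_site is set when the asset already exists."""
    if existing_site is not None and cfg.keep_existing_site:
        return existing_site
    return cfg.site_map.get(endpoint.get("siteName"), cfg.default_site)


def resolve_type(cfg, endpoint, halo_types):
    """Return (asset type, created_new). halo_types maps type name -> group."""
    if cfg.type_mode == "same":
        return cfg.default_type, False
    if cfg.type_mode == "field":
        name = endpoint.get(cfg.type_field)
        if not name:                          # field not populated -> default type
            return cfg.default_type, False
        if name in halo_types:                # names must be identical to match
            return name, False
        halo_types[name] = cfg.default_group  # new type under the default group
        return name, True
    if cfg.type_mode == "rules":
        for fld, wanted, asset_type in cfg.rules:
            if endpoint.get(fld) == wanted:
                return asset_type, False
        return cfg.default_type, False        # no rule matched
    raise ValueError(f"unknown type_mode: {cfg.type_mode}")


def plan_import(cfg, endpoints, halo_types, existing_sites=None):
    """Dry-run an import: one (name, site, type, created_new) row per endpoint."""
    existing_sites = existing_sites or {}
    rows = []
    for ep in endpoints:
        site = resolve_site(cfg, ep, existing_sites.get(ep["computerName"]))
        asset_type, created = resolve_type(cfg, ep, halo_types)
        rows.append((ep["computerName"], site, asset_type, created))
    return rows


# Constructed sample data (not real tenant data).
SAMPLE_TYPES = {"Application Server": "Servers", "laptop": "Workstations"}
SAMPLE_ENDPOINTS = [
    {"computerName": "ws-01", "siteName": "Acme", "machineType": "laptop"},
    {"computerName": "ws-02", "siteName": "Acme", "machineType": "Laptop"},  # case differs
    {"computerName": "srv-01", "siteName": "Lab", "machineType": ""},        # unmapped, empty
    {"computerName": "ws-04", "siteName": "Acme", "machineType": "laptop"},  # already in Halo
]
SAMPLE_CONFIG = ImportConfig(
    site_map={"Acme": "Acme Main"},
    default_site="Unassigned",
    keep_existing_site=True,
    type_mode="field",
    default_type="Application Server",
    default_group="Network Equipment",
    type_field="machineType",
)

if __name__ == "__main__":
    types = dict(SAMPLE_TYPES)
    for row in plan_import(SAMPLE_CONFIG, SAMPLE_ENDPOINTS, types,
                           existing_sites={"ws-04": "Acme Branch"}):
        print(row)
```

<p>The second sample endpoint shows why the identical-name requirement matters: &#39;Laptop&#39; does not match the existing &#39;laptop&#39; type, so the model creates a second asset type under the default group.</p>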