HaloPSA

HaloPSA Guides

Documentation to assist with the setup and configuration of the HaloPSA platform

Guides > Azure Sentinel Integration

Azure Sentinel Integration

Note: As of v2.182.1+, the Sentinel Integration can run off of webhooks instead of the Halo Integrator. This allows for immediate syncing, and the guide for this is here "Azure Sentinel Webhooks".


In this guide we will cover:

- Enabling the Integration

- Syncing Incidents

- Syncing Comments and Closure Actions

- Client Configuration



The Azure Sentinel Integration is available in Configuration > Integrations. Make sure to enable the module via the '+' icon.


Fig 1. Enabling the module.


Syncing Incidents from Halo to Sentinel

When you navigate to the page you should be able to authorize in the same manner as Entra ID and other Microsoft Integrations. You'll need to create a partner application in your Azure Portal, this application will need to be multi-tenanted and have a redirect URI of type 'Web'. The redirect URI used will differ depending on the version of Halo you are using. 


On versions prior to v2.200 the following redirect URI will need to be used:

On versions v2.200+ you the following redirect URI will need to be used:

But the exact redirect URI you need can be found on the setup page for the integration in Halo.

Fig 2. New Azure application.


The application will then with then need to be registered and given the permissions shown in figure 2. Again, the exact permissions needed can be seen on the integration setup page. 


Note: The below Data.Read Permission should be a delegated permission, not an Application permission.


Fig 3. Permissions.


You can then use the details from this application and your Azure tenant id to authorize. After authorizing you should be shown Ticket field mappings where there are 4 mandatory fields to be set for importing and exporting to Azure Sentinel.


Fig 4. Mappings.


After Setting these, navigate to the bottom of the page regarding enabling the integrator, once enabled this will then import the last 7 days of Sentinel Incidents if never run before. If it's previously run, it'll import all incidents modified between now and the previous update time. This import will also pull any new comments adding in Sentinel but not in Halo yet.


Fig 5. Enabling the integrator.


The integrator now setup to sync Sentinel Incidents to Halo. Note that when importing incidents from Sentinel it will attempt to match priority, status and agent to halo by names. Note that it'll use the SLA present on the default ticket type for priority matching.


Syncing Comments and Closure Actions from Halo to Sentinel

With regards to actions syncing to Sentinel, there are several key action level fields to be aware of:


  • Sync to Sentinel - will sync the current action to Sentinel, either as a comment or as a closing action if the Halo status is set to closed/resolved.
  • Azure Sentinel Classification - The classification to be set in Sentinel if the incident is being closed, if not set when closing a ticket in Halo, it'll fall-back to the default set above.
  • Azure Sentinel Classification Reason - The Classification reason to be set in Sentinel if the incident is being closed, works the same as above for the default.
  • Please note the two above fields must work as a matching pair in Sentinel. E.g. Classification Undetermined should only be used with Reason N/A.
  • Note - This will be used for the comment text or the classification comment depending on whether the ticket is being closed in halo or not.
  • Status - Setting this to Closed/Resolved in Halo will attempt to close the incident in Sentinel.
  • Priority - Note that when syncing a closure action, the priority name from halo must match a priority name in Sentinel (High, Medium, Low, Informational)


The recommended way to setup an azure sentinel closure action would be something like the below:


Fig 6. Action on a ticket.


Whereas a comment action could remove the classification and classification reason. 


Client Configuration

For all these syncs to be possible each client that is supposed to sync to sentinel will need to be configured in client settings.


Fig 7. Sentinel configuration on a customer.


The connection name refers to which multi-tenancy connection of Sentinel is used. The other fields can all be found in Azure and are needed to know where to pull incidents from in Sentinel.

Popular Guides