The Azure Sentinel integration is now available in Configuration > Integrations.
Syncing Incidents from Halo to Sentinel
When you navigate to the page you should be able to authorize in the same manner as Azure Active Directory and the other Microsoft integrations. You'll need to create a partner application in your Azure Portal with the following permissions:
You can then use the details from this application and your Azure tenant id to authorize. After authorizing you should be shown Ticket field mappings where there are 4 mandatory fields to be set for importing and exporting to Azure Sentinel:
After setting these, navigate to the bottom of the page to enable the integrator. Once enabled, it will import the last 7 days of Sentinel incidents if it has never run before. If it has previously run, it will import all incidents modified between the previous update time and now. This import will also pull in any new comments added in Sentinel but not yet in Halo:
The integrator is now set up to sync Sentinel incidents to Halo. Note that when importing incidents from Sentinel it will attempt to match priority, status and agent to Halo by name, and that it uses the SLA present on the default ticket type for priority matching.
Syncing comments and closure actions from Halo to Sentinel
Before setting up actions to sync, any agent that has an account with Contributor permissions on Azure Sentinel will need to individually log in to their Microsoft account under the Integrations tab in the My Account section:
This will redirect them to login such that any comments they add are directly linked to their account rather than the admin account.
With regards to actions syncing to Sentinel, there are several key action level fields to be aware of:
Sync to Sentinel - will sync the current action to Sentinel, either as a comment or as a closing action if the Halo status is set to closed/resolved.
Azure Sentinel Classification - The classification to be set in Sentinel if the incident is being closed. If not set when closing a ticket in Halo, it will fall back to the default set above.
Azure Sentinel Classification Reason - The Classification reason to be set in Sentinel if the incident is being closed, works the same as above for the default.
Please note the two above fields must work as a matching pair in Sentinel. E.g. Classification Undetermined should only be used with Reason N/A.
Note - The note text is used as the comment text, or as the classification comment if the ticket is being closed in Halo.
Status - Setting this to Closed/Resolved in Halo will attempt to close the incident in Sentinel.
Priority - Note that when syncing a closure action, the priority name from Halo must match a priority name in Sentinel (High, Medium, Low, Informational).
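The following is an added example (not Halo's own code) that models how a single Halo action maps onto a Sentinel comment or closure using the field rules above: closing statuses become a closure, blank classification fields fall back to the integration defaults, the priority name must be one of Sentinel's four severities, and classification and reason must be an accepted pair. The pairing table and the property names are assumed from the Sentinel incidents REST API schema.

```python
# Constructed model of the Halo -> Sentinel closure/comment sync; not Halo's code.

# Classification / reason pairs accepted by the Sentinel incidents API
# (assumption: values as documented for the Microsoft.SecurityInsights schema).
# Undetermined takes no reason, which the page expresses as Reason "N/A".
VALID_PAIRS = {
    "Undetermined": {None},
    "TruePositive": {"SuspiciousActivity"},
    "BenignPositive": {"SuspiciousButExpected"},
    "FalsePositive": {"IncorrectAlertLogic", "InaccurateData"},
}
SENTINEL_SEVERITIES = {"High", "Medium", "Low", "Informational"}
CLOSING_STATUSES = {"closed", "resolved"}


def build_sentinel_update(action, defaults):
    """Translate one Halo action into a Sentinel incident update.

    action   - dict with the action-level fields from the page:
               status, priority, note, classification, classification_reason
    defaults - integration-level fallback classification / classification_reason
    Returns (kind, body) where kind is "comment" or "close".
    """
    if action["status"].lower() not in CLOSING_STATUSES:
        # Not a closure: Sentinel just receives the note as an incident comment.
        return "comment", {"message": action["note"]}

    priority = action["priority"]
    if priority not in SENTINEL_SEVERITIES:
        raise ValueError(f"Halo priority {priority!r} has no matching Sentinel severity")

    # Blank action fields fall back to the defaults configured on the integration.
    classification = action.get("classification") or defaults["classification"]
    reason = action.get("classification_reason") or defaults["classification_reason"]
    if reason == "N/A":
        reason = None
    if reason not in VALID_PAIRS.get(classification, ()):
        raise ValueError(f"{classification!r} cannot be paired with reason {reason!r}")

    body = {"status": "Closed", "severity": priority, "classification": classification,
            "classificationComment": action["note"]}
    if reason is not None:
        body["classificationReason"] = reason
    return "close", body
```

Feeding the function an action whose classification and reason do not match (for example Undetermined with SuspiciousActivity) raises before anything would be sent, which is the failure the "matching pair" note above warns about.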
The recommended way to set up an Azure Sentinel closure action would be something like the below:
Whereas a comment action could remove the classification and classification reason.