HaloITSM Guides
Documentation to assist with the setup and configuration of the HaloITSM platform
Azure Sentinel Integration
The Azure Sentinel Integration is now available in Configuration > Integrations. Make sure to enable the module via the '+' icon:
Syncing Incidents from Halo to Sentinel
When you navigate to the page you should be able to auhorize in the same manner as Azure Active Directory and other Microsoft Integrations. You'll need to create a partner application in your Azure Portal with the following permissions
The below Data.Read Permission should be a delegated permission, not an Application permission:
You can then use the details from this application and your Azure tenant id to authorize. After authorizing you should be shown Ticket field mappings where there are 4 mandatory fields to be set for importing and exporting to Azure Sentinel:
After Setting these, navigate to the bottom of the page regarding enabling the integrator, once enabled this will then import the last 7 days of Sentinel Incidents if never run before. If it's previously run, it'll import all incidents modified between now and the previous update time. This import will also pull any new comments adding in Sentinel but not in Halo yet:
The integrator now setup to sync Sentinel Incidents to Halo. Note that when importing incidents from Sentinel it will attempt to match priority, status and agent to halo by names. Note that it'll use the SLA present on the default ticket type for priority matching.
Syncing comments and closure actions from Halo to Sentinel
With regards to actions syncing to Sentinel, there are several key action level fields to be aware of:
- Sync to Sentinel - will sync the current action to Sentinel, either as a comment or as a closing action if the Halo status is set to closed/resolved.
- Azure Sentinel Classification - The classification to be set in Sentinel if the incident is being closed, if not set when closing a ticket in Halo, it'll fall-back to the default set above.
- Azure Sentinel Classification Reason - The Classification reason to be set in Sentinel if the incident is being closed, works the same as above for the default.
- Please note the two above fields must work as a matching pair in Sentinel. E.g. Classification Undetermined should only be used with Reason N/A.
- Note - This will be used for the comment text or the classification comment depending on whether the ticket is being closed in halo or not.
- Status - Setting this to Closed/Resolved in Halo will attempt to close the incident in Sentinel.
- Priority - Note that when syncing a closure action, the priority name from halo must match a priority name in Sentinel (High, Medium, Low, Informational)
The recommended way to setup an azure sentinel closure action would be something like the below:
Whereas a comment action could remove the classification and classification reason.
Client Configuration In Halo:
For all these syncs to be possible each client that is supposed to sync to sentinel will need to be configured in client settings :
The connection name is only available on version 2.77.1 and later as on this version multi-tenancy was added to Sentinel. These 3 fields can all be found in Azure and are needed to know where to pull incidents from in Sentinel.
Popular Guides
- Asset Import - CSV/XLS/Spreadsheet Method
- Call Management in Halo
- Creating a New Application for API Connections
- Creating Agents and Editing Agent Details
- Departments and Teams
- Halo Integrator
- Importing Data
- Multiple New Portals with different branding for one customer [Hosted]
- NHServer Deprecation User Guide
- Organisation Basics
- Organising Teams of Agents
- Step-by-Step Configuration Walk Through
- Suppliers