Halo + Azure Sentinel Integration

Sentinel raises the alert.
Halo turns it into a ticket.

Halo's native Azure Sentinel integration creates ITSM tickets automatically from security incidents — and keeps both systems in sync. Comments, closures, and priorities flow both ways. Your SOC team works in Halo; your security data stays in Sentinel.

✓ Auto ticket creation from Sentinel
✓ Two-way incident sync
✓ Real-time via webhooks
✓ Comment & closure sync
✓ Priority & field mapping
✓ First-party — included in every licence

What you get

A full two-way bridge between Sentinel and Halo.

This isn't a one-way alert feed. Halo and Azure Sentinel stay in sync — tickets, comments, closures, and priorities all travel in both directions.

Auto Ticket Creation

Every Sentinel incident becomes a Halo ticket

When Azure Sentinel raises a security incident, Halo creates a ticket automatically — with priority, classification, and assigned agent matched from Sentinel data. Your SOC team gets to work in Halo immediately, without logging into Sentinel.

Tickets created in Halo the moment a Sentinel incident fires
Priority, status, and assigned agent matched automatically
Sentinel incident ID linked inside the Halo ticket

Two-Way Sync

Comments and closures sync in both directions

Notes added in Halo sync to the linked Sentinel incident as comments. When a ticket is closed in Halo — with classification and closure reason — the Sentinel incident closes too. The reverse applies: updates in Sentinel flow back into Halo automatically.

Notes on Halo tickets sync as comments in Sentinel
Closure in Halo closes the Sentinel incident (with classification)
Sentinel comment updates import back into Halo

Real-Time Webhooks

Instant alerts via Azure Logic Apps and Sentinel Automations

For real-time incident delivery, Halo supports webhook-based integration using Azure Logic Apps and Sentinel Automation Rules. When an incident is created or updated in Sentinel, the Logic App fires instantly — a Halo ticket appears in seconds, not minutes.

Triggered on incident creation and incident update
Uses Azure Logic Apps with HTTP POST to the Halo API
Alternatively: Halo Integrator polls every 15 minutes

Field & Priority Mapping

Map Sentinel data to exactly the right Halo fields

Configure which Sentinel fields map to which Halo fields — including custom fields you create specifically for Sentinel data. Sentinel priorities map to Halo priorities so tickets land with the correct urgency. Supports multiple Sentinel workspaces, each linked to a different client.

Sentinel severity maps to Halo priority automatically
Custom field mapping for all Sentinel incident data
Per-client configuration — multiple Sentinel workspaces supported

The detail

Everything the integration delivers.

A first-party Halo integration — active from day one, included in your Halo licence, with no extra subscriptions or middleware.

Incident-to-ticket automation
Sentinel incidents create Halo tickets automatically — no manual logging, no copy-paste. Priority, agent, and classification are matched from Sentinel data.
Push tickets to Sentinel
Tickets raised in Halo can be sent to Sentinel as incidents. A single action syncs the ticket across — Halo remains the system of record.
Bidirectional comment sync
Notes added to a Halo ticket sync as comments in the linked Sentinel incident. Sentinel comments import back into Halo on the next sync run.
Closure sync
Closing a ticket in Halo closes the linked Sentinel incident, passing classification and classification reason. Closing in Sentinel closes the Halo ticket too.
Sentinel priority → Halo priority
Map each Sentinel severity level (High, Medium, Low, Informational) to the corresponding Halo priority number. Tickets always arrive at the correct urgency.
Sentinel classification support
Closures include Sentinel Classification and Classification Reason — True Positive, False Positive, Benign Positive, or Undetermined — matched to Microsoft's allowed value pairs.
Custom field mapping
Map any Sentinel incident field to a Halo custom field. Sentinel data lands exactly where you need it — in your ticket type, visible to your agents.
Per-client workspace config
Each Halo client record can be linked to a different Sentinel workspace. Multiple Sentinel instances across customers or departments are all supported.
Real-time webhooks
The webhook method (via Azure Logic Apps) delivers Sentinel incidents to Halo in seconds. Automation rules trigger on incident create and incident update.
Scheduled Integrator
The Halo Integrator option polls Sentinel every 15 minutes — importing new incidents and comment updates. Simpler to set up; suitable where real-time delivery isn't required.
Sentinel ID in Halo ticket
Every ticket created from a Sentinel incident displays the linked Sentinel ID with a direct link to open the incident in the Azure portal — for fast context switching.
Comment-only mode
Enable "Only import comments" to prevent new tickets being created automatically — useful when tickets are always raised in Halo and only comment syncing from Sentinel is needed.
Dedicated ticket type for Sentinel
Create a dedicated Halo ticket type for Sentinel incidents — with custom fields, SLAs, and workflow rules specific to your security response process.
Works across HaloITSM & HaloPSA
The Azure Sentinel integration is available across both HaloITSM and HaloPSA — bringing Sentinel incident management into the same platform as your broader service operations.
No extra cost — ever
The Azure Sentinel integration is a first-party Halo feature included in every standard Halo licence. No middleware to buy, no connector subscription, no add-on fee.

Getting connected

How the integration is configured

Setup requires an Azure App Registration and a Sentinel Contributor account. Allied ESM can handle the full configuration as part of your Halo project.

Choose your import method:

⚡ Real-time

Webhooks (recommended)

Sentinel incidents arrive in Halo within seconds, via Azure Logic Apps and Sentinel Automation Rules. Requires a brief additional setup in Azure.

🕐 Scheduled

Halo Integrator

Halo polls Sentinel every 15 minutes and imports new incidents and comment updates. Simpler setup — no Logic Apps required.

1. Enable the Azure Sentinel integration in Halo

In Halo, go to Configuration → Integrations and enable the Azure Sentinel module using the '+' icon. The module ships with every Halo licence — nothing to download.

2. Create an Azure App Registration

In the Azure portal, create a new multi-tenanted App Registration with a web redirect URI (shown in the Halo setup page). Grant three permissions: Azure Service Management user_impersonation (Delegated), Log Analytics API Data.Read (Delegated), and Graph API offline_access (Delegated).

3. Enter credentials in Halo and sign in with Microsoft

Generate a client secret in Azure and paste it — along with your Application (Client) ID and Tenant ID — into the Halo integration setup page. Save and click 'Sign in with Microsoft'. A Sentinel Contributor account must complete this authorisation step.

4. Configure per-client Sentinel settings

In the Settings tab of each Halo client record, expand the Azure Sentinel section and enter the workspace details for that client's Sentinel instance. Repeat for each client if you are connecting multiple Sentinel workspaces.

5. Set up field mappings and priority mappings

On the Field Mappings tab, assign a dedicated Halo ticket type for Sentinel incidents, set default closure classifications, and map Sentinel severity levels to Halo priorities. Optionally map Sentinel custom fields to Halo custom fields.

6. Configure your import method and go live

On the Imports tab, choose Halo Integrator (15-minute polling) or Webhooks (real-time, requires a Logic App in Azure and Sentinel Automation Rules for the 'incident created' and 'incident updated' triggers). Once done, Sentinel incidents flow into Halo automatically.
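To make the mapping steps above concrete, here is an added example (not Halo's or Allied ESM's code) of the logic a webhook receiver performs when a Sentinel Automation Rule posts an incident: it resolves the Halo client from the Sentinel workspace in the incident's resource id (the per-client setting from step 4), maps Sentinel severity to a Halo priority number (step 5), carries the Sentinel incident id and portal link into the ticket, and validates the Classification / Classification Reason pair before a closure is sent back to Sentinel. The Halo field names, the ticket type id, the client ids and the sample incident are all constructed placeholders; only the Sentinel severity values and Microsoft's classification pairs are real.

```python
"""Sentinel incident -> Halo ticket mapping, as an illustrative example.
Halo-side field names, ids and the sample payload are hypothetical."""
from __future__ import annotations

import re

# Step 5 of the setup: Sentinel severity -> Halo priority number (constructed values).
SEVERITY_TO_PRIORITY = {"High": 1, "Medium": 2, "Low": 3, "Informational": 4}

# Microsoft's allowed Classification / ClassificationReason pairs for closing a
# Sentinel incident. Undetermined carries no reason.
ALLOWED_CLASSIFICATION_REASONS = {
    "TruePositive": {"SuspiciousActivity"},
    "BenignPositive": {"SuspiciousButExpected"},
    "FalsePositive": {"IncorrectAlertLogic", "InaccurateData"},
    "Undetermined": set(),
}

# Step 4 of the setup: Sentinel workspace name -> Halo client id (constructed).
WORKSPACE_TO_CLIENT = {"soc-client-a": 101, "soc-client-b": 102}
SENTINEL_TICKET_TYPE_ID = 42  # hypothetical dedicated Halo ticket type (step 5)

# Assumption: the incident resource id contains a ".../workspaces/<name>/..." segment.
_WORKSPACE_RE = re.compile(r"/workspaces/([^/]+)/", re.IGNORECASE)


class MappingError(ValueError):
    """Raised when a payload cannot be mapped; the receiver should fail closed."""


def workspace_from_resource_id(resource_id: str) -> str:
    match = _WORKSPACE_RE.search(resource_id)
    if not match:
        raise MappingError(f"no workspace segment in resource id: {resource_id}")
    return match.group(1)


def incident_to_ticket(incident: dict) -> dict:
    """Build the Halo ticket body for a Sentinel incident payload (hypothetical field names)."""
    props = incident.get("properties") or {}
    missing = [k for k in ("incidentNumber", "title", "severity") if k not in props]
    if missing:
        raise MappingError(f"incident payload missing fields: {missing}")
    severity = props["severity"]
    if severity not in SEVERITY_TO_PRIORITY:
        # Unknown severity is rejected rather than silently defaulted to low priority.
        raise MappingError(f"unmapped Sentinel severity: {severity!r}")
    workspace = workspace_from_resource_id(incident.get("id", ""))
    if workspace not in WORKSPACE_TO_CLIENT:
        raise MappingError(f"workspace {workspace!r} is not linked to a Halo client")
    return {
        "summary": f"[Sentinel #{props['incidentNumber']}] {props['title']}",
        "details": props.get("description", ""),
        "priority_id": SEVERITY_TO_PRIORITY[severity],
        "client_id": WORKSPACE_TO_CLIENT[workspace],
        "tickettype_id": SENTINEL_TICKET_TYPE_ID,
        "customfields": [  # hypothetical Halo custom fields holding the Sentinel link
            {"name": "SentinelIncidentId", "value": incident.get("name")},
            {"name": "SentinelIncidentUrl", "value": props.get("incidentUrl")},
        ],
    }


def closure_is_valid(classification: str, reason: str | None) -> bool:
    """True only for a Classification / ClassificationReason pair Sentinel accepts."""
    allowed = ALLOWED_CLASSIFICATION_REASONS.get(classification)
    if allowed is None:
        return False
    if not allowed:
        return reason is None
    return reason in allowed


def closure_update(classification: str, reason: str | None = None) -> dict:
    """Body for closing the linked Sentinel incident when the Halo ticket is closed."""
    if not closure_is_valid(classification, reason):
        raise MappingError(f"invalid closure pair: {classification}/{reason}")
    props = {"status": "Closed", "classification": classification}
    if reason is not None:
        props["classificationReason"] = reason
    return {"properties": props}


# Constructed sample of the incident object a Sentinel Automation Rule hands to a Logic App.
SAMPLE_INCIDENT = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
          "/providers/Microsoft.OperationalInsights/workspaces/soc-client-a"
          "/providers/Microsoft.SecurityInsights/Incidents/1b2c3d4e-0000-0000-0000-000000000000",
    "name": "1b2c3d4e-0000-0000-0000-000000000000",
    "properties": {
        "incidentNumber": 4711,
        "title": "Multiple failed logons followed by success",
        "description": "Possible brute force against an admin account.",
        "severity": "High",
        "status": "New",
        "incidentUrl": "https://portal.azure.com/#example-incident-link",
    },
}

if __name__ == "__main__":
    print(incident_to_ticket(SAMPLE_INCIDENT))
    print(closure_update("FalsePositive", "InaccurateData"))
```

The receiver rejects anything it cannot map (unknown severity, unlinked workspace, malformed closure pair) instead of creating a mis-prioritised or mis-routed ticket, so a gap in the mapping table surfaces as a failed Logic App run rather than a P4 ticket for a high-severity incident.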

Allied ESM configures this for you

Allied ESM can scope and deliver the full Halo + Azure Sentinel integration — Azure App Registration, field mapping, priority configuration, webhook setup, and per-client workspace linking. Whether it's part of a new Halo implementation or added to an existing environment, we handle the technical detail so your team doesn't have to.

Real-world uses

Three ways this changes the security workflow.

How organisations put the Halo + Azure Sentinel integration to work from day one.

01. SOC team works in Halo without touching Sentinel

A high-severity alert fires in Sentinel at 2am. Within seconds, a P1 ticket appears in Halo — assigned, categorised, and linked back to the Sentinel incident. The on-call analyst picks it up in Halo, adds notes, and closes it. The Sentinel incident closes automatically with classification. No one logs into the Azure portal.

Sentinel alert → Halo P1 ticket → Sentinel closed

02. Investigation notes in Halo appear in Sentinel automatically

An analyst investigating a brute force alert adds a detailed note in Halo — forensic steps taken, IPs blocked, timeframe. That note syncs to the Sentinel incident as a comment within the same sync cycle. Auditors and compliance teams reviewing in Azure see the full investigation trail, written in Halo.

Note in Halo → Synced to Sentinel → Full audit trail

03. MSP manages multiple client Sentinel workspaces in one Halo

A managed security provider supports five clients, each with their own Sentinel workspace. Each client record in Halo is linked to their respective workspace. When Sentinel fires an incident for Client A, the ticket is created under Client A in Halo — automatically categorised, prioritised, and routed to the right team without any manual triage.

Client A Sentinel → Client A in Halo → Right team alerted

Common questions

Frequently asked questions

Is the Halo + Azure Sentinel integration a one-way or two-way sync?
It is a full two-way sync. Incidents in Sentinel create tickets in Halo automatically. Tickets in Halo can also be pushed to Sentinel as incidents. Comments sync in both directions — notes added in Halo appear in Sentinel, and comments added in Sentinel import into Halo. Closures also sync both ways, including Sentinel classification and classification reason.
What are the two import methods and which should I use?
The Halo Integrator polls Sentinel every 15 minutes — simpler to set up, no extra Azure configuration needed. The Webhooks method uses an Azure Logic App and Sentinel Automation Rules to deliver incidents in real time, within seconds of the Sentinel alert firing. For security operations where speed matters, webhooks are recommended. Allied ESM can configure either approach.
Is the Azure Sentinel integration included in the standard Halo licence?
Yes. The Azure Sentinel integration is a first-party, native Halo feature included in every standard Halo licence. There is no add-on, no middleware subscription, and no third-party connector required. The only Azure-side requirement is an App Registration (free) and, for webhooks, a Logic App (minimal Azure consumption cost).
Can we connect multiple Sentinel workspaces — for example, one per client?
Yes. Each Halo client record can be linked to a different Sentinel workspace. If you manage multiple customers or departments — each with their own Sentinel instance — you configure the workspace details against each client in Halo. Incidents from each workspace create tickets under the correct client automatically, with no manual routing needed.
What permissions are required in Azure to set up the integration?
You will need to create an Azure App Registration with three delegated permissions: Azure Service Management user_impersonation, Log Analytics API Data.Read, and Graph API offline_access. A Sentinel Contributor account is required to complete the Sign in with Microsoft authorisation step. Allied ESM can walk your Azure admin through this as part of the setup.
We already have Halo live — can we add the Sentinel integration without disrupting anything?
Yes. The Azure Sentinel integration can be added to an existing live Halo environment. The setup takes place entirely within Halo's configuration area and the Azure portal — no changes to your existing ticket types, SLAs, or workflows are required unless you choose to create a dedicated ticket type for Sentinel incidents. Allied ESM can scope and deliver the integration without disrupting your current operations.

Ready to connect Sentinel and Halo?

Allied ESM can scope and configure the full Halo + Azure Sentinel integration — from Azure App Registration through to webhook setup and field mapping. Talk to us to find out what's involved for your environment.