Note: This is available as of v2.182.1+. Previous versions can use the Halo Integrator method.
This guide explains how to set up webhooks in Azure Sentinel to create tickets in your Halo instance. You will need permission to create Logic Apps and Sentinel Automation rules.
Part 1) Create a new Logic app in Microsoft Azure
Select the Multi-tenant Consumption hosting option:
Fill out the Project and Instance details:
Once your Logic app has been deployed, go to the Logic app designer section under the Development Tools tab.
Add a trigger and select the “Microsoft Sentinel incident” option:
Add a new step after the Sentinel trigger and search for “HTTP”:
Fill out the HTTP action as follows:
URI: {Your Halo URL}/api/Notify/AzureSentinel
Method: POST
Headers: Key = Authorization, Value = {“username:password” base64 encoded}.
For the body, press the lightning icon to add objects from the previous step, choosing the body of the Sentinel trigger:
Save the Logic app.
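To check the endpoint and credentials before wiring up the Logic App, the following script builds the same request the HTTP action sends: a POST to {Your Halo URL}/api/Notify/AzureSentinel with the Sentinel incident body and an Authorization header holding base64("username:password"). This is an added example, not code from Halo or from this guide. The Halo URL, the credentials and the incident payload are constructed placeholders, the Content-Type header is an assumption about what the Logic App sends with a JSON body, and the Authorization value is the raw base64 string exactly as the guide states.

```python
import base64
import json
import urllib.request

# Constructed placeholders; a real deployment takes these from secure Logic App
# parameters or a Key Vault reference rather than hard-coding them.
HALO_URL = "https://example.halopsa.com"   # stands in for {Your Halo URL}
USERNAME = "sentinel-webhook"              # constructed sample credential
PASSWORD = "example-password"              # constructed sample credential

# Constructed sample of a Sentinel incident trigger body. Field names are
# illustrative only; the real trigger output is what the Logic App passes on.
SAMPLE_INCIDENT = {
    "object": {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/incidents/1",
        "properties": {
            "title": "Example incident (constructed sample)",
            "severity": "Medium",
            "status": "New",
        },
    }
}


def basic_credential(username: str, password: str) -> str:
    """Return base64("username:password"), the header value the guide asks for."""
    raw = f"{username}:{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def build_notify_request(halo_url: str, username: str, password: str,
                         incident: dict) -> urllib.request.Request:
    """Build the POST the Logic App HTTP action sends, without sending it."""
    uri = halo_url.rstrip("/") + "/api/Notify/AzureSentinel"
    body = json.dumps(incident).encode("utf-8")
    req = urllib.request.Request(uri, data=body, method="POST")
    # Assumed: the Logic App sends its JSON body with this content type.
    req.add_header("Content-Type", "application/json")
    # The guide specifies the raw base64 string as the Authorization value.
    req.add_header("Authorization", basic_credential(username, password))
    return req


def send_notify(req: urllib.request.Request, timeout: int = 10) -> int:
    """Send the request over HTTPS and return the HTTP status code."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    request = build_notify_request(HALO_URL, USERNAME, PASSWORD, SAMPLE_INCIDENT)
    print(request.get_method(), request.full_url)
    # print(send_notify(request))  # run only against a real Halo instance
```

Run it as-is to inspect the request that will be sent; uncomment the `send_notify` call once the placeholders point at a real instance, and a 2xx status confirms the URI and the Authorization value are accepted before the Logic App is saved.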
Part 2) Sentinel Automation rules
Navigate to the Microsoft Sentinel resource and select the “Automations” section under the “Configuration” group.
Create a new Automation rule for each of the following triggers:
- When incident is created
- When incident is updated
Add an action to “Run playbook” and choose the playbook that was made in part 1 of this guide:
Save the automation rules.
Now whenever a Sentinel Incident is created or updated, the playbook will send a request to the Halo API and create/update a ticket in Halo.