Microsoft Sentinel Blog

Centralize your security response with Azure Sentinel & PagerDuty

Cristhofer Munoz
Feb 03, 2021

This blog was written in collaboration with Sebastien Molendijk, thank you for all of your hard work!

 

Security teams today are inundated with alerts and information from a growing number of siloed point solutions. Furthermore, manual processes and cross-team handoffs hinder the security team’s ability to efficiently respond to attacks.

 

Security teams are in dire need of workflows that can shorten the response cycle by enabling automated workflow actions so analysts can focus on remediation and effectively managing the lifecycle of security incidents. PagerDuty is an agile incident management platform that works with IT Operations and DevOps teams to improve operational reliability and agility.

 

In this installment, we will cover the process to integrate and centralize your security response in Azure Sentinel with PagerDuty.

 

 

Figure 1:  High Level flow to integrate Azure Sentinel with PagerDuty

 

Configuration steps

 

In PagerDuty

 

1. The first step is to create a REST API key. (This API key will be used by Azure Logic Apps to communicate with PagerDuty.) Go to the “Apps” menu and click on “API Access”.

Figure 1: PagerDuty Configuration

2. On the API Access page, select Create New API Key.

 

Figure 2: PagerDuty Configuration

 

3. In the dialog that pops up, you’ll be prompted to enter a Description for your key. You will also have the option to create the key as Read-only; leave this box unchecked as a full-access API key is required.

 

Select the Create Key button to generate the new API key.

 

Figure 3: PagerDuty Configuration

 

4. Once the key is generated, you will see a dialog displaying your key and confirming the options you filled in on the previous step.

 

Figure 4: PagerDuty Configuration

 

Important: Make sure to copy this key and save it in a secure place, as you will not have access to the key after this step. If you lose a key that you created previously and need access to it again, you should remove the key and create a new one.

 

In Azure

 

We now have to import the Logic App that creates the incidents in PagerDuty.

 

  1. Go to GitHub and select the Deploy to Azure button.

Figure 5: Azure Configuration

 

2. Provide the required parameters: the Azure Sentinel connection name and the Resource Group.

 

Figure 6: Azure Configuration

 

3. Once the deployment is complete, go to the resource group to configure the Logic App.

 

Figure 7: Azure Configuration

 

4. Click on the Edit button to access the designer.

 

Figure 8: Azure Configuration

 

5. In the Logic App, configure the API token value, as well as the PagerDuty service ID.
   Note: to increase security, you could store the API token in a Key Vault.
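As an added example (not code from this post or from the GitHub template), the following builds the request the Logic App sends to PagerDuty's REST API to open an incident for a Sentinel incident, and shows how the API key would be masked before anything is written to run history. The Sentinel incident is constructed, the `From` header, the severity-to-urgency mapping and the Key Vault placeholder are assumptions.

```python
import json

PAGERDUTY_INCIDENTS_URL = "https://api.pagerduty.com/incidents"

# Sentinel has four severities, PagerDuty has two urgencies (assumed mapping).
_URGENCY = {"High": "high", "Medium": "high", "Low": "low", "Informational": "low"}


def build_incident_request(incident, service_id, api_token, from_email):
    """Return (url, headers, body) for POST /incidents on PagerDuty's REST API.

    The REST API key from the PagerDuty steps above travels only in the
    Authorization header; the service ID configured in the Logic App is sent
    as a service_reference; the body links back to the Sentinel incident.
    """
    headers = {
        "Authorization": f"Token token={api_token}",
        "Accept": "application/vnd.pagerduty+json;version=2",
        "Content-Type": "application/json",
        "From": from_email,  # PagerDuty requires a valid user email here
    }
    body = {
        "incident": {
            "type": "incident",
            "title": f"[Sentinel] {incident['title']}",
            "service": {"id": service_id, "type": "service_reference"},
            "urgency": _URGENCY.get(incident.get("severity", "Low"), "low"),
            "body": {
                "type": "incident_body",
                "details": f"Sentinel incident {incident['number']}: {incident['url']}",
            },
        }
    }
    return PAGERDUTY_INCIDENTS_URL, headers, json.dumps(body)


def redact_for_logging(headers):
    """Copy of the headers that is safe to log: the token is masked, which is
    what 'Secure Inputs/Outputs' achieves for the HTTP action in the Logic App."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Token token=***"
    return safe


# Constructed Sentinel incident for the demonstration (not real data).
SAMPLE_INCIDENT = {
    "number": 42,
    "title": "Suspicious sign-in from unfamiliar location",
    "severity": "High",
    "url": "https://portal.azure.com/<placeholder-incident-link>",
}

if __name__ == "__main__":
    # The token would be read from Key Vault at run time; placeholder here.
    url, hdrs, payload = build_incident_request(
        SAMPLE_INCIDENT, "PSERVICE", "<api-key-from-key-vault>", "analyst@example.com")
    print(url, redact_for_logging(hdrs), payload)
```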

 

 

Test your Logic App

 

To validate that our solution is working as expected, go to Azure Sentinel and open an incident.

1. In the incident, on the Alerts tab, go to the right of the blade and click on View playbooks.

 

Figure 9: Azure Configuration

 

2. Search for the Logic App you just created and click on the Run button.

 

3. Once the execution completes successfully, a new comment with a link to PagerDuty will be added (you might need to click on the refresh button in the incident).

 

 

4. Click on the link in the comment. It will open the incident in PagerDuty.

 

 

 

Putting it all together

 

In this installment, we demonstrated the process to integrate and centralize your security response in Azure Sentinel with PagerDuty. This integration ensures that the details of the alert are mapped to the security incident artifacts and triggers playbooks in PagerDuty to orchestrate triage, investigation and response actions. Additionally, it improves the quality and consistency of security investigations and helps security incident teams scale.

 

Updated Feb 03, 2021
Version 1.0
  • ankita215
    Copper Contributor

    Hi, we are trying to send Sentinel alerts to PagerDuty. But this template is not working. Please help me if there is any change we need to do.

  • pemontto
    Brass Contributor

    Is there a canonical way to secure keys and credentials in logic apps? It would be great if credentials could be defined and automatically stored and retrieved from key vault by using a placeholder.

     

    Right now the only way we can secure flows like these is by adding a step to pull from Key Vault, and then setting all relevant nodes to Secure Inputs/Outputs. Unfortunately that really hampers debugging! Not ideal...

  • It is funny that Azure Sentinel is a security service but you propose a solution where the secret is in plain text in the Logic App.