This blog was written in collaboration with @Sebastien Molendijk , thank you for all of your hard work!
Security teams today are inundated with alerts and information from a growing number of siloed point solutions. Furthermore, manual processes and cross-team handoffs hinder the security team’s ability to efficiently respond to attacks.
Security teams are in dire need of workflows that can shorten the response cycle by enabling automated workflow actions so analysts can focus on remediation and effectively managing the lifecycle of security incidents. PagerDuty is an agile incident management platform that works with IT Operations and DevOps teams to improve operational reliability and agility.
In this installment, we will cover the process to integrate and centralize your security response in Azure Sentinel with PagerDuty.
Figure 1: High Level flow to integrate Azure Sentinel with PagerDuty
2. On the API Access page, select Create New API Key.
3. In the dialog that pops up, you’ll be prompted to enter a Description for your key. You will also have the option to create the key as Read-only; leave this box unchecked as a full-access API key is required.
Select the Create Key button to generate the new API key.
4. Once the key is generated, you will see a dialog displaying your key and confirming the options you filled in on the previous step.
Important: Make sure to copy this key and save it in a secure place, as you will not have access to the key after this step. If you lose a key that you created previously and need access to it again, you should remove the key and create a new one.
We now have to import the Logic App creating the incidents in PagerDuty.
2. Provide the required parameters, the Azure Sentinel connection name and Resource Group.
3. Once the deployment is complete, go to the resource group to configure the Logic App.
4. Click on the Edit button to access to the designer.
5. In the Logic App, configure the API token value, as well as the PagerDuty service ID.
Note: to increase security, you could store the API token in a Key Vault.
To validate that our solution is working as expected, go to Azure Sentinel and open an incident.
2. Search for the Logic App you just created and click on the Run button.
3. Once the execution successfully complete, a new comment with a link to PagerDuty will be added (you might need to click on the refresh button in the incident).
4. Click on the link in the comment. It will open the incident in PagerDuty.
In this installment, we demonstrated the process to integrate and centralize your security reponse in Azure Sentinel with PagerDuty. This integration will ensure comprehensive mapping of details in the alert to Security Incident artifacts and trigger playbooks in PagerDuty to orchestrate, triage, investigate and response actions. Additionally, it will enable quality and consistency of security investigations and scales security incident teams.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.