This blog was written in collaboration with@Sebastien Molendijk , thank you for all of your hard work!
Security teams today are inundated with alerts and information from a growing number of siloed point solutions. Furthermore, manual processes and cross-team handoffs hinder the security team’s ability to efficiently respond to attacks.
Security teams are in dire need of workflows that can shorten the response cycle by enabling automated workflow actions so analysts can focus on remediation and effectively managing the lifecycle of security incidents. PagerDuty is an agile incident management platform that works with IT Operations and DevOps teams to improve operational reliability and agility.
In this installment, we will cover the process to integrate and centralize your security response in Azure Sentinel with PagerDuty.
Figure 1: High Level flow to integrate Azure Sentinel with PagerDuty
The first step is to create a REST API key. (This API key will be used by Azure Logic Apps to communicate with PagerDuty). Go to the “Apps” menu and click on “API Access”.
Figure 1: PagerDuty Configuration2. On the API Access page, select Create New API Key.
Figure 2: PagerDuty Configutation
3. In the dialog that pops up, you’ll be prompted to enter a Description for your key. You will also have the option to create the key as Read-only; leave this box unchecked as a full-access API key is required.
Select the Create Key button to generate the new API key.
Figure 3: PagerDuty Configuration
4. Once the key is generated, you will see a dialog displaying your key and confirming the options you filled in on the previous step.
Figure 4: PagerDuty Configuration
Important: Make sure to copy this key and save it in a secure place, as you will not have access to the key after this step. If you lose a key that you created previously and need access to it again, you should remove the key and create a new one.
We now have to import the Logic App creating the incidents in PagerDuty.
Go to GitHub and select the Deploy to Azure button.
Figure 5: Azure Configuration
2. Provide the required parameters, the Azure Sentinel connection name and Resource Group.
Figure 6: Azure Configuration
3. Once the deployment is complete, go to the resource group to configure the Logic App.
Figure 7: Azure Configuration
4. Click on the Edit button to access to the designer.
Figure 8: Azure Configuration
5. In the Logic App, configure the API token value, as well as the PagerDuty service ID. Note: to increase security, you could store the API token in a Key Vault.
Test your Logic App
To validate that our solution is working as expected, go to Azure Sentinel and open an incident.
In the incident, on the Alerts tab, go to the right of the blade and click on View playbooks
Figure 9: Azure Configuration
2. Search for the Logic App you just created and click on the Run button.
3. Once the execution successfully complete, a new comment with a link to PagerDuty will be added (you might need to click on the refresh button in the incident).
4. Click on the link in the comment. It will open the incident in PagerDuty.
Putting it all together
In this installment, we demonstrated the process to integrate and centralize your security reponse in Azure Sentinel with PagerDuty. This integration will ensure comprehensive mapping of details in the alert to Security Incident artifacts and trigger playbooks in PagerDuty to orchestrate, triage, investigate and response actions. Additionally, it will enable quality and consistency of security investigations and scales security incident teams.