Centralize your security response with Azure Sentinel & PagerDuty
Published Feb 03 2021 05:44 AM 11.5K Views

This blog was written in collaboration with @Sebastien Molendijk , thank you for all of your hard work!


Security teams today are inundated with alerts and information from a growing number of siloed point solutions. Furthermore, manual processes and cross-team handoffs hinder the security team’s ability to efficiently respond to attacks.


Security teams are in dire need of workflows that can shorten the response cycle by enabling automated workflow actions so analysts can focus on remediation and effectively managing the lifecycle of security incidents. PagerDuty is an agile incident management platform that works with IT Operations and DevOps teams to improve operational reliability and agility.


In this installment, we will cover the process to integrate and centralize your security response in Azure Sentinel with PagerDuty.




Figure 1:  High Level flow to integrate Azure Sentinel with PagerDuty


Configuration steps


In PagerDuty


  1. The first step is to create a REST API key. (This API key will be used by Azure Logic Apps to communicate with PagerDuty).
    Go to the “Apps” menu and click on “API Access”.

Figure 1: PagerDuty ConfigurationFigure 1: PagerDuty Configuration2. On the API Access page, select Create New API Key.


Figure 2: PagerDuty ConfigutationFigure 2: PagerDuty Configutation


3. In the dialog that pops up, you’ll be prompted to enter a Description for your key. You will also have the option to create the key as Read-only; leave this box unchecked as a full-access API key is required.


Select the Create Key button to generate the new API key.


Figure 3: PagerDuty ConfigurationFigure 3: PagerDuty Configuration


 4. Once the key is generated, you will see a dialog displaying your key and confirming the options you filled in on the previous step.


Figure 4: PagerDuty ConfigurationFigure 4: PagerDuty Configuration


Important: Make sure to copy this key and save it in a secure place, as you will not have access to the key after this step. If you lose a key that you created previously and need access to it again, you should remove the key and create a new one.


In Azure


We now have to import the Logic App creating the incidents in PagerDuty.


  1. Go to GitHub and select the Deploy to Azure button.

Figure 5: Azure ConfigurationFigure 5: Azure Configuration


2. Provide the required parameters,  the Azure Sentinel connection name and Resource Group.


Figure 6: Azure ConfigurationFigure 6: Azure Configuration


3. Once the deployment is complete, go to the resource group to configure the Logic App.


Figure 7: Azure ConfigurationFigure 7: Azure Configuration


 4. Click on the Edit button to access to the designer.


Figure 8: Azure ConfigurationFigure 8: Azure Configuration


 5. In the Logic App, configure the API token value, as well as the PagerDuty service ID.
 Note: to increase security, you could store the API token in a Key Vault.




Test your Logic App


To validate that our solution is working as expected, go to Azure Sentinel and open an incident.

  1. In the incident, on the Alerts tab, go to the right of the blade and click on View playbooks


Figure 9: Azure ConfigurationFigure 9: Azure Configuration


2. Search for the Logic App you just created and click on the Run button.



3. Once the execution successfully complete, a new comment with a link to PagerDuty will be added (you might need to click on the refresh button in the incident).




4. Click on the link in the comment. It will open the incident in PagerDuty.





Putting it all together


In this installment, we demonstrated the process to integrate and centralize your security reponse in Azure Sentinel with PagerDuty. This integration will ensure comprehensive mapping of details in the alert to Security Incident artifacts and trigger playbooks in PagerDuty to orchestrate,  triage, investigate and response actions. Additionally, it will enable quality and consistency of security investigations and scales security incident teams.


Version history
Last update:
‎Feb 03 2021 05:44 AM
Updated by: