PagerDuty integration allows Red Canary to trigger PagerDuty incidents as part of an automation playbook.

1. In any playbook, click Add Action.
2. Click PagerDuty, Create PagerDuty Incident and then click Add to Playbook.
3. Specify the incident message you want to appear in each PagerDuty incident.
4. Click Save & Connect with PagerDuty.
5. You will be redirected to the PagerDuty site and asked to authorize Red Canary. Following that, you will be returned to Red Canary.

When the playbook is triggered, a PagerDuty incident will appear.

What details are included in the PagerDuty incident?

Custom details may be specified for each incident using the PagerDuty API. Red Canary adds several fields when a PagerDuty incident is triggered.

For audit logs:

• actor is set to the name and email of the user triggering the audit log.
• timestamp is set to the time the audit log was created.
• action_name is set to the name of the action that occurred.

For activity monitors:

• activity_monitor is set to the activity monitor’s name.
• num_matches_found is set to the number of matches that were found recently, or were found in this notification.

For threats: 

• severity is set to the detection’s severity.
• classification is set to the detection’s root classification.
• subclassifications is set to a comma-separated list of the detection’s subclassifications.
• A PagerDuty link is included that links to the confirmed threat in Red Canary.

Can PagerDuty incidents be resolved?

Yes. Each Red Canary incident has an incident key associated with the underlying resource that triggered the automation, such as an audit log, detection, or endpoint. These incidents can also be resolved by Red Canary automation.

For example, a playbook may use Create PagerDuty Incident when a detection is published, and may then use Resolve PagerDuty Incident when a detection is acknowledged. This works because the same detection triggers both the incident creation and resolution actions.