Red Canary’s PagerDuty integration allows pages to be triggered as part of an automation playbook.
Adding a PagerDuty automation action
To create a PagerDuty incident as part of an automation playbook:
- Within any playbook, click Add Action.
- Click PagerDuty > Create PagerDuty Incident > Add to Playbook.
- Specify the Incident Message you want to appear in each PagerDuty incident.
- Click Save & Connect with PagerDuty.
- You will be redirected to the PagerDuty site and asked to authorize Red Canary. Following that, you will be returned to Red Canary.
When the action executes, PagerDuty shows an incident similar to the following:
What details are included in the created incident?
The PagerDuty API allows custom details to be specified for each incident. Red Canary adds several fields when a PagerDuty incident is triggered:
For audit logs:
- actor is set to the name and email of the user triggering the audit log.
- timestamp is set to the time the audit log was created.
- action_name is set to the name of the action that occurred.
For activity monitors:
- activity_monitor is set to the activity monitor’s name.
- num_matches_found is set to the number of matches found in this notification.
For detections:
- severity is set to the detection’s severity.
- classification is set to the detection’s root classification.
- subclassifications is set to a comma-separated list of the detection’s subclassifications.
- detection_engine_observed is set to a hash of the category names and descriptions of the analytics that were used to identify the threat. This field is deprecated and will be replaced with the ATT&CK techniques and contributing intelligence in mid-2020.
- A PagerDuty link is included that points to the confirmed threat in Red Canary.
Can PagerDuty incidents be resolved?
Yes. Each incident created by Red Canary has an incident key associated with the underlying resource that triggered the automation (an audit log, a detection, an endpoint, and so on), so these incidents can also be resolved by Red Canary automation.
For example, a playbook may use Create PagerDuty Incident when a detection is published, and may then use Resolve PagerDuty Incident when a detection is acknowledged. This works because the same detection triggers both the incident creation and resolution actions.
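The two behaviours described above (custom details attached to the incident, and a resolve that matches the earlier trigger) both rest on the same mechanism: a key derived from the underlying resource that is reused by both events. The following is an added illustration of that pattern in the shape of PagerDuty's Events API v2 (event_action trigger/resolve, a dedup_key, and payload.custom_details); it is not Red Canary's own code, and the sample detection, the severity mapping, the placeholder URL and the helper names are constructed for the example.

```python
"""Trigger and resolve a PagerDuty incident for the same underlying resource.

Added example. The detection record, the severity mapping and the
dedup_key scheme are assumptions for illustration, not Red Canary's
implementation. Nothing here talks to the network.
"""
import json

# Constructed sample detection record (not a real Red Canary object).
SAMPLE_DETECTION = {
    "id": 12345,
    "severity": "high",
    "classification": "Malicious Software",
    "subclassifications": ["Credential Theft", "Persistence"],
    # Deprecated field per the text: analytic category -> description.
    "detection_engine_observed": {
        "Process Lineage": "Unexpected parent/child process relationship",
    },
    "url": "https://example.invalid/detections/12345",  # placeholder URL
}

# Assumed mapping from a detection severity to the four levels the
# Events API v2 accepts in payload.severity.
SEVERITY_MAP = {"high": "critical", "medium": "error", "low": "warning"}
VALID_ACTIONS = {"trigger", "acknowledge", "resolve"}
VALID_SEVERITIES = {"critical", "error", "warning", "info"}


def dedup_key_for(resource_type, resource_id):
    """Stable key for one resource, so a later resolve matches the earlier trigger."""
    return f"{resource_type}-{resource_id}"


def custom_details_for(detection):
    """Build the custom_details block described in the text for a detection."""
    return {
        "severity": detection["severity"],
        "classification": detection["classification"],
        "subclassifications": ", ".join(detection["subclassifications"]),
        "detection_engine_observed": detection["detection_engine_observed"],
    }


def build_trigger_event(routing_key, detection, incident_message):
    """Event that creates the incident when the detection is published."""
    return {
        "routing_key": routing_key,
        "event_action": "trigger",
        "dedup_key": dedup_key_for("detection", detection["id"]),
        "payload": {
            "summary": incident_message,
            "source": "red-canary-playbook",  # assumed source label
            "severity": SEVERITY_MAP.get(detection["severity"], "info"),
            "custom_details": custom_details_for(detection),
        },
        # The link back to the confirmed threat mentioned in the text.
        "links": [{"href": detection["url"], "text": "View confirmed threat"}],
    }


def build_resolve_event(routing_key, detection):
    """Event that resolves the incident when the same detection is acknowledged."""
    return {
        "routing_key": routing_key,
        "event_action": "resolve",
        "dedup_key": dedup_key_for("detection", detection["id"]),
    }


def validate_event(event):
    """Return a list of problems; an empty list means the event is well formed."""
    problems = []
    if event.get("event_action") not in VALID_ACTIONS:
        problems.append("event_action must be trigger, acknowledge or resolve")
    if not event.get("routing_key"):
        problems.append("routing_key (integration key) is required")
    if event.get("event_action") == "trigger":
        payload = event.get("payload", {})
        for field in ("summary", "source", "severity"):
            if not payload.get(field):
                problems.append(f"payload.{field} is required for trigger")
        if payload.get("severity") not in VALID_SEVERITIES:
            problems.append("payload.severity must be critical/error/warning/info")
    elif not event.get("dedup_key"):
        problems.append("dedup_key is required to resolve an existing incident")
    return problems


def resolve_matches_trigger(trigger, resolve):
    """True when both events address the same PagerDuty incident."""
    return trigger["dedup_key"] == resolve["dedup_key"]


if __name__ == "__main__":
    key = "INTEGRATION_KEY_PLACEHOLDER"  # placeholder, not a real key
    trig = build_trigger_event(key, SAMPLE_DETECTION, "Red Canary detection published")
    res = build_resolve_event(key, SAMPLE_DETECTION)
    print(json.dumps(trig, indent=2))
    print(json.dumps(res, indent=2))
    print("same incident:", resolve_matches_trigger(trig, res))
```

The point to notice is that the resolve event carries no details of its own: it only needs the routing key and the same dedup_key, which is why a playbook can pair Create PagerDuty Incident on publish with Resolve PagerDuty Incident on acknowledge and have the second action close what the first one opened.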