Integrating with PagerDuty allows Red Canary to trigger PagerDuty incidents as part of an automation playbook.
Estimated procedure time: 10 minutes
- In any playbook, click Add Action.
- Click PagerDuty, Create PagerDuty Incident, and then click Add to Playbook.
- Specify the incident message you want to appear in each PagerDuty incident.
- Click Save & Connect with PagerDuty.
- You will be redirected to the PagerDuty site and asked to authorize Red Canary. Following that, you will be returned to Red Canary.
When the playbook is triggered, you'll see a PagerDuty incident that looks like the following:
What details are included in the PagerDuty incident?
The PagerDuty API allows custom details to be specified for each incident. Red Canary adds several fields when a PagerDuty incident is triggered:
For audit logs:
- actor is set to the name and email of the user triggering the audit log.
- timestamp is set to the time the audit log was created.
- action_name is set to the name of the action that occurred.
For activity monitors:
- activity_monitor is set to the activity monitor’s name.
- num_matches_found is set to the number of matches that were found recently, or were found in this notification.
- severity is set to the detection’s severity.
- classification is set to the detection’s root classification.
- subclassifications is set to a comma-separated list of the detection’s subclassifications.
- A PagerDuty link is included that links to the confirmed threat in Red Canary.
Can PagerDuty incidents be resolved?
Yes. Each incident created by Red Canary has an incident key associated with the underlying resource that triggered the automation, for example: an audit log, detection, or an endpoint. These incidents can also be resolved by Red Canary automation.
For example, a playbook may use Create PagerDuty Incident when a detection is published, and may then use Resolve PagerDuty Incident when a detection is acknowledged. This works because the same detection triggers both the incident creation and resolution actions.