Centralize your security response with Azure Sentinel & PagerDuty

Posted by

This blog was written in collaboration with  , thank you for all of your hard work!

Security teams today are inundated with alerts and information from a growing number of siloed point solutions. Furthermore, manual processes and cross-team handoffs hinder the security team's ability to respond to attacks efficiently.

Security teams are in dire need of workflows that shorten the response cycle by automating workflow actions, so that analysts can focus on remediation and on effectively managing the lifecycle of security incidents. PagerDuty is an agile incident management platform that works with IT Operations and DevOps teams to improve operational reliability and agility.

In this installment, we will cover the process to integrate and centralize your security response in Azure Sentinel with PagerDuty.

Figure 1: High level flow to integrate Azure Sentinel with PagerDuty

Configuration steps

In PagerDuty

1. The first step is to create a REST API key (this API key will be used by Azure Logic Apps to communicate with PagerDuty). Go to the "Apps" menu and click on "API Access".

Figure 1: PagerDuty Configuration

2. On the API Access page, select Create New API Key.

Figure 2: PagerDuty Configuration

3. In the dialog that pops up, you'll be prompted to enter a Description for your key. You will also have the option to create the key as Read-only; leave this box unchecked, as a full-access API key is required. Select the Create Key button to generate the new API key.

Figure 3: PagerDuty Configuration

4. Once the key is generated, you will see a dialog displaying your key and confirming the options you filled in on the previous step.

Figure 4: PagerDuty Configuration

Important: Make sure to copy this key and save it in a secure place, as you will not have access to the key after this step. If you lose a key that you created previously and need access to it again, you should remove the key and create a new one.

In Azure

We now have to import the Logic App that creates the incidents in PagerDuty.

1. Go to GitHub and select the Deploy to Azure button.

Figure 5: Azure Configuration

2. Provide the required parameters: the Azure Sentinel connection name and the Resource Group.

Figure 6: Azure Configuration

3. Once the deployment is complete, go to the resource group to configure the Logic App.

Figure 7: Azure Configuration

4. Click on the Edit button to access the designer.

Figure 8: Azure Configuration

5. In the Logic App, configure the API token value, as well as the PagerDuty service ID.
Note: to increase security, you could store the API token in Azure Key Vault instead of in the Logic App definition.
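To make concrete what the Logic App does with the two values configured in step 5, here is a small added example (it is not the playbook from the repository, nor PagerDuty's own code) that performs the same two actions in Python: it builds and sends the PagerDuty REST API v2 "create incident" call (POST https://api.pagerduty.com/incidents) using the full-access REST API key and the service ID, and it builds the comment with the link back to the PagerDuty incident that the test section below expects to see on the Sentinel incident. The environment variable names, the Sentinel incident fields (title, severity, url), the severity-to-urgency mapping and all sample values are this example's own assumptions; the key is read from the environment and never logged, in the spirit of the Key Vault note.

```python
# Added example, not the page's Logic App or PagerDuty's code. Assumptions
# (all labelled): PagerDuty REST API v2 create-incident endpoint, environment
# variable names, Sentinel incident field names, and the urgency mapping.
import json
import os
import urllib.request

PAGERDUTY_INCIDENTS_URL = "https://api.pagerduty.com/incidents"

# Constructed sample input standing in for the Sentinel incident the
# playbook is run against (field names are this example's own choice).
SAMPLE_SENTINEL_INCIDENT = {
    "title": "Suspicious sign-in from anonymous IP",
    "severity": "High",
    "url": "https://portal.azure.com/#PLACEHOLDER-SENTINEL-INCIDENT-LINK",
}

# Constructed sample of the response body PagerDuty returns on success
# (only the fields this example reads; values are made up).
SAMPLE_PAGERDUTY_RESPONSE = {
    "incident": {
        "id": "PEXAMPL",
        "html_url": "https://example.pagerduty.com/incidents/PEXAMPL",
    }
}


def build_incident_request(api_key, service_id, from_email, sentinel_incident):
    """Return (headers, body) for PagerDuty's create-incident call.

    The key is sent as 'Token token=<key>' (REST API v2 authentication). A
    read-only key cannot create incidents, which is why step 3 leaves the
    Read-only box unchecked.
    """
    if not api_key or not service_id:
        raise ValueError("a PagerDuty API key and service ID are required")
    headers = {
        "Authorization": "Token token=" + api_key,
        "Accept": "application/vnd.pagerduty+json;version=2",
        "Content-Type": "application/json",
        "From": from_email,  # e-mail of a valid user in the PagerDuty account
    }
    # Assumed mapping: Sentinel High/Medium -> PagerDuty 'high' urgency, else 'low'.
    urgency = "high" if sentinel_incident["severity"] in ("High", "Medium") else "low"
    body = {
        "incident": {
            "type": "incident",
            "title": "[Azure Sentinel] " + sentinel_incident["title"],
            "service": {"id": service_id, "type": "service_reference"},
            "urgency": urgency,
            "body": {
                "type": "incident_body",
                "details": "Severity: {}\nSentinel incident: {}".format(
                    sentinel_incident["severity"], sentinel_incident["url"]),
            },
        }
    }
    return headers, body


def comment_from_response(response_json):
    """Text the playbook writes back to the Sentinel incident: a link to the
    PagerDuty incident, taken from html_url in the create-incident response."""
    incident = response_json["incident"]
    return "PagerDuty incident {} created: {}".format(incident["id"], incident["html_url"])


def redact_headers(headers):
    """Copy of the headers that is safe to log: the API key is never written out."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Token token=***"
    return safe


def create_incident(api_key, service_id, from_email, sentinel_incident):
    """Send the request to PagerDuty and return the parsed JSON response."""
    headers, body = build_incident_request(api_key, service_id, from_email, sentinel_incident)
    req = urllib.request.Request(
        PAGERDUTY_INCIDENTS_URL,
        data=json.dumps(body).encode("utf-8"),
        headers=headers,
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    api_key = os.environ.get("PAGERDUTY_API_KEY")        # assumed variable name
    service_id = os.environ.get("PAGERDUTY_SERVICE_ID")  # assumed variable name
    from_email = os.environ.get("PAGERDUTY_FROM", "analyst@example.com")
    if api_key and service_id:
        response = create_incident(api_key, service_id, from_email, SAMPLE_SENTINEL_INCIDENT)
    else:
        # Offline: show the request that would be sent, then use the sample response.
        headers, body = build_incident_request("PLACEHOLDER", "PPLACEH", from_email,
                                               SAMPLE_SENTINEL_INCIDENT)
        print(json.dumps({"headers": redact_headers(headers), "body": body}, indent=2))
        response = SAMPLE_PAGERDUTY_RESPONSE
    print(comment_from_response(response))
```

Run without the environment variables, the script only prints the request it would send (with the key redacted) and the comment built from the sample response; with PAGERDUTY_API_KEY and PAGERDUTY_SERVICE_ID set, it creates a real incident in that service.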

Test your Logic App

To validate that our solution is working as expected, go to Azure Sentinel and open an incident.

1. In the incident, on the Alerts tab, go to the right of the blade and click on View playbooks.

Figure 9: Azure Configuration

2. Search for the Logic App you just created and click on the Run button.

3. Once the execution completes successfully, a new comment with a link to PagerDuty will be added to the incident (you might need to click on the refresh button in the incident).

4. Click on the link in the comment. It will open the incident in PagerDuty.

Putting it all together

In this installment, we demonstrated the process to integrate and centralize your security response in Azure Sentinel with PagerDuty. This integration ensures comprehensive mapping of the alert details to Security Incident artifacts and triggers playbooks in PagerDuty to orchestrate triage, investigation and response actions. Additionally, it brings quality and consistency to security investigations and helps security incident teams scale.

This article is republished; there may be more discussion at the original link. But if you found this helpful, you're more than welcome to let us know!