PagerDuty Example Webhook
This page describes the elements necessary to create a Centrify webhook for PagerDuty
Create a webhook as described in Webhooks, configuring the elements of the endpoint as follows:
- Visit https://v2.developer.pagerduty.com/docs/send-an-event-events-api-v2 for information on the URL to use.
- Use the HTTP method: POST.
- Set an Authorization Header as follows:
Authorization Header: Token token=<token>
where is your PagerDuty authentication token.
- Set the content type to
application/json. - Set the
enabledstate totrue. - Set the Trigger Event Type to
SecurityAlertorAnalytics.Server.AdaptiveSessionRecording. - Select the
Triggering Risk Level(Required if SecurityAlert is selected). - Enter the payload that will be sent as the POST body. For example:
{
"payload": {
"summary": "${intel_risk_level?cap_first} Risk: <#if event_name=='Cloud.Core.MfaSummary'>Service Login<#elseif event_name?starts_with('Cloud.Saas.Application')>Launched ${app_name}<#elseif event_name?ends_with('PasswordExport')>Requested Infrastructure credential checkout<#elseif event_name?ends_with('SessionStart')>Requested Infrastructure login<#elseif event_name?ends_with('CpsTileLaunch')>Infrastructure resource access to ${app_name}<#else>${event_name}<#if action?has_content> for command ${action}</#if> on ${target_address}</#if> from ${user_name} at ${utils.number_to_datetime_timezone(event_time, 'US/Pacific')}",
"source": "${user_name}",
"severity": "warning",
"component": "${target_address}",
"class": "${event_type}",
"custom_details": {
"Event Name": "${event_name}",
"Event Time": "${utils.number_to_datetime_timezone(event_time, 'US/Pacific')}",
"User Name": "${user_name}",
"Server": "${target_address}",
"Risk Level": "${intel_risk_level?cap_first}",
"OS Type": "${os_type}"
<#if action?has_content>,"Command": "${action}"</#if>
<#if privilege_period?has_content>,"Recording Link": "${privilege_period}"</#if>
}
},
"routing_key": "**************************",
"images": [
{
"src": "https://www.centrify.com/images/centrify-logo-breach-stops-here.png",
"href": "https://${tenant_id}-${system.podscape}.${system.domain}/analytics/",
"alt": "Centrify Analytics"
}
],
"links": [
<#if privilege_period?has_content>
{
"href": "${privilege_period}",
"text": "Open Session Recording"
}
</#if>
],
"event_action": "trigger",
"client": "Centrify Analytics",
"client_url": "<#if event_name?starts_with('Cloud')>https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${user_name}'))&start=%24now-21days&end=%24now-0days&categoryval=behavior&drillview=Infrastructure%20Server%20Risk&ignoresession=truemy-dev.centrify.io/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${user_name}'))&start=%24now-21days&end=%24now-0days&categoryval=behavior&drillview=Category%20Alert&ignoresession=true<#else>https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${user_name}'))&start=%24now-21days&end=%24now-0days&categoryval=behavior&drillview=Infrastructure%20Server%20Risk&ignoresession=true</#if>"
}
Note: the routing_key is the "Integration Key" listed on the Events API V2 integration's detail page.
Updated about 5 years ago