PagerDuty Example Webhook

This page describes the elements necessary to create a Centrify webhook for PagerDuty.

Create a webhook as described in Webhooks, configuring the elements of the endpoint as follows:

Authorization Header: Token token=<token>

where <token> is your PagerDuty authentication token.

  • Set the content type to application/json.
  • Set the enabled state to true.
  • Set the Trigger Event Type to SecurityAlert or Analytics.Server.AdaptiveSessionRecording.
  • Select the Triggering Risk Level (Required if SecurityAlert is selected).
  • Enter the payload that will be sent as the POST body. For example:
{
  "payload": {
    "summary": "${intel_risk_level?cap_first} Risk: <#if event_name=='Cloud.Core.MfaSummary'>Service Login<#elseif event_name?starts_with('Cloud.Saas.Application')>Launched ${app_name}<#elseif event_name?ends_with('PasswordExport')>Requested Infrastructure credential checkout<#elseif event_name?ends_with('SessionStart')>Requested Infrastructure login<#elseif event_name?ends_with('CpsTileLaunch')>Infrastructure resource access to ${app_name}<#else>${event_name}<#if action?has_content> for command ${action}</#if> on ${target_address}</#if> from ${user_name} at ${utils.number_to_datetime_timezone(event_time, 'US/Pacific')}",
    "source": "${user_name}",
    "severity": "warning",
    "component": "${target_address}",
    "class": "${event_type}",
    "custom_details": {
      "Event Name": "${event_name}",
      "Event Time": "${utils.number_to_datetime_timezone(event_time, 'US/Pacific')}",
      "User Name": "${user_name}",
      "Server": "${target_address}",
      "Risk Level": "${intel_risk_level?cap_first}",
      "OS Type": "${os_type}"
      <#if action?has_content>,"Command": "${action}"</#if>
      <#if privilege_period?has_content>,"Recording Link": "${privilege_period}"</#if>
    }
  },
  "routing_key": "**************************",
  "images": [
    {
      "src": "https://www.centrify.com/images/centrify-logo-breach-stops-here.png",
      "href": "https://${tenant_id}-${system.podscape}.${system.domain}/analytics/",
      "alt": "Centrify Analytics"
    }
  ],
  "links": [
    <#if privilege_period?has_content>
    {
      "href": "${privilege_period}",
      "text": "Open Session Recording"
    }
    </#if>
  ],
  "event_action": "trigger",
  "client": "Centrify Analytics",
  "client_url": "<#if event_name?starts_with('Cloud')>https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${user_name}'))&start=%24now-21days&end=%24now-0days&categoryval=behavior&drillview=Category%20Alert&ignoresession=true<#else>https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${user_name}'))&start=%24now-21days&end=%24now-0days&categoryval=behavior&drillview=Infrastructure%20Server%20Risk&ignoresession=true</#if>"
}

Note: the routing_key is the "Integration Key" listed on the Events API V2 integration's detail page.
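The template above is rendered by Centrify and POSTed as-is, so a misplaced conditional comma or a wrong severity string only shows up as a rejected event on the PagerDuty side. The following added example (not Centrify's or PagerDuty's own code) is a pre-flight check that a rendered body can be run through, for instance from a staging receiver, before the webhook is pointed at the real endpoint. It checks the fields the Events API v2 requires (routing_key, event_action, payload.summary, payload.source, payload.severity), builds the request headers described on this page, and masks the Integration Key before a body is written to delivery logs. SAMPLE_BODY is constructed by hand to mirror what the template renders for an imaginary Infrastructure login event; the user, host and key in it are placeholders, and the validator's rules beyond the required fields (the 1024-character summary limit, dedup_key for acknowledge/resolve) are assumptions drawn from the public Events API v2 documentation rather than from this page.

```python
"""Pre-flight validation of a rendered PagerDuty Events API v2 body.

Added example, not part of the Centrify documentation. The sample body
is constructed to resemble the template's output; nothing here is sent.
"""
import json

PAGERDUTY_EVENTS_V2_URL = "https://events.pagerduty.com/v2/enqueue"
SEVERITIES = {"critical", "error", "warning", "info"}
EVENT_ACTIONS = {"trigger", "acknowledge", "resolve"}
SUMMARY_MAX_CHARS = 1024  # assumption: Events API v2 summary limit

# Constructed sample of what the template renders for a made-up
# Infrastructure login event (placeholder user, host and key).
SAMPLE_BODY = json.dumps({
    "payload": {
        "summary": "High Risk: Requested Infrastructure login from jdoe "
                   "at 2024-01-15 09:30:00 PST",
        "source": "jdoe",
        "severity": "warning",
        "component": "db01.example.internal",
        "class": "Session",
        "custom_details": {
            "Event Name": "Cloud.Infrastructure.SessionStart",
            "Event Time": "2024-01-15 09:30:00 PST",
            "User Name": "jdoe",
            "Server": "db01.example.internal",
            "Risk Level": "High",
            "OS Type": "Linux",
        },
    },
    "routing_key": "PLACEHOLDER_INTEGRATION_KEY_0000",
    "event_action": "trigger",
    "client": "Centrify Analytics",
    "links": [],
})


def request_headers(api_token: str) -> dict:
    """Headers the page prescribes for the webhook endpoint."""
    return {
        "Authorization": f"Token token={api_token}",
        "Content-Type": "application/json",
    }


def validate_events_v2(body: str) -> list:
    """Return a list of problems; an empty list means the body is acceptable."""
    problems = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        # Typical cause: a conditional comma in the template rendered wrongly.
        return [f"body is not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(doc, dict):
        return ["body must be a JSON object"]

    for key in ("routing_key", "event_action", "payload"):
        if key not in doc:
            problems.append(f"missing top-level field '{key}'")
    action = doc.get("event_action")
    if "event_action" in doc and action not in EVENT_ACTIONS:
        problems.append(f"event_action must be one of {sorted(EVENT_ACTIONS)}")
    if action in ("acknowledge", "resolve") and not doc.get("dedup_key"):
        problems.append("dedup_key is required for acknowledge/resolve")

    payload = doc.get("payload")
    if isinstance(payload, dict):
        for key in ("summary", "source", "severity"):
            if not payload.get(key):
                problems.append(f"missing payload field '{key}'")
        if "severity" in payload and payload["severity"] not in SEVERITIES:
            problems.append(f"payload.severity must be one of {sorted(SEVERITIES)}")
        if len(str(payload.get("summary", ""))) > SUMMARY_MAX_CHARS:
            problems.append(f"payload.summary exceeds {SUMMARY_MAX_CHARS} characters")
    elif "payload" in doc:
        problems.append("payload must be a JSON object")
    return problems


def redact_for_logging(body: str) -> str:
    """Mask the Integration Key so delivery logs do not leak it."""
    doc = json.loads(body)
    key = doc.get("routing_key")
    if isinstance(key, str) and len(key) > 4:
        doc["routing_key"] = "*" * (len(key) - 4) + key[-4:]
    return json.dumps(doc)


if __name__ == "__main__":
    problems = validate_events_v2(SAMPLE_BODY)
    print("target:", PAGERDUTY_EVENTS_V2_URL)
    print("headers:", request_headers("<token>"))
    print("problems:", problems or "none")
    print("logged body:", redact_for_logging(SAMPLE_BODY))
```

The validator is deliberately strict about the fields whose absence PagerDuty rejects outright, and lenient about everything else (custom_details, images, links) so that template changes in those optional sections do not trip it. The redaction step matters because the routing_key is the credential that lets anyone create incidents on the service; it belongs in the request, not in the webhook's delivery log.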