PagerDuty
LAST UPDATED: 04/12/2024
Overview
PagerDuty's Platform for Real-Time Operations integrates machine data & human intelligence to improve visibility & agility across organizations.
D3 SOAR is providing REST operations to function with PagerDuty.
PagerDuty integration is available for use in:
Known Limitations
Limits | REST API | Events API v2 |
Size Limits | - | Events API payloads are limited to 512 KB |
Rate Limits | 900 events/min across an entire organization | approximately 120 calls/minute per integration key |
For more information about API limitation, please refer to PagerDuty REST API Rate Limiting and Events API Limits.
Connection
To connect PagerDuty from D3 SOAR, please follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The REST API base URL. | https://api.pagerduty.com |
Event URL | The base URL for events API. | https://events.pagerduty.com |
API Key | The API key to provide when making API calls. | u+Do************bgRQ |
Integration Key | The integration key is used to determine which service an event should be routed to. If you need to execute event-related commands (such as Create Event, Resolve Event, and Acknowledge Event) using the Events API V2 integration, you must input a valid integration key. Refer to https://support.pagerduty.com/docs/services-and-integrations#add-integrations-to-an-existing-service to add the Events API V2 integration to your service and obtain the integration key. Alternatively, you can visit https://support.pagerduty.com/docs/services-and-integrations#generate-a-new-integration-key to generate a new integration key. | 34be7512****************3c3534ca |
API Version | The Version of API. The defult value is v2. | v2 |
Permission Requirement
As PagerDuty is using role-based access control (RBAC), the API access key and integration key are generated based on a specific user account and the application. Therefore, the command permissions are inherited from the user account’s role. Users need to configure their user profile from the PagerDuty console for each command in this integration.
PagerDuty has two tiers of user roles depending on your account's plan. To determine which tier your role belongs to, navigate to User Icon My Profile. If you see a tab that says Permissions & Teams, please visit our article on Advanced Permissions. If you only see the User Settings tab, your account has basic user roles and you should continue to use User Roles for reference.
Configuring PagerDuty to Work with D3 SOAR
Creating API Key
Login to PagerDuty (https://app.pagerduty.com/) with your email and password.
After signing in, hover your mouse to the Integrations tab, and click API Access Keys under the Developer Tools section.
Click + Create New API Key button to create a new API key.
4. Enter the description for the API Key, then click the Create Key button.
Copy and Save API Key for API authorization.
READER NOTE
This API key will not be visible again, so please store it in a safe place. If you lose it, you can create a new one.
Obtaining an Integration Key (Optional)
The integration key is used to determine which service an event should be routed to. If you need to execute event-related commands (such as Create Event, Resolve Event, and Acknowledge Event) using the Events API V2 integration, you must input a valid integration key.
API keys for the Events API are associated with a service-level integration, and are listed on the Service’s Integrations tab. Read more about configuring integration keys for the Events API in the Services and Integrations article.
Navigate to the Integrations tab. Click the arrow to expand the integration menu. From there you can Copy and Save the Integration key to use for connecting to D3 SOAR.
If this is your first time using the integration key, please refer to the steps below to create one.
Login to PagerDuty. Hover over the Services tab to select Service Directory.
Click on the + New Service button.
Enter a Name and Description for your service, then click Next.
To assign an escalation policy, you can Generate a new Escalation Policy or Select an existing Escalation Policy, then click Next.
To reduce noise, you can combine similar alerts. There are four options to choose from; Intelligent is recommended. Then, click Next.
Check the Events API V2 for your integration. Then click Create Service.
Copy and Save the Integration Key to use in the D3 VSOC connection.
Configuring D3 SOAR to Work with PagerDuty
Log in to D3 SOAR.
Find the PagerDuty integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type PagerDuty in the search box to find the integration, then click it to select it.
Click New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to PagerDuty.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick-box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input the Server URL. The default value is http://api.pagerduty.com.
2. Input the Event URL. The default value is http://events.pagerduty.com.
3. Input the API Key from the PagerDuty platform. Please refer to step 5 of Configuring PagerDuty to Work with D3 SOAR for more details.
4. Input the Integration Key. Please refer to Obtaining an Integration Key for more details.
5. Input the API Version. The default value is v2.Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active. To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
PagerDuty includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the PagerDuty API, please refer to the PagerDuty API reference.
Note for Time-related parameters
The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.
After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.
Acknowledge Event
Changes the status of the specified event to resolve.
READER NOTE
Dedup Key is a required parameter to run this command.
Run the Create Event or Get Incident Alerts commands to obtain Dedup Key. Dedup Keys can be found in the returned raw data of the Create Event command at the path $.dedup_key. Or in the returned raw data of the Get Incident Alerts command at the path $.alerts[*].body.cef_details.dedup_key.
For more information about Dedup Key, please refer to Event Management.
Input
Input Parameter | Required/Optional | Description | Example |
Dedup Key | Required | The key to identifying events. The Dedup key can be obtained using the Create Event or Get Incident Alerts commands. | ***** |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Acknowledge Event failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the PagerDuty portal. Refer to the PagerDuty Error Codes for details. | Status Code: 2100. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Incident ID Not Found. |
Error Sample Data Acknowledge Event failed. Status Code: 2100. Message: Incident ID Not Found. |
Create Event
Sends a trigger event to report a new problem, or to update an ongoing problem, depending on the event type.
Input
Input Parameter | Required/Optional | Description | Example |
Summary | Required | The brief text summary of the event is used to generate the summaries or titles of any associated alerts. | Example alert on 2021101500a |
Severity | Required | The perceived severity of the status the event is describing, with respect to the affected system. The options are Value, Critical, Warning, Error, Info. | Info |
Source | Required | The unique location of the affected system, preferably a hostname or FQDN. | prod-********03.example.com |
Component | Optional | The component of the source machine that is responsible for the event. | Postgres |
Group | Optional | The logical grouping of components of a service. | Prod-datapipe |
Class | Optional | The class/type of the event. | Deploy |
Custom Details | Optional | Additional details about the event and the affected system. | {"ping time":"1500ms","load avg":0.75} |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Event failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the PagerDuty portal. Refer to the PagerDuty Error Codes for details. | Status Code: 2001. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The value for parameter (Custom Details) is invalid. |
Error Sample Data Create Event failed. Status Code: 2001. Message: The value for parameter (Custom Details) is invalid. |
Fetch Incident
Returns existing incident(s) from the platform based on specified criteria.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Required | The Start Time of the time range for fetching incident(s) in UTC time. The maximum time range is 6 months. | 2022-01-10 00:00 |
End Time | Required | The End Time of the time range for fetching incident(s) in UTC time. The maximum time range is 6 months. | 2022-01-11 00:00 |
Top Recent Incident Number | Optional | The maximum number of incidents to return is specified. The default value is 20. | 20 |
Search Condition | Optional | The queries in JSON format to filter results. The supported keys in the JSON include[], time_zone, urgencies[], and statuses[]. The allowed values include[]: users, services, first_trigger_log_entries, escalation_policies, teams, assignees, acknowledges, priorities, conference_bridge; The allowed values for urgencies[]: high, low, suppressed; The allowed values for statuses[]: triggered, acknowledged, resolved. | { "include[]": "first_trigger_log_entries", "time_zone": "UTC", "urgencies[]": "high", "statuses[]": "triggered" } |
Output
Incident Field Mapping
For this integration, the default incident fields in D3 SOAR are fixed with no built-in source fields. Users can specify the source fields as needed.
Event and Incident Intake Field Mapping
Please note that incident and event intake commands require both Event Field and Incident Field Mapping. These field mappings are the default event/incident field mappings for D3 system integrations. You can edit the provided mappings or create custom mappings as needed. Please refer to Event and Incident Intake Field Mapping for more details.
Incident Main JSON Path: $.incidents
Field Name | Source Field |
Title | User to define |
Description | User to define |
Severity | User to define, default is “Low” |
Incident Type * | User to define, default is the first Incident form in D3 SOAR system |
Incident Creator | User to define |
Incident Owner | User to define |
Incident Playbook | User to define |
Due In Date | User to define |
Unique Key | User to define |
Tactics | User to define |
Techniques | User to define |
Event Field Mapping
Main Event JSON Path
$
Please refer to the table below for Event Field Mapping:
Field Name | Source Field |
Unique Event Key | .id |
Start Time | .created_at |
Event Type | .type |
Description | .description |
Status | .status |
Urgency | .urgency |
Priority | .priority |
Title | .title |
IncidentNumber | .incident_number |
IncidentKey | .incident_key |
AlertCounts | .alert_counts.all |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Incident failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the PagerDuty portal. Refer to the PagerDuty Error Codes for details. | Status Code: 2001. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The value for parameter (Number of Incident(s) Fetched) is invalid. |
Error Sample Data Fetch Incident failed. Status Code: 2001. Message: The value for parameter (Number of Incident(s) Fetched) is invalid. |
Get All Schedules
Retrieves the on-call schedules.
Input
N/A
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get All Schedules failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the PagerDuty portal. Refer to the PagerDuty Error Codes for details. | Status Code: 2010. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access Denied. |
Error Sample Data Get All Schedules failed. Status Code: 2010. Message: Access Denied. |
Get Incident Alerts
Retrieves all alerts related to the specified incident.
READER NOTE
The parameter Incident IDs is required to run this command.
Run the Fetch Incident command to obtain Incident IDs. Incident IDs can be found in the returned raw data at the path $.incidents[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Incident IDs | Required | The ID to identify an incident. Incident IDs can be obtained using the Fetch Incident command. | ["Q25********0BF"] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Incident Alerts failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the PagerDuty portal. Refer to the PagerDuty Error Codes for details. | Status Code: 2100. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Not Found. |
Error Sample Data Get Incident Alerts failed. Status Code: 2100. Message: Not Found. |
Get User Contact Methods
Retrieves contact methods of the specified user.
READER NOTE
The parameter User IDs is required to run this command.
Run the List Users command to obtain User IDs. User IDs can be found in the returned raw data at the path $.users[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
User IDs | Required | The IDs of the users to get contact methods. The user IDs can be obtained using the List Users command. | ["*****"] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get User Contact Methods failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the PagerDuty portal. Refer to the PagerDuty Error Codes for details. | Status Code: 2100. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: User ID not found. |
Error Sample Data Get User Contact Methods failed. Status Code: 2100. Message: User ID not found. |
List Users
Lists users of your PagerDuty account.
Input
Input Parameter | Required/Optional | Description | Example |
Query | Optional | The query string filters results, for example, filtering username or email. | sysint@d3security.com |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Users failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the PagerDuty portal. Refer to the PagerDuty Error Codes for details. | Status Code: 2100. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Not Found. |
Error Sample Data List Users failed. Status Code: 2100. Message: Not Found. |
Resolve Event
Changes the status of the specified event to resolve.
READER NOTE
Dedup Key is a required parameter to run this command.
Run the Create Event or Get Incident Alerts commands to obtain Dedup Key. Dedup Keys can be found in the returned raw data of the Create Event command at the path $.dedup_key. Or in the returned raw data of the Get Incident Alerts command at the path $.alerts[*].body.cef_details.dedup_key.
For more information about Dedup Key, please refer to Event Management.
Input
Input Parameter | Required/Optional | Description | Example |
Dedup Key | Required | The key to identifying events. The Dedup key can be obtained using the Create Event or Get Incident Alerts commands. | ***** |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Resolve Event failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the PagerDuty portal. Refer to the PagerDuty Error Codes for details. | Status Code: 2100. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Not Found. |
Error Sample Data Resolve Event failed. Status Code: 2100. Message: Not Found. |
Resolve Incidents
Resolves the specified incident by incident IDs, including all alerts of the incident.
READER NOTE
The parameter Incident IDs is required to run this command.
Run the Fetch Incident command to obtain Incident IDs. Incident IDs can be found in the returned raw data at the path $.incidents[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Incident IDs | Required | The ID to identify an incident. Incident ID can be obtained using the Fetch Incident command. | ["*****"] |
From | Required | The email address of a valid user associated with the account to resolve the incident. | admin@d3security.com |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Resolve Incidents failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the PagerDuty portal. Refer to the PagerDuty Error Codes for details. | Status Code: 2100. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Incident Not Found. |
Error Sample Data Resolve Incidents failed. Status Code: 2100. Message: Incident Not Found. |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the PagerDuty portal. Refer to the PagerDuty Error Codes for details. | Status Code: 2010. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access Denied. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 2010. Message: Access Denied. |
FAQ
What is PagerDuty?
Through its SaaS-based platform, PagerDuty empowers developers, DevOps, IT operations and business leaders to prevent and resolve business-impacting incidents for an exceptional customer experience. When revenue and brand reputation depend on customer satisfaction, PagerDuty arms organizations with the insight to proactively manage events that may impact customers across their IT environments. With hundreds of native integrations, on-call scheduling and escalations, machine learning, business-wide response orchestration, analytics, and much more. PagerDuty gets the right data in the hands of the right people in real-time, every time.
When you see 429 - Request Limit Exceeded, what should you do?
Simply retrying the request a moment later can help alleviate rate limits. We suggest retrying 3 times with each request being 30 seconds apart.
What if the rate limit of the integration key is exceeded?
An easy solution is to increase the number of integration keys used on a service (fanning out).