PagerDuty Example Webhook

This page describes the elements necessary to create a webhook that sends Idaptive security alerts to PagerDuty's Events API v2.

Create a webhook as described in Webhooks, configuring the elements of the endpoint as follows:

Authorization Header: Token token=<token>

where <token> is your PagerDuty authentication token. Treat it as a credential: store it in the webhook configuration, not in shared payload templates or tickets.

  • Set the content type to application/json.
  • Set the enabled state to true.
  • Set the Trigger Event Type to SecurityAlert.
  • Select the Triggering Risk Level (Required if SecurityAlert is selected).
  • Enter the payload that will be sent as the POST body. The body is a FreeMarker template that is rendered into the JSON PagerDuty expects; the ${...} expressions and <#if> directives are evaluated per alert before the request is sent. For example:
{
  "payload": {
    "summary": "${intel_risk_level?cap_first} Risk: <#if event_name=='Cloud.Core.MfaSummary'>Service Login<#elseif event_name?starts_with('Cloud.Saas.Application')>Launched ${app_name}<#else>${event_name}<#if action?has_content> for command ${action}</#if> on ${target_address}</#if> from ${event.user_name} at ${utils.number_to_datetime_timezone(event_time, 'US/Pacific')}",
    "source": "${event.user_name}",
    "severity": "warning",
    "component": "${target_address}",
    "class": "${event_type}",
    "custom_details": {
      "Event Name": "${event_name}",
      "Event Time": "${utils.number_to_datetime_timezone(event_time, 'US/Pacific')}",
      "User Name": "${event.user_name}",
      "Server": "${target_address}",
      "Risk Level": "${intel_risk_level?cap_first}",
      "OS Type": "${os_type}"
      <#if action?has_content>,"Command": "${action}"</#if>
    }
  },
  "routing_key": "xxxxxxxxx",
  "event_action": "trigger",
  "client": "Idaptive Analytics",
  "client_url": "https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${event.user_name}'))&start=%24now-21days&end=%24now-0days&categoryval=behavior&drillview=Category%20Alert&ignoresession=true"
}

Note: the routing_key is the "Integration Key" listed on the Events API V2 integration's detail page. It is the only credential the Events API checks, so anyone who obtains it can open or resolve incidents on that service; treat it as a secret.

Note also that the template drops values such as ${event.user_name} and ${action} straight into the JSON text. A user name or command containing a double quote or backslash produces a body that is not valid JSON, and PagerDuty will reject the event. If the template engine exposes FreeMarker's ?json_string built-in (not confirmed by this page), apply it to every interpolated string value, and ?url to the user name embedded in client_url. PagerDuty accepts only critical, error, warning and info for payload.severity and truncates payload.summary at 1024 characters.
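The following is an added example, not code from the Idaptive or PagerDuty documentation. It builds the same Events API v2 body as the template above from a plain Python dict, so that json.dumps escapes the interpolated values, checks the fields the Events API requires, and shows what the page's naive string interpolation does to a user name that contains a double quote. The sample alert, the risk-to-severity mapping, and the assumption that event_time is epoch milliseconds rendered in UTC are all constructed for this example.

```python
"""Build and validate a PagerDuty Events API v2 body for an Idaptive alert.

Added example; mirrors the FreeMarker template on this page but lets the
JSON encoder do the quoting.  Sample data below is constructed.
"""
import json
from datetime import datetime, timezone

EVENTS_API_V2 = "https://events.pagerduty.com/v2/enqueue"
VALID_SEVERITIES = {"critical", "error", "warning", "info"}
VALID_ACTIONS = {"trigger", "acknowledge", "resolve"}
SUMMARY_MAX = 1024

# Assumed mapping from the page's intel_risk_level values to PagerDuty
# severities; the page itself hard-codes "warning" for every alert.
RISK_TO_SEVERITY = {"high": "critical", "medium": "warning", "low": "info"}

SAMPLE_EVENT = {  # constructed sample alert, not real Idaptive output
    "event_name": "Cloud.Server.Command",
    "event_type": "Cloud.Server",
    "user_name": 'alice@example.com" OR "1"="1',  # quote chars on purpose
    "target_address": "10.0.0.12",
    "intel_risk_level": "high",
    "event_time": 1700000000000,  # epoch milliseconds (assumed unit)
    "os_type": "Linux",
    "action": "sudo su -",
    "app_name": "",
}


def event_time_iso(event):
    """Render event_time as ISO 8601 in UTC (the page uses US/Pacific)."""
    return datetime.fromtimestamp(event["event_time"] / 1000, tz=timezone.utc).isoformat()


def build_summary(event):
    """Same branching as the page's summary template."""
    risk = event["intel_risk_level"].capitalize()  # FreeMarker ?cap_first
    name = event["event_name"]
    if name == "Cloud.Core.MfaSummary":
        what = "Service Login"
    elif name.startswith("Cloud.Saas.Application"):
        what = f"Launched {event['app_name']}"
    else:
        what = name
        if event.get("action"):
            what += f" for command {event['action']}"
        what += f" on {event['target_address']}"
    return f"{risk} Risk: {what} from {event['user_name']} at {event_time_iso(event)}"


def build_event(event, routing_key, client_url):
    """Assemble the Events API v2 envelope as a dict; json.dumps escapes it."""
    details = {
        "Event Name": event["event_name"],
        "Event Time": event_time_iso(event),
        "User Name": event["user_name"],
        "Server": event["target_address"],
        "Risk Level": event["intel_risk_level"].capitalize(),
        "OS Type": event["os_type"],
    }
    if event.get("action"):  # <#if action?has_content> in the template
        details["Command"] = event["action"]
    return {
        "payload": {
            "summary": build_summary(event)[:SUMMARY_MAX],
            "source": event["user_name"],
            "severity": RISK_TO_SEVERITY.get(event["intel_risk_level"].lower(), "warning"),
            "component": event["target_address"],
            "class": event["event_type"],
            "custom_details": details,
        },
        "routing_key": routing_key,
        "event_action": "trigger",
        "client": "Idaptive Analytics",
        "client_url": client_url,
    }


def validate_event(ev):
    """Return a list of problems against the Events API v2 rules; [] is OK."""
    problems = []
    if not ev.get("routing_key"):
        problems.append("routing_key missing")
    if ev.get("event_action") not in VALID_ACTIONS:
        problems.append(f"event_action {ev.get('event_action')!r} invalid")
    p = ev.get("payload") or {}
    for key in ("summary", "source", "severity"):
        if not p.get(key):
            problems.append(f"payload.{key} missing")
    if p.get("severity") and p["severity"] not in VALID_SEVERITIES:
        problems.append(f"payload.severity {p['severity']!r} not in {sorted(VALID_SEVERITIES)}")
    if len(p.get("summary", "")) > SUMMARY_MAX:
        problems.append("payload.summary longer than 1024 characters")
    return problems


def render(ev):
    """Serialize the envelope; this is the POST body for EVENTS_API_V2."""
    return json.dumps(ev)


def naive_template(event):
    """Mimic the page's template: values pasted into JSON text unescaped."""
    return ('{"payload": {"summary": "' + build_summary(event) + '", "source": "'
            + event["user_name"] + '", "severity": "warning"}, '
            '"routing_key": "x", "event_action": "trigger"}')


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    body = build_event(SAMPLE_EVENT, "INTEGRATION_KEY", "https://example.invalid/explore")
    print("problems:", validate_event(body))
    print("encoded body valid JSON:", is_valid_json(render(body)))
    print("template-style body valid JSON:", is_valid_json(naive_template(SAMPLE_EVENT)))
```

Run it and the encoded body passes both the JSON and the field checks while the template-style body, with the same user name, is rejected by the JSON parser; that is the failure the escaping caveat above is about.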