PagerDuty

PagerDuty + Lacework Integration Benefits

• Extend Lacework Events to route to the correct people, at the correct time that fits your existing business processes using PagerDuty triage, escalations, and workflows.
• One-way event notification forwards from Lacework to PagerDuty.
• Lacework Alert Routing and Alert Rules settings allow you to configure which events and severities to receive and which resource groups and event categories you want events for. They grant complete control of the alert channels forwarded to PagerDuty.

How it Works

Lacework events that arise from anomaly detection, compliance, vulnerabilities, or configured rule definitions send an event to a service in PagerDuty. Events from Lacework can either trigger a new incident on the corresponding PagerDuty service or be grouped as alerts into an existing incident. For additional information about incidents and alerts, see https://support.pagerduty.com/docs/incidents and https://support.pagerduty.com/docs/alerts.

Requirements

• PagerDuty integrations require an Admin base role for account authorization. If you do not have this role, contact an Admin or Account Owner within your organization to configure the integration.
• Lacework requires an integration key, and alerts and incidents must be enabled. Integration keys are generated by creating a new service or by creating a new integration for an existing service.

Set Up PagerDuty

Follow these steps to integrate with a PagerDuty service:

1. Navigate to Services > Service Directory.
2. Add an integration to a service through one of the following methods:
   • Add your integration to an existing service—In the Configuring Services and Integrations documentation, follow the procedure outlined in the Edit Existing Service Settings section.
   • Create a new service for your integration—In the Configuring Services and Integrations documentation, follow the procedure outlined in the Create a New Service section.
3. Expand the Lacework integration's settings.
4. Edit the Integration Name so it uses the format monitoring-tool-service-name (e.g., Lacework-Cloud-Security) and click Save.
5. When you expand the integration's settings, you can also view the Integration Key. Save this key in a safe location because it will be used when you configure the integration with Lacework in the next section.

Create a PagerDuty Alert Channel from the Lacework Console

Navigate to PagerDuty

1. Log in to the Lacework Console as a Lacework user with administrative privileges.
2. Go to Settings > Notifications > Alert channels.
3. Click + Add new.
4. Select PagerDuty.
5. Click Next.
6. Follow the steps in the next section.

Create a PagerDuty Alert Channel

Ensure you have set up your PagerDuty integration key as described in Set Up PagerDuty. Then complete the following steps:

1. Name the channel (e.g., PagerDuty-something).
2. Add your integration key.
3. Click Save.
4. Locate the new PagerDuty alert channel.
   Notice that the status check reads “Integration Check Pending.”
5. Click Test Integration and it will indicate “success.”
   From the PagerDuty console, confirm that an incident was triggered with the subject “This is a test Message.”
6. When complete, click Alert rules and configure your required alert routing details/options by leveraging the alert channel you created.

Disable the PagerDuty Alert Channel

Follow these steps to disable the PagerDuty alert channel in the Lacework Console.

1. Log in to the Lacework Console as a Lacework user with administrative privileges.
2. Go to Settings > Notifications > Alert Channels.
3. Locate the desired PagerDuty alert channel.
4. In the Status column, click the green Enabled status to change it to Disabled.

Uninstall the PagerDuty Alert Channel

Follow these steps to uninstall the PagerDuty alert channel from the Lacework Console.

1. Log in to the Lacework Console with a Lacework user that has administrative privileges.
2. Navigate to Settings > Notifications > Alert Channels.
3. Select the desired PagerDuty alert channel checkbox and click Delete (trash icon).

Create a Lacework PagerDuty Alert Channel Using Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework alert channels using automation.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read the Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

For a complete list of custom Terraform resources to manage alert channels in Lacework, see Managing Alert Channels with Terraform.

# Configure PagerDuty Alert Channel in Lacework

resource "lacework_alert_channel_pagerduty" "critical" {
  name            = "Forward Critical Alerts"
  integration_key = "1234abc8901abc567abc123abc78e012"
}

Additional information on the lacework_alert_channel_pagerduty resource can be found on the Terraform Registry.