PagerDuty

PagerDuty + Lacework Integration Benefits

• Extend Lacework Events to route to the correct people, at the correct time that fits your existing business processes using PagerDuty triage, escalations, and workflows.
• One-way event notification forwards from Lacework to PagerDuty.
• Lacework Alert Routing and Alert Rules settings allow you to configure which events and severities to receive and which resource groups and event categories you want events for. They grant complete control of the alert channels forwarded to PagerDuty.

How it Works

Lacework events that arise from anomaly detection, compliance, vulnerabilities, or configured rule definitions send an event to a service in PagerDuty. Events from Lacework can either trigger a new incident on the corresponding PagerDuty service or be grouped as alerts into an existing incident. For additional information about incidents and alerts, see https://support.pagerduty.com/docs/incidents and https://support.pagerduty.com/docs/alerts.

Requirements

• PagerDuty integrations require an Admin base role for account authorization. If you do not have this role, contact an Admin or Account Owner within your organization to configure the integration.
• Lacework requires an integration key, and alerts and incidents must be enabled. Integration keys are generated by creating a new service or by creating a new integration for an existing service.

Support

If you need help with this integration, contact support@lacework.net.

Integration Setup

In PagerDuty

Follow these steps to integrate with a PagerDuty service:

1. Navigate to Services > Service Directory.
2. Add an integration to a service through one of the following methods:
   • Add your integration to an existing service—In the Configuring Services and Integrations documentation, follow the procedure outlined in the Edit Existing Service Settings section.
   • Create a new service for your integration—In the Configuring Services and Integrations documentation, follow the procedure outlined in the Create a New Service section.
3. Expand the Lacework integration's settings.
4. Edit the Integration Name so it uses the format monitoring-tool-service-name (e.g., Lacework-Cloud-Security) and click Save.
5. When you expand the integration's settings, you can also view the Integration Key. Save this key in a safe location because it will be used when you configure the integration with Lacework in the next section.

In Lacework

After you have your PagerDuty integration key, return to the Lacework Console and complete the following steps:

1. Log in to the Lacework Console with a Lacework user that has administrative privileges.
2. Navigate to Settings > Alert Routing > Alert Channels.
3. Click + Create New.
4. Under Channel Type, select PagerDuty, select Next.
5. Name the channel (e.g., PagerDuty-something).
6. Add your integration key.
7. Click Save.

8. Locate the new PagerDuty alert channel.
   Notice that the status check reads “Integration Check Pending.”

9. Click Test Integration and it will indicate “success.”
   From the PagerDuty console, confirm that an incident was triggered with the subject “This is a test Message.”

10. When complete, click Alert Rules and configure your required alert routing details/options by leveraging the alert channel you created.

Disable the PagerDuty Alert Channel

Follow these steps to disable the PagerDuty alert channel in the Lacework Console.

1. Log in to the Lacework Console with a Lacework user that has administrative privileges.
2. Navigate to Settings > Alert Routing > Alert Channels.
3. Locate the desired PagerDuty alert channel.
4. In the Status column, click the green Enabled status to change it to Disabled.

Uninstall the PagerDuty Alert Channel

Follow these steps to uninstall the PagerDuty alert channel from the Lacework Console.

1. Log in to the Lacework Console with a Lacework user that has administrative privileges.
2. Navigate to Settings > Alert Routing > Alert Channels.
3. Select the desired PagerDuty alert channel checkbox and click Delete (trash icon).

Create a Lacework PagerDuty Alert Channel Using Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform Provider for Lacework which enables configuration of Lacework Alert Channels using automation.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read the Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

For a complete list of custom Terraform resources to manage alert channels in Lacework, see Managing Alert Channels with Terraform.

# Configure PagerDuty Alert Channel in Lacework

resource "lacework_alert_channel_pagerduty" "critical" {
  name            = "Forward Critical Alerts"
  integration_key = "1234abc8901abc567abc123abc78e012"
}

Additional information on the lacework_alert_channel_pagerduty resource can be found on the Terraform Registry.