crowdstrike/logscale-pagerduty

VendorCrowdStrike Holdings, Inc.
AuthorCrowdStrike
Version1.0.0
Minimum LogScale Version1.76.0

This package contains a template for creating a webhook action to send LogScale alerts and scheduled searches to PagerDuty. The action template provides the same content as the Action Type: PagerDuty and additionally also sends timestamp and description of the trigger. It also provides a way to customize what is sent to PagerDuty.

Installing the Package in LogScale

Find the repository where you want to use PagerDuty actions or create a new one.

  1. Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.

  2. Click Marketplace and install the LogScale package for PagerDuty (i.e. crowdstrike/logscale-pagerduty).

  3. When the package has finished installing, on the top menu go to Alerts and then click Actions on the side menu.

  4. Click + New action, a pop-up is displayed.

  5. Type a name for the action, select From package and click Continue.

  6. Set the routing key by replacing ``

  7. Set the severity by replacing `` with `critical`, `error`, `warning`, or `info` in the Message Body Template.

Customizing Your Action and Triggers

In order to customize the action, see PagerDuty API documentation for an overview of what fields you can send. You can use Message Templates and Variables to fill in information about the trigger, the query and the events found by the query.

The message template documentation also describes how you can use these templates in the name or the description of the trigger. That enables you to use the same action for multiple triggers and get customized messages, where the customization happens in the trigger.

Example

You create an action where the message contains {description} which will be replaced by the description of the trigger. In the description of one trigger, you can then write Host {field:$host} failed.

If the result of the trigger had a field host=3, this will be expanded to Host 3 failed, before being put into the `{description}` message template in the action. Another trigger could have a different description using different fields.