/AS-Create-Opsgenie-Incident

Create an incident in Opsgenie with the information from a Microsoft Sentinel incident

AS-Create-Opsgenie-Incident

Author: Accelerynt

For any technical questions, please contact info@accelerynt.com

Deploy to Azure Deploy to Azure Gov

This playbook is intended to be run from a Microsoft Sentinel Incident. It will create either an incident or an alert in Opsgenie with the information from a Microsoft Sentinel incident.

Opsgenie_Demo_1

This playbook maps Microsoft Sentinel incident severity over to Opsgenie incident/alert priority like so:

Microsoft Sentinel Opsgenie
High P2 - High
Medium P3 - Moderate
Low P4 - Low
Informational P5 - Informational

Requirements

The following items are required under the template settings during deployment:

  • An Opsgenie account and an API integration
  • For creating Opsgenie incidents, a standard or enterprise plan is needed. This is not a requirement for creating Opsgenie alerts. It should be noted that structurally, incident and alert objects are nearly identical in Opsgenie, and either works well with Microsoft Sentinel incident data. If you are using a trial account, select the alert endpoint during deployment
  • An Azure Key Vault Secret containing your Okta API Token

Setup

Create an Opsgenie API integration

From your Opsgenie account, select the "Teams" tab, and then click "Add Team".

opsgenie_setup_1

Enter "Microsoft Sentinel" in the name field and add an optional description, then click "Add team".

opsgenie_setup_2

From the newly created team page, navigate to "Integrations" from the left menu blade, then click "Add integration".

opsgenie_setup_3

Although there are pre-built integration apps for Microsoft Azure, there is currently not one for Microsoft Sentinel, therefore the "API" integration must be selected.

opsgenie_setup_4

Take note of the "API Key" that is generated, as it will be needed later, then click "Save integration".

opsgenie_setup_5

Create an Azure Key Vault Secret:

Navigate to the Azure Key Vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults

Navigate to an existing Key Vault or create a new one. From the Key Vault overview page, click the "Secrets" menu option, found under the "Settings" section. Click "Generate/Import".

Opsgenie_Key_Vault_1

Choose a name for the secret, such as "AS-Create-Opsgenie-Incident-API-Key", and enter the Opsgenie API Key copied previously in the previous section. All other settings can be left as is. Click "Create".

Opsgenie_Key_Vault_2

Once your secret has been added to the vault, navigate to the "Access policies" menu option, also found under the "Settings" section on the Key Vault page menu. Leave this page open, as you will need to return to it once the playbook has been deployed. See Granting Access to Azure Key Vault.

Opsgenie_Key_Vault_3

Deployment

To configure and deploy this playbook:

Open your browser and ensure you are logged into your Microsoft Sentinel workspace. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub Repository:

https://github.com/Accelerynt-Security/AS-Create-Opsgenie-Incident

Deploy to Azure Deploy to Azure Gov

Click the “Deploy to Azure” button at the bottom and it will bring you to the custom deployment template.

In the Project Details section:

  • Select the “Subscription” and “Resource Group” from the dropdown boxes you would like the playbook deployed to.

In the Instance Details section:

  • Playbook Name: This can be left as "AS-Create-Opsgenie-Incident" or you may change it.

  • Opsgenie Endpoint: This can be left as "/v1/incidents/create" if mapping Microsoft Sentinel incidents to Opsgenie incidents, or changed to "/v2/alerts" if mapping Microsoft Sentinel incidents to Opsgenie alerts.

  • Key Vault Name: Enter the name of the Key Vault referenced in Create an Azure Key Vault Secret.

  • Secret Name: Enter the name of the Key Vault Secret created in Create an Azure Key Vault Secret.

Towards the bottom, click on “Review + create”.

Opsgenie_Deploy_1

Once the resources have validated, click on "Create".

Opsgenie_Deploy_2

The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "Deployment details" section to view them. To view the deployed Logic App, click the resource that corresponds to it.

Opsgenie_Deploy_3

Granting Access to Azure Key Vault

Before the Logic App can run successfully, the Key Vault connection created during deployment must be granted access to the Key Vault storing your Okta API Token.

From the Key Vault "Access policies" page, click "Create".

Opsgenie_Access_1

Select the "Get" checkbox under "Secret permissions", then click "Next".

Opsgenie_Access_2

Paste "AS-Create-Opsgenie-Incident" into the principal search box and click the option that appears. Click "Next" towards the bottom of the page.

Opsgenie_Access_3

Navigate to the "Review + create" section and click "Create".

Opsgenie_Access_4