Rapid Incident Response with Incapsula and PagerDuty | Imperva

Rapid Incident Response with Incapsula and PagerDuty

With the growing number of attacks targeting organizations worldwide, operations teams are under more pressure than ever to stay on top of the increasing number of incidents.

PagerDuty offers improved incident visibility and flexible notifications that result in faster resolution times. By using PagerDuty, Imperva Incapsula customers can now better manage incident response. We believe our integration with PagerDuty gives your ops teams the tools they need to be more responsive to the growing volume of threats.

We configured our PagerDuty account to receive the incident notifications that Incapsula sends by email. We also created two services with different notification settings: one for incident alerts and one for more routine communications such as weekly reports.

Here’s the screenshot of the Service we configured in the Configuration section:

[Screenshot: PagerDuty service integration settings]

In the Integration Settings > Email Filters section, we configured the service to accept only emails whose subject does not match the regex Weekly Report for(.*). Since that email type doesn't represent an urgent issue, we don't want it to trigger alerts that wake up operations staff. Weekly reports were routed instead to the second service we created for them.

In the “Email Management” section, you can see that an incident for the service is triggered (1) when an email body contains the phrase We suspect that your site is under a DDoS attack, and resolved automatically (2) when a follow-up email’s body contains the phrase Seems that the DDoS attack has ended. For the resolve to close the right incident, both emails must share an incident key: here it is the text that follows DDoS Alert: in the subject (referenced on the following line in (2)), so the “attack ended” email for one site resolves only the incident that was opened for that site.

You can replicate this rule for other alerts as well, not just DDoS attacks, and make it more flexible with additional regular expressions (RegEx).

For example, we set the Backdoor Type threat setting to Generic Backdoor. The alert we received was: We detected a backdoor on example.com.

We also set alerts for SQL injection, cross site scripting, remote file inclusion and illegal resource access request blocks.
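To make the trigger/resolve/key mechanics concrete, here is a small Python model of the email rules described above. It is an added example written for this page, not PagerDuty's or Incapsula's code: it filters out weekly-report mail, opens an incident when a body matches a trigger phrase, derives the incident key from the subject text after DDoS Alert:, and resolves only the incident with the matching key. The backdoor rule keys on the hostname in the body, and the sample emails (subjects included) are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Email:
    subject: str
    body: str

@dataclass
class Rule:
    name: str
    trigger: re.Pattern          # body phrase that opens an incident
    resolve: Optional[re.Pattern]  # body phrase that closes it (None = manual only)
    key: re.Pattern              # one capture group; the incident key
    key_from: str                # "subject" or "body": where the key is taken from

# Subject filter: routine mail that must never page anyone.
ROUTINE = re.compile(r"Weekly Report for(.*)")

RULES = [
    # Trigger, resolve and key exactly as described for the DDoS alerts.
    Rule("ddos",
         trigger=re.compile(r"We suspect that your site is under a DDoS attack"),
         resolve=re.compile(r"Seems that the DDoS attack has ended"),
         key=re.compile(r"DDoS Alert:\s*(.+)"),
         key_from="subject"),
    # Backdoor alerts have no "resolved" mail, so they stay open until an
    # operator closes them; the host in the body serves as the key (assumed).
    Rule("backdoor",
         trigger=re.compile(r"We detected a backdoor on (\S+)"),
         resolve=None,
         key=re.compile(r"We detected a backdoor on (\S+)"),
         key_from="body"),
]

def route(emails: List[Email]) -> Tuple[Dict[str, str], List[Email]]:
    """Return (incident key -> status, routine emails diverted by the filter)."""
    incidents: Dict[str, str] = {}
    routine: List[Email] = []
    for m in emails:
        if ROUTINE.search(m.subject):
            routine.append(m)          # goes to the weekly-report service instead
            continue
        for rule in RULES:
            source = m.subject if rule.key_from == "subject" else m.body
            k = rule.key.search(source)
            if not k:
                continue
            key = f"{rule.name}:{k.group(1).strip().rstrip('.')}"
            if rule.trigger.search(m.body):
                incidents[key] = "triggered"
            elif rule.resolve and rule.resolve.search(m.body):
                # A resolve with no open incident for that key is ignored,
                # so an "attack ended" mail for site A never closes site B.
                if incidents.get(key) == "triggered":
                    incidents[key] = "resolved"
    return incidents, routine

# Constructed sample mail in the shape of the notifications quoted in the text.
SAMPLE_EMAILS = [
    Email("DDoS Alert: example.com",
          "We suspect that your site is under a DDoS attack. Mitigation is active."),
    Email("Weekly Report for example.com",
          "Your weekly traffic summary is attached."),
    Email("DDoS Alert: shop.example.com",
          "We suspect that your site is under a DDoS attack."),
    Email("DDoS Alert: example.com",
          "Seems that the DDoS attack has ended."),
    Email("Security Alert",
          "We detected a backdoor on example.com"),
    Email("DDoS Alert: other.example.com",
          "Seems that the DDoS attack has ended."),   # no prior trigger: ignored
]

if __name__ == "__main__":
    incidents, routine = route(SAMPLE_EMAILS)
    for key, status in incidents.items():
        print(f"{key}: {status}")
    print(f"{len(routine)} routine email(s) diverted")
```

The point to check when you build the real rules is the key: if the resolve regex were allowed to match without a key, the first "attack ended" email would close every open DDoS incident, including one for a different site that is still under attack. PagerDuty's email filters are also regex matches, so anchor or tighten them if a subject could legitimately contain the routine phrase.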

Think of your PagerDuty dashboard as your email inbox: just as you set filters to send emails to different folders, you can set up Services in PagerDuty to route incident alerts to specific recipients—ops, security, marketing and other teams.

Alerts

The PagerDuty dashboard gives you a full view of attacks against your site.

[Screenshot: PagerDuty dashboard showing triggered alerts]

Alerts can also be sent via email, phone and SMS messages.
[Screenshot: SMS text alerts]

This is just a quick overview to illustrate how easily you can configure PagerDuty to meet your specific requirements. Is there a custom rule you’d like help setting up? Leave us a comment and we’ll be happy to help.

To learn more about how you can use PagerDuty to build a rapid response plan, register for our upcoming webinar, “Improve Incident Response with Incapsula and PagerDuty.”