Is it possible to use Pagerduty as a SIEM?

namjin.kim · December 2, 2020, 2:05am

Another team in the company is using Pagerduty for on call management.
I am a member of the security team,
I would like to see the logs of AWS and other security devices as a correlation rule, but I do not have SIEM.
It’s good to introduce SIEM as a new one, but it’s not easy, and I see other teams using Pagerduty and ask.
Is it possible to create correlation rules from multiple logs using Pagerduty??

Inactive-Member-99077006 · December 2, 2020, 10:49am

Hello,

It does appear the ask is regarding PagerDuty and SIEM, right?

PagerDuty sure has a number of Security-related native integrations for this purpose such as Splunk, Sumo Logic. They should meet your requirements?

Regards,

namjin.kim · December 3, 2020, 3:02am

I know splunk, sumo logic is a good tool to use with Siem.
However, it is difficult for the team to introduce them newly.
Pagerduty has another team that is already using it, so it’s easy to introduce, so ask.
I need the ability to create correlation rules.
Guardduty, IDS, FW, WAF, VPC Flow log, etc. are currently simply stored in S3.
Splunk, somo logic, and datadog are good to use as siems, but I can’t afford to build them.
I would like to analyze the correlation of these logs and receive alerts via slack or email when certain conditions are met.

Inactive-Member-99077006 · December 3, 2020, 7:17am

Hello,

PagerDuty will not do that on its own. But using the native integration with SIEM tools like Splunk, PagerDuty on will provide you with Notification in real time to alert you when things go wrong. Events have to be fed to PagerDuty for this to happen. The correlation rules would need to to be created outside of PagerDuty and events fed to PagerDuty in order to trigger an Incident. The use of Rulesets can be used to determine the user to notify in the event of something going wrong.

I hope that helps.

Cheers