PagerDuty User Token
Service Name: PagerDuty
Service Description: PagerDuty is an incident management platform that provides reliable notifications, automatic escalations, on-call scheduling, and other functionality to help teams detect and fix infrastructure problems quickly.
Service Address: https://www.pagerduty.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the account level through PagerDuty's IP Access Control feature.
Secret Access Scope: Grants programmatic access to PagerDuty resources based on the permissions of the user associated with the token. Can be used to manage incidents, schedules, services, and other PagerDuty resources.
Secret Revokement URL: https://support.pagerduty.com/docs/api-access-keys#revoke-an-api-key
Secret Example: y_NbAkKc66ryYTWUXYEu
Suspicious Activity Investigation Instructions:
- Review PagerDuty audit logs for unusual API calls or resource access.
- Check for unauthorized incident creation, acknowledgment, or resolution.
- Monitor for changes to escalation policies, schedules, or service configurations.
- Look for unusual login patterns or access from unexpected locations.
- Verify if there are any new integrations or webhooks that were recently added.
Mitigation Instructions:
- Log in to your PagerDuty account.
- Navigate to Configuration > API Access.
- Locate the compromised API key.
- Click the "Revoke" button next to the key.
- Create a new API key if needed, with appropriate scopes.
- Review and update any applications or integrations that were using the revoked key.
- Consider implementing IP restrictions for API access if not already in place.
- Enable two-factor authentication for all users with API access.