Skip to content

PagerDuty User Token

Service Name: PagerDuty

Service Description: PagerDuty is an incident management platform that provides reliable notifications, automatic escalations, on-call scheduling, and other functionality to help teams detect and fix infrastructure problems quickly.

Service Address: https://www.pagerduty.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level through PagerDuty's IP Access Control feature.

Secret Access Scope: Grants programmatic access to PagerDuty resources based on the permissions of the user associated with the token. Can be used to manage incidents, schedules, services, and other PagerDuty resources.

Secret Revokement URL: https://support.pagerduty.com/docs/api-access-keys#revoke-an-api-key

Secret Example: y_NbAkKc66ryYTWUXYEu

Suspicious Activity Investigation Instructions:

  • Review PagerDuty audit logs for unusual API calls or resource access.
  • Check for unauthorized incident creation, acknowledgment, or resolution.
  • Monitor for changes to escalation policies, schedules, or service configurations.
  • Look for unusual login patterns or access from unexpected locations.
  • Verify if there are any new integrations or webhooks that were recently added.

Mitigation Instructions:

  • Log in to your PagerDuty account.
  • Navigate to Configuration > API Access.
  • Locate the compromised API key.
  • Click the "Revoke" button next to the key.
  • Create a new API key if needed, with appropriate scopes.
  • Review and update any applications or integrations that were using the revoked key.
  • Consider implementing IP restrictions for API access if not already in place.
  • Enable two-factor authentication for all users with API access.