python, port-scanning

Pagerduty grouping the incidents in one single incident


I have written a port scanner in Python which sends "illegal ports open" notifications as an incident to PagerDuty. The integration works fine, but there is a small issue which bugs me. I am unable to send a unique incident for each host which has an open port. Let's assume that my script scanned 2 hosts, finds that illegal ports are open, and sends a notification to PagerDuty as follows:

for serv in host.services:
    if serv.port not in safe_port:
        print('Illegal Port open :' + str(serv.port) + '/' + str(serv.protocol) + ' ' + str(serv.service) + ', on host=> ' + str(host))

        notify_slack_forbidden_port(str(serv.port), str(serv.protocol), str(serv.service), str(host))
        ######
        notify_pagerduty_forbidden_port(str(serv.port), str(serv.protocol), str(serv.service), str(host))
    else:
        pass  # port is in the allow-list; the original snippet is cut off here

The function definition for notify_pagerduty_forbidden_port is as follows:

import json
import requests

def notify_pagerduty_forbidden_port(a, b, c, d):   ## Call this when a forbidden port has been opened up
    # a=port, b=protocol, c=service, d=host; API_ACCESS_KEY and box_name are globals defined elsewhere in the script
    headers = {
        'Authorization': 'Token token={0}'.format(API_ACCESS_KEY),
        'Content-type': 'application/json',
    }
    payload = json.dumps({
      "service_key": API_ACCESS_KEY,
      "incident_key": "illegal/port",   # the same key for every event, so PagerDuty de-duplicates them into one incident
      "event_type": "trigger",
      "description": "An illegal port was found open " + str(a) + "/" + str(b) + " service " + str(c) + " on " + str(d) + " Found in " + str(box_name),
    })
    print("Sending to Pagerduty", payload)
    r = requests.post(
        'https://events.pagerduty.com/generic/2010-04-15/create_event.json',
        headers=headers,
        data=payload,
    )
    r.raise_for_status()   # surface HTTP errors instead of silently ignoring the response
    print("Done!")

My problem is that when this gets sent to PagerDuty, it is treated as one incident rather than separate incidents:

(screenshot of the single PagerDuty incident omitted)

I am expecting that for each open port on each host, a different incident is generated.


Solution

  • This behaviour is described in the docs:

    incident_key - Identifies the incident to which this trigger event should be applied. If there's no open (i.e. unresolved) incident with this key, a new one will be created. If there's already an open incident with a matching key, this event will be appended to that incident's log. The event key provides an easy way to "de-dup" problem reports.

    So if you use a different incident_key each time you insert a new issue, you get a new issue id.
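As an added example (not code from the question or the answer above), the following derives the incident_key from the finding itself, so each (host, port, protocol) becomes its own incident while a rescan of the same host and port is appended to the incident that is already open, exactly as the quoted de-dup rule says. It also shows a "resolve" event for the same key once the port is closed. SERVICE_KEY, BOX_NAME and the FakePagerDuty class are assumptions constructed for this example: the fake only models the de-dup rule so the logic can be exercised offline, it is not the real service.

```python
"""Added example: one PagerDuty incident per (host, port, protocol).

SERVICE_KEY, BOX_NAME and FakePagerDuty are constructed for this example;
FakePagerDuty models only the incident_key de-dup rule quoted from the docs.
"""
import json

EVENTS_URL = "https://events.pagerduty.com/generic/2010-04-15/create_event.json"
SERVICE_KEY = "REPLACE_WITH_INTEGRATION_KEY"   # assumption: integration key of the PagerDuty service
BOX_NAME = "scanner-01"                        # assumption: name of the host running the scanner


def incident_key_for(host, port, protocol):
    """Deterministic key per (host, port, protocol).

    Same host/port on a rescan -> same key -> appended to the open incident.
    Different host or port       -> different key -> separate incident.
    """
    return "illegal-port/{}/{}/{}".format(host, int(port), protocol.lower())


def build_event(event_type, host, port, protocol, service="", box_name=BOX_NAME):
    """Build a Generic Events API v1 body; event_type is trigger/acknowledge/resolve."""
    if event_type not in ("trigger", "acknowledge", "resolve"):
        raise ValueError("unsupported event_type: %r" % event_type)
    event = {
        "service_key": SERVICE_KEY,
        "incident_key": incident_key_for(host, port, protocol),
        "event_type": event_type,
    }
    if event_type == "trigger":
        event["description"] = "Illegal port open {}/{} ({}) on {}, found by {}".format(
            port, protocol, service, host, box_name)
        event["details"] = {"host": host, "port": int(port), "protocol": protocol,
                            "service": service, "scanner": box_name}
    return event


def send_event(event, session=None, url=EVENTS_URL):
    """POST one event to the real endpoint; raises on HTTP errors."""
    import requests  # imported here so the rest of the module runs without it
    s = session or requests.Session()
    r = s.post(url, data=json.dumps(event),
               headers={"Content-Type": "application/json"}, timeout=10)
    r.raise_for_status()
    return r.json()


class FakePagerDuty:
    """In-memory stand-in (constructed for this example) implementing the rule:
    trigger with no open incident for the key -> new incident; otherwise the
    event is appended to the open incident. Returns the incident number."""

    def __init__(self):
        self.incidents = []   # dicts: id, key, open, log

    def _open_for(self, key):
        for inc in self.incidents:
            if inc["key"] == key and inc["open"]:
                return inc
        return None

    def receive(self, event):
        inc = self._open_for(event["incident_key"])
        if event["event_type"] == "trigger":
            if inc is None:
                inc = {"id": len(self.incidents) + 1, "key": event["incident_key"],
                       "open": True, "log": []}
                self.incidents.append(inc)
            inc["log"].append(event)
            return inc["id"]
        if inc is None:
            return None               # nothing open to acknowledge or resolve
        if event["event_type"] == "resolve":
            inc["open"] = False
        inc["log"].append(event)
        return inc["id"]

    def open_count(self):
        return sum(1 for inc in self.incidents if inc["open"])


def report_scan(findings, pd):
    """findings: (host, port, protocol, service) tuples for ports outside the
    allow-list. Returns the incident number each finding landed on."""
    return [pd.receive(build_event("trigger", h, p, proto, svc))
            for h, p, proto, svc in findings]


if __name__ == "__main__":
    pd = FakePagerDuty()
    scan = [("10.0.0.5", 23, "tcp", "telnet"), ("10.0.0.7", 21, "tcp", "ftp")]  # constructed sample
    print(report_scan(scan, pd))        # two separate incidents
    print(report_scan(scan[:1], pd))    # rescan: appended to incident 1, no third incident
    pd.receive(build_event("resolve", "10.0.0.5", 23, "tcp"))
    print(pd.open_count())              # one incident still open
```

Swap FakePagerDuty.receive for send_event to talk to the real endpoint; the incident_key logic is the same either way. Keep the key free of anything that changes between scans (timestamps, scan ids), otherwise every run opens fresh incidents instead of de-duplicating onto the existing one.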