Defend Alert Integration
The One Defend (EDR) integrates directly with On-Call to page the on-call technician when a critical or high-severity threat is detected on a managed endpoint.
How It Works
When Defend detects a critical or high-severity security event, it calls the On-Call internal escalation endpoint:
POST /api/internal/escalations/create
X-Integration-Key: <DEFEND_SERVICE_KEY>
On-Call receives the Defend alert payload, creates an incident, and immediately begins escalating to the on-call technician.
The integration uses deduplication: if Defend fires multiple alerts for the same detection (e.g., during an active ransomware attack), only one On-Call incident is created. Subsequent alerts update the existing incident rather than spawning new pages.
Alert Payload from Defend
Defend sends the following data with each escalation request:
| Field | Description |
|---|---|
| title | Detection name (e.g., "Ransomware behavior detected on CLIENT-WS-04") |
| severity | critical or high — maps directly to On-Call incident severity |
| source | Always defend |
| source_ref | Defend alert ID — used as the dedup key |
| description | Full detection details including device name, process chain, and file paths |
| device_name | Hostname of the affected endpoint |
| detection_type | MITRE ATT&CK technique name (e.g., T1486 - Data Encrypted for Impact) |
| mitre_technique | MITRE technique ID and name |
| recommended_action | Defend's recommended immediate response (e.g., "Isolate device from network") |
| tenant_id | Org ID for multi-tenant routing |
What the On-Call Technician Sees
When paged for a Defend alert, the on-call technician's notification and incident detail include:
- Device name — which endpoint triggered the detection
- Detection type — what Defend classified the behavior as
- MITRE technique — the ATT&CK technique mapping (useful for understanding scope and lateral movement risk)
- Recommended action — Defend's immediate mitigation guidance
- Incident link — direct link to the incident in On-Call and to the Defend detection in the Defend console
This gives the technician enough context to act immediately without needing to log into Defend first.
Severity Thresholds
Only critical and high severity Defend detections trigger On-Call pages:
| Defend Severity | On-Call Action |
|---|---|
| Critical | Creates incident immediately, starts escalation |
| High | Creates incident immediately, starts escalation |
| Medium | No On-Call incident; appears in Defend dashboard only |
| Low / Info | No On-Call incident |
To change the severity threshold, adjust the routing rules on the Defend integration in On-Call's Alert Sources settings.
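The escalation call, payload fields, deduplication rule and severity threshold described above, as an added example that is not On-Call's or Defend's own code: a hypothetical in-memory model of the endpoint that rejects a missing or wrong X-Integration-Key with 401, ignores sub-threshold severities, and dedups on source plus source_ref so a repeat alert updates the incident instead of paging again. The alert values are constructed.

```python
import hmac

# Only these Defend severities page the on-call technician (see Severity Thresholds).
PAGING_SEVERITIES = {"critical", "high"}


def sample_alert(source_ref="DEF-0001", severity="critical"):
    """Constructed Defend alert payload using the documented field names."""
    return {
        "title": "Ransomware behavior detected on CLIENT-WS-04",
        "severity": severity,
        "source": "defend",
        "source_ref": source_ref,            # dedup key
        "description": "Mass file rename observed; full process chain in Defend console",
        "device_name": "CLIENT-WS-04",
        "detection_type": "Data Encrypted for Impact",
        "mitre_technique": "T1486 - Data Encrypted for Impact",
        "recommended_action": "Isolate device from network",
        "tenant_id": "org-42",               # constructed tenant id
    }


class OnCallIngest:
    """Hypothetical model of POST /api/internal/escalations/create (not On-Call's code)."""

    def __init__(self, service_key):
        self.service_key = service_key.encode()
        self.incidents = {}  # "source:source_ref" -> incident record

    def create_escalation(self, headers, payload):
        """Return (http_status, response_body) for one Defend escalation request."""
        presented = headers.get("X-Integration-Key", "").encode()
        # Constant-time comparison: a wrong or absent key fails without leaking which bytes matched.
        if not hmac.compare_digest(presented, self.service_key):
            return 401, {"error": "Unauthorized"}
        if payload.get("severity") not in PAGING_SEVERITIES:
            # Medium / low / info stay in the Defend dashboard only; no incident, no page.
            return 202, {"status": "ignored", "paged": False}
        dedup_key = f"{payload['source']}:{payload['source_ref']}"
        incident = self.incidents.get(dedup_key)
        if incident is not None:
            # Repeat alert for the same detection: refresh details, do not page again.
            incident["description"] = payload["description"]
            incident["updates"] += 1
            return 200, {"status": "updated", "incident_id": incident["id"], "paged": False}
        incident = {"id": len(self.incidents) + 1, "updates": 0, **payload}
        self.incidents[dedup_key] = incident
        return 201, {"status": "created", "incident_id": incident["id"], "paged": True}
```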
Configuring the Integration
Step 1: Get the Defend Service Key
The DEFEND_SERVICE_KEY is a shared secret generated by the On-Call API. It must be set as an environment variable on both:
- On-Call API (theoneoncall-api): DEFEND_SERVICE_KEY
- Defend API (theonedefend-api): ONCALL_SERVICE_KEY
If these keys are not set, Defend escalation calls will fail with a 401 Unauthorized response.
theoneoncall-kv and theonedefend-kv. Rotate both simultaneously if you need to change the key.
Step 2: Create a Defend Escalation Service
- In On-Call, go to Services → New Service.
- Name it Defend Critical Alerts.
- Set Criticality: Critical.
- Assign a dedicated escalation policy for security incidents (faster escalation, shorter delays).
- Set Alert Grouping: Time-based, 5 minutes — groups a burst of related detections during an active incident.
- Set Auto Resolve: Never — security incidents should be manually resolved after investigation.
- Click Save.
Step 3: Assign the Service in Defend
In the Defend admin settings, set the On-Call service ID as the escalation target. Defend routes all critical/high detections to this service.
Responding to a Defend Page
When you receive a page from a Defend-sourced incident:
- Acknowledge the On-Call incident immediately — this stops escalation to the next tier.
- Review the context in the incident: device name, MITRE technique, recommended action.
- Open Defend — click the Defend investigation link in the incident to see the full detection.
- Take action — follow Defend's recommended action (isolate device, run remediation, etc.).
- Add notes to the On-Call incident as you investigate — notes become part of the incident record.
- Resolve the On-Call incident when the Defend detection is remediated.
If you need to hand off to another technician mid-investigation, reassign the incident via the incident detail page (assigned_to field).
PSA Ticket Auto-Creation
When you acknowledge a Defend-sourced On-Call incident, a PSA ticket is automatically created with:
- Incident title and description (including device name and MITRE technique)
- Defend alert source link
- Your acknowledgment timestamp
Your investigation notes in On-Call sync to the PSA ticket. When you resolve the On-Call incident, the PSA ticket is updated with the resolution summary.
See PSA Ticket Creation for full details.