
Manual Test Runbook — K2: On-Call Integration

Owner: Sagar  |  Time: ~10 min (live apply)  |  Sandbox: snowops-sandbox-01

Overview

K2 provides the Baseline-tier On-Call Integration module, used to forward high-severity security incidents (from Microsoft Sentinel or Microsoft Defender for Cloud, formerly Azure Defender) to on-call and chat endpoints such as PagerDuty, Opsgenie, or Slack.

The module creates an Azure Monitor Action Group (with webhook and/or email receivers) and optionally binds it to Defender for Cloud workflow automation (still called Security Center automation in Terraform and in this module's input names) so that alerts are routed without a manual step.

The catalog test criterion is: synthetic Sentinel incident → page received. This runbook exercises it with a Defender for Cloud sample alert as the synthetic incident and a mock webhook standing in for the pager.

Part A — Live Deployment (~5 min)

A1. Deploy the Module

Create a temporary main.tf in a sandbox directory calling the oncall-integration module:

module "oncall" {
  source              = "../../modules/azure/oncall-integration"
  action_group_name   = "snowops-test-oncall"
  short_name          = "snow-oncall" # Action Group short names are limited to 12 characters
  resource_group_name = "snowops-sandbox-01-rg"

  webhook_receivers = [
    {
      name        = "slack-webhook"
      # Replace with a throwaway inspector URL (e.g. from webhook.site). The
      # inspector is public and the alert payload it receives carries
      # subscription and resource IDs, so only ever point it at the sandbox.
      service_uri = "https://webhook.site/your-test-url-here"
    }
  ]

  # Route Defender for Cloud alerts from the sandbox subscription to the Action Group.
  enable_security_center_automation = true
  security_center_scope_id          = "/subscriptions/<YOUR-SUBSCRIPTION-ID>"
}

Run terraform init, then terraform plan and terraform apply. The plan should show the Action Group and the Security Center automation being created; anything unexpected means the module was called with the wrong inputs. The B2 check expects the Azure Monitor Common Alert Schema, which the underlying azurerm_monitor_action_group webhook receiver only emits when use_common_alert_schema is enabled, so confirm the module sets it before applying.

Part B — Trigger Alert & Verification (~5 min)

B1. Synthetic Incident Generation

  1. Navigate to Microsoft Defender for Cloud -> Security alerts.
  2. Select Sample alerts at the top.
  3. Choose the sandbox subscription and generate the sample alerts; confirm at least one of them is High severity. Allow a few minutes for the alerts to appear in the Security alerts list and for the automation to fire.

B2. Validate Webhook Delivery

  1. Open the mock webhook inspector (e.g. the webhook.site page for your URL).
  2. Verify that an HTTP POST was received whose JSON body has "schemaId": "azureMonitorCommonAlertSchema" (the Azure Monitor Common Alert Schema). A body without that schemaId is a legacy, alert-type-specific payload, which means the receiver was created without the common schema enabled.
  3. Confirm the alert was forwarded as high severity: data.essentials.severity is expected in the Sev0/Sev1 range (the common schema scale runs from Sev0, most severe, to Sev4) and data.essentials.monitorCondition should be Fired. Redact subscription IDs before pasting the capture into the sign-off notes.
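To make the B2 check repeatable, the following is an added example (not code from the oncall-integration module or from the original runbook) that validates a captured webhook body against the Common Alert Schema fields named above and redacts subscription IDs for the notes. The sample capture is constructed with placeholder IDs, and treating Sev0/Sev1 as "high severity" is an assumption of this check, not something the module defines.

```python
"""Check a captured K2 webhook body against the Azure Monitor Common Alert Schema.

Added example for this runbook; it is not code from the oncall-integration
module. Only the schemaId and data.essentials field names are taken from the
real schema; every ID and name below is a placeholder.
"""
import json
import re

# CONSTRUCTED sample capture shaped like a common-schema alert POST.
SAMPLE_CAPTURE = json.dumps({
    "schemaId": "azureMonitorCommonAlertSchema",
    "data": {
        "essentials": {
            "alertId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                       "/providers/Microsoft.AlertsManagement/alerts/"
                       "11111111-1111-1111-1111-111111111111",
            "alertRule": "snowops-test-oncall-sample",
            "severity": "Sev1",
            "signalType": "Log",
            "monitorCondition": "Fired",
            "monitoringService": "Log Alerts V2",
            "alertTargetIDs": [
                "/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourcegroups/snowops-sandbox-01-rg"
            ],
            "firedDateTime": "2024-01-01T00:00:00.000Z",
            "description": "Sample alert (constructed)",
        },
        "alertContext": {},
    },
})

# ASSUMPTION for this check: "high severity" is Sev0 (Critical) or Sev1 (Error)
# on the common schema's Sev0..Sev4 scale.
HIGH_SEVERITIES = frozenset({"Sev0", "Sev1"})

# Matches "/subscriptions/<GUID>" so subscription IDs can be blanked.
SUBSCRIPTION_RE = re.compile(
    r"(?i)/subscriptions/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
)


def validate_capture(raw: str, high_severities=HIGH_SEVERITIES) -> dict:
    """Return {"ok": bool, "severity": str | None, "problems": [str, ...]}.

    ok is True only when the body is a common-schema alert in the Fired state
    whose severity is in high_severities.
    """
    problems = []
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        return {"ok": False, "severity": None, "problems": [f"body is not JSON: {exc}"]}
    if not isinstance(payload, dict):
        return {"ok": False, "severity": None, "problems": ["body is not a JSON object"]}

    if payload.get("schemaId") != "azureMonitorCommonAlertSchema":
        # Legacy, alert-type-specific payload: the receiver was created
        # without the common alert schema enabled.
        problems.append("schemaId is not azureMonitorCommonAlertSchema (legacy payload?)")

    data = payload.get("data")
    essentials = data.get("essentials") if isinstance(data, dict) else None
    if not isinstance(essentials, dict):
        problems.append("data.essentials missing; cannot read severity")
        return {"ok": False, "severity": None, "problems": problems}

    severity = essentials.get("severity")
    if severity not in high_severities:
        problems.append(f"severity {severity!r} not in {sorted(high_severities)}")
    condition = essentials.get("monitorCondition")
    if condition != "Fired":
        problems.append(f"monitorCondition is {condition!r}, expected 'Fired'")
    return {"ok": not problems, "severity": severity, "problems": problems}


def redact_subscriptions(raw: str) -> str:
    """Replace subscription GUIDs so a capture can go into the sign-off notes."""
    return SUBSCRIPTION_RE.sub("/subscriptions/<redacted>", raw)


if __name__ == "__main__":
    verdict = validate_capture(SAMPLE_CAPTURE)
    print("PASS" if verdict["ok"] else "FAIL", verdict)
    print(redact_subscriptions(SAMPLE_CAPTURE))
```

Paste the raw body shown by the inspector in place of SAMPLE_CAPTURE; a legacy payload fails on the schemaId check rather than on severity, which points back to the receiver configuration instead of the alert.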

Pass criteria

  • Terraform apply completes successfully
  • Action Group and Security Center Automation are provisioned
  • Synthetic high-severity alert reaches the webhook destination as a Common Alert Schema POST whose severity reflects the high-severity alert

Teardown

  • Run terraform destroy on the temporary deployment and confirm terraform state list prints nothing.
  • Verify the action group is removed: az monitor action-group show --name snowops-test-oncall --resource-group snowops-sandbox-01-rg should fail with a not-found error.
  • Retire the mock webhook URL so the inspector stops accepting posts.

Sign-off

  • Tester: _  |  Date: _  |  Result: PASS / FAIL / N/A
  • Notes: