# Alert Sources

The Dropzone platform creates Investigations based on alerts that it receives from connected customer systems, such as cloud-native alerting, EDR, workforce solutions, and SIEM.

Common Alert Sources include AWS GuardDuty, CrowdStrike, Microsoft Defender, and Splunk.

Some typical features of alert sources:

* Require API access to your corporate systems, granted through API keys or by sharing your resources with a customer-specific Dropzone service account
* May have filtering to investigate only some portion of available alerts, such as only HIGH or CRITICAL
* Can "backfill" alerts from before you enabled the Alert source to capture and investigate historical alerts
* Dropzone can "write back" to some Alert sources, such as select ticketing systems

## Configuration Options

Alert sources have a number of common configuration options:

| Type                       | Purpose                                                                            | Examples                                              |
| -------------------------- | ---------------------------------------------------------------------------------- | ----------------------------------------------------- |
| API parameters and secrets | Access credentials and configuration Dropzone uses to authenticate to service APIs | URL endpoints, Client IDs, Client secrets, API tokens |
| Ingest filters             | Select which types of events you want to investigate                               | High and Critical alerts only                         |
| Ingest frequency           | How often the source is polled for more actionable events                          | 60 seconds                                            |

Each integration documentation page will go into details about which values you'll need and how to find them.

<figure><img src="/files/pvNqWm6fk8mjD3yBBeU8" alt=""><figcaption><p>An example Alert Source configuration with severity selector</p></figcaption></figure>

## Backfilling Alerts

When you enable an Alert Source, it starts looking for new alerts immediately. You may also wish to "backfill" to pull in historical alerts for processing.

On all Alert Source configuration pages, after the configuration section, you'll find "Backfill alerts":

<figure><img src="/files/6DAIErYIusX4ulQRs5ht" alt=""><figcaption><p>Backfill Time Selection</p></figcaption></figure>

Pick the time range of historical alerts you wish to pull and click "Save".

A new backfill progress section appears immediately, where you can watch the backfill run:

<figure><img src="/files/XfoyIWVE81ceZajkfxWZ" alt=""><figcaption><p>Backfill Time Complete</p></figcaption></figure>


