# Panther

{% hint style="info" %}
Panther is a SIEM integration. SIEM integrations are used to analyze alerts generated by the SIEM and/or to use the SIEM's data as part of an investigation.
{% endhint %}

The Dropzone platform integrates with the [Panther](https://panther.com) security SIEM. Many customers ingest other alert sources into Panther (e.g. IDPs) and integrate Dropzone into Panther rather than the source systems.

## Create an API Key

The Panther integration requires an API key before it can be enabled.

To obtain an API Key, do the following:

* Navigate to your Panther homepage
* Click on the gear icon in the top right corner
* Select "API Tokens"

<figure><img src="/files/rMbgKWDczTARxzk3jnh4" alt=""><figcaption><p>Select API Tokens</p></figcaption></figure>

* Record the API URL located at the top of the page for use later in the Dropzone UI where it is called "Panther URL"

<figure><img src="/files/Kc1naJsLMdcCPxRn6GZU" alt=""><figcaption><p>API URL</p></figcaption></figure>

* Click on "Create New Token"
* Grant the token the following permissions:

| Permission       | Purpose                                                                     |
| ---------------- | --------------------------------------------------------------------------- |
| Manage Alerts    | (optional) Allows Dropzone to add investigation results as Panther comments |
| Read Alerts      | Allows access to alert information                                          |
| View Rules       | Allows viewing the log rules set up in Panther                              |
| Query Data Lake  | Allows listing and issuing Data Explorer & Indicator Search queries         |
| View Log Sources | Allows viewing the log sources set up in Panther                            |
| Read User Info   | Allows access to user information related to your Panther resources         |

* Click "Create API Token" at the bottom of the page

<figure><img src="/files/rVEE5HVK3ENW87OnOJHM" alt=""><figcaption><p>Create API Token</p></figcaption></figure>

* Record the value for use later in the Dropzone UI where it is called "API key"

<figure><img src="/files/QklKBnMt3jMyy18vJaX9" alt=""><figcaption><p>Record the API Token</p></figcaption></figure>

{% hint style="danger" %}
This value is not shown again after you leave this page, so record it immediately.
{% endhint %}

* Click "Done"

## Enable The Dropzone Alert Source Integration

To enable the Alert Source integration, do the following:

* Navigate to your Dropzone AI tenant home page, e.g. `https://mycompany.dropzone.app`, where `mycompany` is your tenant name
* In the bottom left-hand corner, navigate to Settings > Integrations

<figure><img src="/files/zN02u3HObDaemUY8E1kD" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="/files/brI7n2Ux40Tk0jTwBCVh" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search Panther, then click "Configure"

<figure><img src="/files/aIQoOqxBNgtDUIkUVV9e" alt=""><figcaption><p>The Panther Tile</p></figcaption></figure>

* Under the Alert Source heading, input the Panther URL and the API key

<figure><img src="/files/TgcmrbtdIQ06zerb7Zh6" alt=""><figcaption><p>The Panther Alert Source Configuration (pt 1)</p></figcaption></figure>

* In the "Enabled alert statuses for ingestion" section, check the alert [statuses](https://docs.panther.com/alerts/alert-management) you want Dropzone to be able to investigate

{% hint style="info" %}
The "Closed" status in the Dropzone UI is shown as "Invalid" in the Panther UI.
{% endhint %}

<figure><img src="/files/1fkB0aonm4bL2tbgSvAc" alt=""><figcaption><p>The Panther Alert Source Configuration (pt 2)</p></figcaption></figure>

* Check the severity levels you want to ingest

<figure><img src="/files/JwdkK7Jy7lkP5cJEcM6H" alt=""><figcaption><p>The Panther Alert Source Configuration (pt 3)</p></figcaption></figure>

* Select a duration in minutes for alert deduplication. See the [Panther alert deduplication](https://docs.panther.com/detections/rules#deduplication-of-alerts) documentation for more information. A value of 15 is reasonable.
* Optionally, filter which alerts are ingested by setting "Detection ID regex filter"
  * When a regex is entered in this field, Dropzone only ingests alerts whose origin ID matches the regular expression
  * Example origin IDs: `AWS.Root.Activity`, `Okta.AdminRoleAssigned`, `GCP.GKE.Kubernetes.Cron.Job.Created.Or.Modified`
  * Supports [Python regular expression syntax](https://docs.python.org/3/library/re.html)
    * For example, to ingest all alerts *other* than AWS alerts, you could use `^(?!AWS).*`
  * Work with your Dropzone technical resource to determine whether a filter is appropriate

<figure><img src="/files/2g0TkODCIx38xONKh8nz" alt=""><figcaption><p>The Panther Alert Source Configuration (pt 4)</p></figcaption></figure>
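As an added example (not Dropzone's or Panther's code), the following Python applies a detection ID regex filter to a few constructed alerts so you can check what a pattern will ingest before saving it. The page does not state whether Dropzone anchors the match at the start of the ID, so both semantics are shown as an assumption; patterns with explicit `^`/`$` anchors behave the same either way.

```python
import re
from typing import Iterable

# Constructed sample alerts: the first three origin IDs are the page's own
# examples, the last two are made up here to exercise the filter.
SAMPLE_ALERTS = [
    {"id": "a-1", "origin_id": "AWS.Root.Activity"},
    {"id": "a-2", "origin_id": "Okta.AdminRoleAssigned"},
    {"id": "a-3", "origin_id": "GCP.GKE.Kubernetes.Cron.Job.Created.Or.Modified"},
    {"id": "a-4", "origin_id": "Custom.AWS.Billing.Anomaly"},  # constructed
    {"id": "a-5", "origin_id": "AWSAccountTakeover"},          # constructed
]


def compile_filter(pattern: str) -> re.Pattern:
    """Compile the "Detection ID regex filter" value, failing fast on bad syntax.

    An unbalanced parenthesis or similar typo would otherwise only surface once
    ingestion starts, so validate the expression before saving it.
    """
    return re.compile(pattern)


def matching_origin_ids(pattern: str, alerts: Iterable[dict],
                        anchored: bool = True) -> list[str]:
    """Return the origin IDs that would be ingested under `pattern`.

    anchored=True uses re.match (the pattern must match from the start of the
    ID); anchored=False uses re.search (a match anywhere in the ID counts).
    Which of the two Dropzone applies is an assumption, not stated on the page.
    """
    rx = compile_filter(pattern)
    test = rx.match if anchored else rx.search
    return [a["origin_id"] for a in alerts if test(a["origin_id"])]


if __name__ == "__main__":
    # The page's example: everything except AWS alerts. The leading ^ makes the
    # result identical under both semantics.
    print(matching_origin_ids(r"^(?!AWS).*", SAMPLE_ALERTS))
    # An unanchored "AWS" also catches Custom.AWS.* under search semantics.
    print(matching_origin_ids(r"AWS", SAMPLE_ALERTS, anchored=False))
    # "^AWS\." keeps AWS.Root.Activity but not the constructed AWSAccountTakeover.
    print(matching_origin_ids(r"^AWS\.", SAMPLE_ALERTS))
```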

* In the "Ticket Sync" section, check the boxes to choose what comments you wish to be included with each ticket

<figure><img src="/files/esiRPvNQvq4f0KYDeEJ3" alt=""><figcaption><p>The Panther Alert Source Configuration (pt 5)</p></figcaption></figure>

* Click "Test & Save" to finish

{% hint style="info" %}
The Panther API token activation is not instantaneous. If the connection fails initially, try again after a few minutes.
{% endhint %}

If you encounter any errors, engage your Dropzone AI support representative.
