Splunk
The Dropzone AI Platform integrates with Splunk Enterprise, a SIEM tool. Dropzone can analyze Splunk-generated alerts and/or use Splunk data as part of an investigation. Many customers ingest other alert sources (e.g. IdPs) into Splunk and integrate Dropzone with Splunk rather than with the source systems.
Dropzone communicates with Splunk Enterprise through the Dropzone Connector.
There are two methods to integrate with Dropzone AI: creating a Splunk user or configuring an API token. To create an API token, follow the instructions in Splunk's documentation.
To create a Splunk user, do the following:
1. In the Home Menu of Splunk Enterprise, navigate to Settings > Users.
2. Click "New User".
3. Name the user something memorable, such as Dropzone AI, and create a password. Save both for later use in the Dropzone UI, where they are called "Username" and "Password" respectively.
4. In the "Assign Roles" section, assign the user the "User" role.
   You may need to add capabilities to this role depending on the level of access you want Dropzone to have. If you would like to limit the indexes Dropzone has access to, you will need to create a custom role that inherits its permissions from the user role. See the Splunk documentation for more information on creating custom roles.
5. If two-factor authentication is enabled, provide the Duo username.
6. Click "Create".

To enable the Alert Source integration, you'll need the following information:

Dropzone Field   Source
Server           The hostname or IP address of your Splunk server, e.g. splunk.corp.example.net
Username         The username of the Splunk user you created earlier
Password         The password of the Splunk user you created earlier
If you chose to create an API token instead of a Splunk user, you will need to use the API token instead.
To enable the Alert Source integration, do the following:
1. Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.app.
2. In the bottom left-hand corner, navigate to Settings > Integrations.
3. Click "Available".
4. In the search bar, search for Splunk, then click "Configure".
5. If your Splunk integration is behind an on-premise Dropzone Connector, select your connector from the dropdown.
6. Input your Splunk server and port.
7. If you created a Splunk user, under "Authentication Method" select Password. If you created an API token, select Token.
8. Input your authentication details.
9. To enable Splunk Enterprise Security alert polling, check the box labeled "Enabled" in the "Splunk Enterprise Security" section.
10. Under "ES Macro," select the version of ES you are using ('notable' for ES 8.0+ or 'mc_incidents' for ES 7.0 and earlier).
11. Under "Enabled Severities," select the severity levels you want Dropzone to investigate.
12. In the "Title Exclusion Patterns" section, you may exclude notable events from investigation by title. To do so, click "Add Item," then input a Python regex that matches the titles to filter out.
13. In the "Ticket Sync" section, check the boxes for the comments you want included with each ticket.
14. In the "Alert Queries" section, input your desired log ingestion delay.
15. Under "Splunk Alert Search," input a Splunk SPL search query that identifies the alerts to investigate.
16. If you want Dropzone to regularly query for alerts from the previous 24 hours, check the box labeled "Advanced: Enable hourly 1 day lookback".
17. Input your desired log ingestion delay, poll interval and lookback.
18. Click "Test & Save" to finish.
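The severity, title-exclusion and polling-window settings above interact, and a mistyped or over-broad exclusion regex can silently hide real notables. The following is an added illustration (not Dropzone's or Splunk's own code) that applies those settings to constructed sample notables so the patterns can be checked before they are saved in the UI; it assumes Dropzone applies each exclusion pattern with search-anywhere semantics and reads severity from the ES `urgency` field.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample notable events (field names modelled on ES notables;
# not data from any real tenant).
SAMPLE_NOTABLES = [
    {"rule_title": "Brute Force Access Behavior Detected", "urgency": "high"},
    {"rule_title": "Test - Excessive Failed Logins", "urgency": "medium"},
    {"rule_title": "Malware Detected on Host", "urgency": "critical"},
    {"rule_title": "Scheduled Backup Completed", "urgency": "informational"},
]

def compile_exclusions(patterns):
    """Compile every exclusion pattern up front so a malformed regex is
    caught here rather than failing (or matching nothing) during polling."""
    return [re.compile(p) for p in patterns]

def select_for_investigation(notables, enabled_severities, exclusion_patterns):
    """Keep notables whose urgency is enabled and whose title matches no
    exclusion pattern. Search-anywhere (re.search) semantics is an assumption
    about how the Title Exclusion Patterns are applied."""
    excluded = compile_exclusions(exclusion_patterns)
    return [n for n in notables
            if n["urgency"] in enabled_severities
            and not any(rx.search(n["rule_title"]) for rx in excluded)]

def exclusion_coverage(titles, exclusion_patterns):
    """Map each pattern to the sample titles it would exclude, to spot an
    over-broad pattern (e.g. 'Detected') before it hides real alerts."""
    return {p: [t for t in titles if re.search(p, t)] for p in exclusion_patterns}

def search_window(now, ingestion_delay_min, lookback_min):
    """Earliest/latest bounds for one poll: hold back by the ingestion delay
    so late-indexed events are not missed, then cover the lookback period."""
    latest = now - timedelta(minutes=ingestion_delay_min)
    return latest - timedelta(minutes=lookback_min), latest

if __name__ == "__main__":
    picked = select_for_investigation(SAMPLE_NOTABLES, {"high", "critical"}, [r"^Test - "])
    print([n["rule_title"] for n in picked])
    titles = [n["rule_title"] for n in SAMPLE_NOTABLES]
    print(exclusion_coverage(titles, [r"Detected", r"^Test - "]))
    print(search_window(datetime.now(timezone.utc), 15, 60))
```

Run `exclusion_coverage` against a sample of recent notable titles from your own ES instance before adding a pattern; anchored patterns such as `^Test - ` are far less likely to over-exclude than bare words.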
If you have any errors or questions, engage your Dropzone AI support representative.