# Stellar Cyber

The Dropzone AI Platform integrates with [Stellar Cyber](https://stellarcyber.ai/), an AI-powered SecOps platform offering security solutions such as SIEM, Network Detection & Response (NDR), Identity Threat Detection & Response (ITDR), and User Behavior Entity Analytics (UEBA). Dropzone can analyze cases and alerts from the Stellar Cyber Connect API, and/or use Stellar Cyber data as part of investigation analysis.

## Integration Overview

To enable these integrations you will perform the following actions:

* Create an API token
* Install the credentials into your Dropzone tenant
* Select integration parameters, such as which alert types to sync

## Create an API key

The Stellar Cyber integration requires an API key. To create an API key with the necessary permissions, the user must have Root scope and Super Admin privileges.

If you have access to a user with Root scope and Super Admin privileges, do the following:

* As a user with the Edit User privilege, log into your Stellar Cyber instance
* In the menu bar, click "System"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-1aac6aa726588c061337a73614d2b86d9b41f5ff%2Fstellarcyber-1.png?alt=media" alt=""><figcaption><p>Click "System"</p></figcaption></figure>

* Navigate to Administration > Users

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-b8dc8d534086dceab80a7e4a3ecf6c44e2d543fd%2Fstellarcyber-2.png?alt=media" alt=""><figcaption><p>Click "Users"</p></figcaption></figure>

* Under the Users tab, locate a user with Root scope and Super Admin privileges
* Copy the email address for use later in the Dropzone UI where it is called "User Email Address"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-bd5478f8d85b97067563c3dc87504669cf960d12%2Fstellarcyber-3.png?alt=media" alt=""><figcaption><p>The User List</p></figcaption></figure>

* Under "Actions," click the Edit button

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-bbc3ac7afdcce788b5a737f426ce9b2069b198c7%2Fstellarcyber-4.png?alt=media" alt=""><figcaption></figcaption></figure>

* In the API Access section, click "Generate New Token"
* Copy the token shown for use later in the Dropzone UI where it is called "Access Token"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-72945261e40ea868ef5b4dc85155812e0c42be18%2Fstellarcyber-5.png?alt=media" alt=""><figcaption><p>Generate the Access Token</p></figcaption></figure>

If you do not already have a user with those privileges, do the following:

* As a user with the Add User privilege, log into your Stellar Cyber instance
* Navigate to System > Administration > Users
* Under the Users tab, click "+ Create"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-a9d7d6b388ac39521fa386afb69c49a3bc13842e%2Fstellarcyber-6.png?alt=media" alt=""><figcaption><p>Create User</p></figcaption></figure>

* Input an email address for the User. Copy the value for use later in the Dropzone UI where it is called "User Email Address"

{% hint style="info" %}
Stellar Cyber requires a unique email address for all its users. We recommend creating a dedicated email address for this user, rather than using an existing company email.
{% endhint %}

* Name the user something memorable, such as Dropzone AI
* Create a password for the user
* Next to "User Scope," click "Root"
* Next to "User Privilege," select "Super Admin"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-37f1534323903137d1bb53bc8008771539cf8bc0%2Fstellarcyber-7.png?alt=media" alt=""><figcaption><p>Fill out the User Details</p></figcaption></figure>

* In the API Access section, click "Generate New Token"
* Copy the token shown for use later in the Dropzone UI where it is called "API Key"

{% hint style="info" %}
If you do not copy the token when the user is created, you will need to generate a new token.
{% endhint %}

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-72945261e40ea868ef5b4dc85155812e0c42be18%2Fstellarcyber-5.png?alt=media" alt=""><figcaption><p>Generate the Access Token</p></figcaption></figure>

## Enable Stellar Cyber

To enable the Alert Source integration, you'll need the following information:

| Dropzone Field     | Source                                                                           |
| ------------------ | -------------------------------------------------------------------------------- |
| Instance Domain    | Your Stellar Cyber server hostname (e.g. https\://*myserver.stellarcyber.cloud*) |
| User Email Address | The email address of the Stellar Cyber user you created/used earlier             |
| Access Token       | The "Access Token" value you generated earlier                                   |

To enable the Alert Source integration, do the following:

* Navigate to your Dropzone AI tenant home page, e.g. https\://*mycompany*.dropzone.app
* In the bottom-left corner, navigate to Settings > Integrations

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-b3f07f902b1402dadc7abbd8bb62f9c204547390%2Fui-integrations-dropdown.png?alt=media" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-434641ec6d4e45051842f86164f485d6bd289424%2Fapp_system_integrations_available.png?alt=media" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search Stellar Cyber, then click "Configure"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-f8a5d0adb9817dab5fe060ee1d046d3534840504%2Fapp_system_integrations_available_stellarcyber.png?alt=media" alt=""><figcaption><p>The Stellar Cyber Tile</p></figcaption></figure>

* Under the Alert Source heading, input the instance domain, user email address, and access token

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-d60fe8f529ac09ba56704d342fc4c6c65c3421c0%2Fapp_system_integrations_available_stellarcyber_alert_config_1.png?alt=media" alt=""><figcaption><p>The Stellar Cyber Alert Source Configuration (pt 1)</p></figcaption></figure>

* In the StellarCyber Alerts section, you may input an array of Python regex patterns to include or exclude specific [alerts](https://docs.stellarcyber.ai/prod-docs/5.1.x/Using/Alerts/Alert-Main.htm?tocpath=SECURITY%20MONITORING%7CWorking%20with%20Alerts%7C_____1) by name. To do so, select whether to exclude or include the listed threat names, then click "Add Item" and input the array. Continue adding arrays until done.

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-139e9a00e8330a3ce291c9f1880bc7533edffd85%2Fapp_system_integrations_available_stellarcyber_alert_config_2.png?alt=media" alt=""><figcaption><p>The Stellar Cyber Alert Source Configuration (pt 2)</p></figcaption></figure>

* To enable Dropzone to poll for alerts, check the box labeled "Enable polling for alerts"
* Input the [Alert Index prefix](https://docs.stellarcyber.ai/prod-docs/5.1.x/Using/ML/Machine-Learning-by-index.htm?tocpath=REFERENCE%7CDetection%20and%20Correlation%20Overview%7CAlert%20Type%20Model%20Summary%7C_____3) and minimum desired [event score](https://docs.stellarcyber.ai/prod-docs/5.1.x/Using/Alerts/Alert-Scoring.htm?tocpath=SECURITY%20MONITORING%7CWorking%20with%20Alerts%7C_____6) of the alerts you want Dropzone to investigate

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-c0e24fd7eb360fea9d89e953aac67f72728f42a6%2Fapp_system_integrations_available_stellarcyber_alert_config_3.png?alt=media" alt=""><figcaption><p>The Stellar Cyber Alert Source Configuration (pt 3)</p></figcaption></figure>

* To enable Dropzone to poll for [cases](https://docs.stellarcyber.ai/prod-docs/5.1.x/Using/Cases/Cases-Main.htm?Highlight=case), check the box labeled "Enable polling for cases"
* Input your minimum desired [score](https://docs.stellarcyber.ai/prod-docs/5.1.x/Using/Cases/Cases-Understanding.htm?tocpath=SECURITY%20MONITORING%7CWorking%20with%20Cases%7C_____2), then check the boxes for each [severity level](https://docs.stellarcyber.ai/prod-docs/5.1.x/Using/Cases/Cases-Detail.htm?tocpath=SECURITY%20MONITORING%7CWorking%20with%20Cases%7C_____3) you want Dropzone to investigate

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-f202257272ef568028313839add9a19e0eee6534%2Fapp_system_integrations_available_stellarcyber_alert_config_4.png?alt=media" alt=""><figcaption><p>The Stellar Cyber Alert Source Configuration (pt 4)</p></figcaption></figure>

* In the "Custom Filtering" section, you may input an array of Python regex patterns to include or exclude specific cases by name. To do so, check the box labeled "Enable Custom Filtering," select whether to exclude or include the listed threat names, then click "Add Item" and input the array. Continue adding arrays until done.

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-dbb505c5cd3a2bd4c925cbf06eb359b39f87cdc0%2Fapp_system_integrations_available_stellarcyber_alert_config_5.png?alt=media" alt=""><figcaption><p>The Stellar Cyber Alert Source Configuration (pt 5)</p></figcaption></figure>

* To limit Dropzone's access to specific [tenants](https://docs.stellarcyber.ai/prod-docs/5.1.x/Common/Using-Tenants.htm?Highlight=tenant%20id) within Stellar Cyber, check the box labeled "Manually Specify Tenant IDs," then click "Add Item." Input the Tenant [ID](https://docs.stellarcyber.ai/prod-docs/5.1.x/Configure/People/Tenants-Managing.htm?tocpath=CONFIGURING%7CManaging%20Access%7CManaging%20Tenants%7C_____2) you want Dropzone to investigate alerts for. Continue adding Tenant IDs until done.

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-0133004009bb3f955cf751969d48d6abf5cff83f%2Fapp_system_integrations_available_stellarcyber_alert_config_6.png?alt=media" alt=""><figcaption><p>The Stellar Cyber Alert Source Configuration (pt 6)</p></figcaption></figure>

* Input your desired poll interval and lookback

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-faccf70f301f07276c90d55fbd51fd6b13a77fa8%2Fapp_system_integrations_available_stellarcyber_alert_config_7.png?alt=media" alt=""><figcaption><p>The Stellar Cyber Alert Source Configuration (pt 7)</p></figcaption></figure>

* Click "Test & Save" to finish

If you have any errors or questions, engage your Dropzone AI support representative.
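
The include/exclude pattern lists for alerts and cases decide which detections Dropzone never investigates, so it is worth previewing them against known names before saving. The following is an added example, not Dropzone or Stellar Cyber code: the alert names and patterns are constructed, and because this page does not state whether a pattern is applied as a search, a start-anchored match or a full match, the script compares all three.

```python
import re

SEMANTICS = ("search", "match", "fullmatch")  # re.Pattern methods to compare


def preview_filter(names, patterns, mode, how="search"):
    """Return the names that would still be synced under this filter."""
    if mode not in ("include", "exclude") or how not in SEMANTICS:
        raise ValueError("mode must be include/exclude, how one of SEMANTICS")
    compiled = [re.compile(p) for p in patterns]  # raises re.error on a bad pattern
    kept = []
    for name in names:
        hit = any(getattr(rx, how)(name) for rx in compiled)
        # include keeps the hits, exclude keeps everything else
        if hit == (mode == "include"):
            kept.append(name)
    return kept


def semantics_sensitive(names, patterns, mode):
    """Names whose keep/drop outcome depends on how the pattern is applied."""
    results = [set(preview_filter(names, patterns, mode, how)) for how in SEMANTICS]
    return [n for n in names if len({n in r for r in results}) > 1]


# Constructed sample names, for illustration only (not taken from a real tenant).
SAMPLE_NAMES = [
    "External User Login Failure Anomaly",
    "Internal User Login Failure Anomaly",
    "Internal Port Scan",
    "External Port Scan",
    "Phishing URL",
]
# Constructed exclude list: one unanchored pattern, one start-anchored pattern.
EXCLUDE = [r"Port Scan", r"^External .*Login"]

if __name__ == "__main__":
    for how in SEMANTICS:
        print(how, "->", preview_filter(SAMPLE_NAMES, EXCLUDE, "exclude", how))
    print("outcome depends on semantics:",
          semantics_sensitive(SAMPLE_NAMES, EXCLUDE, "exclude"))
```

Any name reported by `semantics_sensitive` is one to rewrite with explicit `^...$` anchors or `.*` wildcards, so the filter behaves the same however it is applied.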
