Amazon Web Services (AWS)

This is a combined document for enabling the Amazon Web Services (AWS) Dropzone AI Data Source and Alert Source.

The Dropzone AI platform integrates with Amazon Web Services (AWS) APIs for ingesting alerts (AWS GuardDuty) and enriching investigations with data from AWS such as CloudWatch.

Dropzone creates a separate IAM role for each customer. This document describes how to enable the Dropzone role to access your AWS environment and configure the Dropzone platform.

Integration Overview

To enable these integrations you will perform the following actions:

Enable Cross-Account Access
- Create an IAM role in your account(s)
- Attach policies to the role
Enable the Dropzone Data Source
Enable the Dropzone Alert Source

The Dropzone platform has a dedicated IAM role for your organization. You enable cross-account access for this IAM to gain access to specific roles within your AWS accounts.

These instructions will work for any account, but you may have different methods for applying them, for example if you are using Control Tower or deploying changes via Infrastructure as Code.

You must complete these steps for all AWS accounts you wish accessible by Dropzone.

Enable Cross-Account Access

You need to enable Dropzone to acces your AWS environments for it to pull alerts and run investigations. There are several ways you can achieve this:

Toolset

Documentation

Description

Set up roles via the Management Console

Set up roles and create policies in the AWS Console. Several manual steps, highly documented

Use AWS CloudFormation

Set up roles by running Dropzone's CFTs and copy/pasting in a small number of values

Use Infrastructure-as-Code / CLI / etc

see your provider's information

The following policies are required for full Dropzone functionality:

Policy

AWSCloudTrail_ReadOnlyAccess

AmazonEC2ReadOnlyAccess

AmazonGuardDutyReadOnlyAccess

AmazonRoute53ReadOnlyAccess

AmazonS3OutpostsReadOnlyAccess

AmazonS3ReadOnlyAccess

AmazonSSMReadOnlyAccess

IAMReadOnlyAccess

Be sure to use one of the above options to enable the cross-account access before moving on to enabling the integrations.

Enable The Dropzone Data Source Integration

The Data source integration allows Dropzone AI to interact with AWS APIs, for example pulling CloudWatch information, enumerating EC2 instances, for use in investigation analysis and interactive chat.

You'll need the following information:

Dropzone Field

Source

Default Region

The AWS region you run most of your services in

Role ARNs

The ARNs of the AWS roles you created in your accounts

To enable the Data Source integration, do the following:

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, click Settings > Integrations

Click "Available"

In the Search bar, search AWS, then click "Configure"

Under the Data Source Header, enter an AWS region into the "Default Region" field
- This should be the region that the majority of your monitored resources live in
In the "Role ARNs", click "Add Item"
- Paste the first the role ARNs that you created earlier
- Continue to add Role ARNs until done

Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

Enable The Dropzone Alert Source Integration

The Alert source integration allows Dropzone AI to pull alerts from AWS GuardDuty for investigation.

You'll need the following information:

Dropzone Field

Source

Default Region

The AWS region you run most of your services in

Role ARNs

The ARNs of the AWS roles you created in your accounts

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, click Settings > Integrations

Click "Available"

In the Search bar, search AWS, then click "Configure"

Under the Alert Source heading, enter an AWS region into the "Default Region" field
- This should be the region that the majority of your monitored resources live in
In the "Role ARNs", click "Add Item"
- Paste the first the role ARNs that you created earlier
- Continue to add Role ARNs until done

Under "Minimum Severity Level", select the minimum alert severity level you want Dropzone to investigate alerts for
If you wish, check the box next to "Include Archived Alerts" to allow Dropzone to investigate alerts that have been archived

Input your desired poll interval and poll lookback
Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

PreviousAlert + Data Source Integrations NextCross-Account Access via CloudFormation

Last updated 3 days ago

Was this helpful?

Amazon Web Services (AWS)

This is a combined document for enabling the Amazon Web Services (AWS) Dropzone AI Data Source and Alert Source.

The Dropzone AI platform integrates with Amazon Web Services (AWS) APIs for ingesting alerts (AWS GuardDuty) and enriching investigations with data from AWS such as CloudWatch.

Dropzone creates a separate IAM role for each customer. This document describes how to enable the Dropzone role to access your AWS environment and configure the Dropzone platform.

Integration Overview

To enable these integrations you will perform the following actions:

Enable Cross-Account Access
- Create an IAM role in your account(s)
- Attach policies to the role
Enable the Dropzone Data Source
Enable the Dropzone Alert Source

The Dropzone platform has a dedicated IAM role for your organization. You enable cross-account access for this IAM to gain access to specific roles within your AWS accounts.

These instructions will work for any account, but you may have different methods for applying them, for example if you are using Control Tower or deploying changes via Infrastructure as Code.

You must complete these steps for all AWS accounts you wish accessible by Dropzone.

Enable Cross-Account Access

You need to enable Dropzone to acces your AWS environments for it to pull alerts and run investigations. There are several ways you can achieve this:

Toolset

Documentation

Description

Set up roles via the Management Console

Set up roles and create policies in the AWS Console. Several manual steps, highly documented

Use AWS CloudFormation

Set up roles by running Dropzone's CFTs and copy/pasting in a small number of values

Use Infrastructure-as-Code / CLI / etc

see your provider's information

You can create your own IaC by looking at the role and policy information in the documentation. Dropzone does not provide any pre-canned IaC code at this time.

The following policies are required for full Dropzone functionality:

Policy

AWSCloudTrail_ReadOnlyAccess

AmazonEC2ReadOnlyAccess

AmazonGuardDutyReadOnlyAccess

AmazonRoute53ReadOnlyAccess

AmazonS3OutpostsReadOnlyAccess

AmazonS3ReadOnlyAccess

AmazonSSMReadOnlyAccess

IAMReadOnlyAccess

Be sure to use one of the above options to enable the cross-account access before moving on to enabling the integrations.

Enable The Dropzone Data Source Integration

You'll need the following information:

Dropzone Field

Source

Default Region

The AWS region you run most of your services in

Role ARNs

The ARNs of the AWS roles you created in your accounts

To enable the Data Source integration, do the following:

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, click Settings > Integrations

Click "Available"

In the Search bar, search AWS, then click "Configure"

Under the Data Source Header, enter an AWS region into the "Default Region" field
- This should be the region that the majority of your monitored resources live in
In the "Role ARNs", click "Add Item"
- Paste the first the role ARNs that you created earlier
- Continue to add Role ARNs until done

Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

Enable The Dropzone Alert Source Integration

The Alert source integration allows Dropzone AI to pull alerts from AWS GuardDuty for investigation.

You'll need the following information:

Dropzone Field

Source

Default Region

The AWS region you run most of your services in

Role ARNs

The ARNs of the AWS roles you created in your accounts

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, click Settings > Integrations

Click "Available"

In the Search bar, search AWS, then click "Configure"

Under the Alert Source heading, enter an AWS region into the "Default Region" field
- This should be the region that the majority of your monitored resources live in
In the "Role ARNs", click "Add Item"
- Paste the first the role ARNs that you created earlier
- Continue to add Role ARNs until done

Under "Minimum Severity Level", select the minimum alert severity level you want Dropzone to investigate alerts for
If you wish, check the box next to "Include Archived Alerts" to allow Dropzone to investigate alerts that have been archived
If you wish, you may exclude AWS GuardDuty alerts by . To do so, click "Add Item" in the AWS "GuardDuty Alert Exclusions" section. Past in an alert type in the form of a string

Input your desired poll interval and poll lookback
Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

PreviousAlert + Data Source Integrations NextCross-Account Access via CloudFormation

Last updated 3 days ago

Was this helpful?