Panther
This is a combined document for enabling the Dropzone AI Data Source and Alert Source integrations for Panther.
The Dropzone platform integrates with the Panther SIEM. Both integrations authenticate to Panther with a Panther API token, which you must create before enabling either one.
To obtain an API token, do the following:
1. Navigate to your Panther homepage.
2. Click the gear icon in the top right corner.
3. Select "API Tokens".
4. Record the API URL shown at the top of the page; the Dropzone UI asks for it later as "Panther URL".
5. Click "Create New Token".
6. Grant the token the following permissions:

| Permission | Purpose |
|---|---|
| Manage Alerts | (optional) Allows Dropzone to add investigation results to Panther alerts as comments. Omit it if you only want Dropzone to read from Panther. |
| Read Alerts | Allows access to alert information |
| View Rules | Allows viewing the detection rules set up in Panther |
| Query Data Lake | Allows listing and issuing Data Explorer and Indicator Search queries |
| View Log Sources | Allows viewing the log sources set up in Panther |
| Read User Info | Allows access to user information related to your Panther resources |

Grant only the permissions listed here; the token is used by an automated integration and needs nothing beyond them.
7. Click "Create API Token" at the bottom of the page.
8. Record the "Value" for use later in the Dropzone UI, where it is called "API key". This value is not shown again after you leave this page, so record it immediately and store it as you would any other secret.
9. Click "Done".
To enable the Data Source integration, do the following:
1. Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.ai
2. Click System > Integrations.
3. Click "Data Sources" in the top left corner.
4. In the SIEM section, find the Panther tile and click "Connect".
5. Input the Panther URL and the API key recorded above.
6. Click "Test & Save" to finish.
Panther API token activation is not instantaneous. If the connection test fails initially, try again after a few minutes before troubleshooting the token or its permissions.
To enable the Alert Source integration, do the following:
1. Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.ai
2. Click System > Integrations.
3. Click "Alert Sources" in the top left corner.
4. In the SIEM section, find the Panther tile and click "Connect".
5. Input the Panther URL and the API key recorded above.
6. Check the severity levels you want to ingest.
7. Select a duration in minutes for alert deduplication. See the Panther alert deduplication documentation for more information. A value of 15 is reasonable for most deployments.
8. Optional: filter alerts by setting "Alert origin regex filter".
   - When a regex is put in this field, Dropzone only ingests alerts whose origin ID matches the regular expression; alerts that do not match are never ingested, so an overly narrow pattern silently drops alerts.
   - Example origin IDs: AWS.Root.Activity, Okta.AdminRoleAssigned, GCP.GKE.Kubernetes.Cron.Job.Created.Or.Modified
   - Python regular expression syntax is supported.
   - For example, to ingest all alerts other than AWS alerts, you could use ^(?!AWS).*
   - Work with your Dropzone technical resource to determine whether a filter is appropriate.
9. Click "Test & Save" to finish.
Panther API token activation is not instantaneous. If the connection test fails initially, try again after a few minutes before troubleshooting the token or its permissions.
If you have any errors, engage your Dropzone AI support representative.
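As an added illustration of how the severity checkboxes and the "Alert origin regex filter" narrow what the Alert Source ingests, the following Python applies both to a handful of constructed alerts. This is example code written for this page, not Dropzone's or Panther's own implementation. It assumes the regex is applied with Python's re.search against the origin ID (Dropzone's exact matching call is not documented here, so anchor your patterns with ^ and $ rather than relying on either behaviour). The sample alerts a4 and a5 use made-up origin IDs; the first three are the IDs quoted above. The example also shows a subtlety of the ^(?!AWS).* pattern from the text: it excludes any origin ID that merely begins with the letters AWS, while ^(?!AWS\.).* excludes only the AWS. rule family.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


# Constructed sample alerts. a1-a3 use the origin IDs quoted on this page;
# a4 and a5 are made-up IDs chosen to show how a prefix-based filter behaves.
@dataclass(frozen=True)
class Alert:
    alert_id: str
    origin_id: str
    severity: str


SAMPLE_ALERTS: List[Alert] = [
    Alert("a1", "AWS.Root.Activity", "CRITICAL"),
    Alert("a2", "Okta.AdminRoleAssigned", "HIGH"),
    Alert("a3", "GCP.GKE.Kubernetes.Cron.Job.Created.Or.Modified", "MEDIUM"),
    # Constructed: starts with the letters "AWS" but is not in the "AWS." family.
    Alert("a4", "AWSExample.Constructed.Rule", "HIGH"),
    # Constructed: a low-severity Okta alert.
    Alert("a5", "Okta.Constructed.LowNoise", "LOW"),
]


def compile_origin_filter(pattern: Optional[str]) -> Optional[re.Pattern]:
    """Compile the "Alert origin regex filter" value.

    None or a blank string means "no filter". An invalid pattern raises
    ValueError so the caller can reject it when the setting is saved,
    instead of discovering later that nothing was ingested.
    """
    if pattern is None or pattern.strip() == "":
        return None
    try:
        return re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid origin regex {pattern!r}: {exc}") from exc


def select_alerts(
    alerts: Iterable[Alert],
    severities: Iterable[str],
    origin_regex: Optional[str] = None,
) -> List[Alert]:
    """Return the alerts that pass the severity checkboxes and the origin filter.

    Assumption (not documented on the page): the regex is applied with
    re.search, so an unanchored pattern matches anywhere in the origin ID.
    Anchor with ^ and $ when you need a whole-ID match.
    """
    wanted = {s.upper() for s in severities}
    origin = compile_origin_filter(origin_regex)
    selected: List[Alert] = []
    for alert in alerts:
        if alert.severity.upper() not in wanted:
            continue  # severity not checked in the UI
        if origin is not None and origin.search(alert.origin_id) is None:
            continue  # origin ID does not match the regex filter
        selected.append(alert)
    return selected


def selected_ids(
    alerts: Iterable[Alert],
    severities: Iterable[str],
    origin_regex: Optional[str] = None,
) -> List[str]:
    """Convenience wrapper returning just the alert IDs that would be ingested."""
    return [a.alert_id for a in select_alerts(alerts, severities, origin_regex)]


if __name__ == "__main__":
    high = {"HIGH", "CRITICAL"}
    print("no filter:      ", selected_ids(SAMPLE_ALERTS, high))
    print("^(?!AWS).*:     ", selected_ids(SAMPLE_ALERTS, high, r"^(?!AWS).*"))
    print("^(?!AWS\\.).*:   ", selected_ids(SAMPLE_ALERTS, high, r"^(?!AWS\.).*"))
```

With HIGH and CRITICAL checked, the page's ^(?!AWS).* keeps only a2, because a4 also starts with "AWS"; ^(?!AWS\.).* keeps a2 and a4. A malformed pattern such as ^(?!AWS is rejected by compile_origin_filter rather than silently matching nothing.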