Dropzone AI Documentation
Panther


Last updated 2 months ago

This is a combined document for enabling the Dropzone AI Data Source and Alert Source integrations for Panther.

Panther is a SIEM, and this is a SIEM integration. SIEM integrations are used to analyze alerts generated by the SIEM and/or to query the SIEM's data as part of an investigation.

Many customers ingest other alert sources into Panther (e.g. identity providers) and integrate Dropzone with Panther rather than with each source system directly, so Panther can act as the single alert feed for Dropzone.

Create an API Key

The Panther integration requires a Panther API token.

To obtain an API Key, do the following:

  • Navigate to your Panther homepage

  • Click on the gear icon in the top right corner

  • Select "API Tokens"

  • Record the API URL shown at the top of the page; it is entered later in the Dropzone UI as the "Panther URL"

  • Click on "Create New Token"

  • Grant the token the following permissions (least privilege: only "Manage Alerts" is a write permission, and it is optional):

Permission: Purpose

  • Manage Alerts: (optional) allows Dropzone to add investigation results as comments on Panther alerts. Omit it if you do not want Dropzone to write back to Panther.

  • Read Alerts: allows access to alert information

  • View Rules: allows viewing the detection rules set up in Panther

  • Query Data Lake: allows listing and issuing Data Explorer and Indicator Search queries

  • View Log Sources: allows viewing the log sources set up in Panther

  • Read User Info: allows access to user information related to your Panther resources

  • Click "Create API Token" at the bottom of the page

  • Record the token value; it is entered later in the Dropzone UI as the "API key"

The token value is not shown again after you leave this page, so record it immediately and store it in a secrets manager rather than in a ticket or chat message.

  • Click "Done"

Enable The Dropzone Data Source Integration

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Available"

  • In the Search bar, search Panther, then click "Configure"

  • Under the Data Source heading, input the Panther URL link and the API key

  • Click "Test & Save" to finish

Panther API token activation is not instantaneous. If the connection test fails at first, try again after a few minutes.

Enable The Dropzone Alert Source Integration

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Available"

  • In the Search bar, search Panther, then click "Configure"

  • Under the Alert Source heading, input the Panther URL and the API key

  • Check the severity levels you want to ingest

  • Optional: filter which alerts are ingested by setting "Detection ID regex filter"

    • When a regex is entered in this field, Dropzone will only ingest alerts whose origin ID matches the regular expression (Python regular expression syntax)

    • Example origin IDs: AWS.Root.Activity, Okta.AdminRoleAssigned, GCP.GKE.Kubernetes.Cron.Job.Created.Or.Modified

      • For example, to ingest all alerts other than AWS alerts, you could use ^(?!AWS).*  (the leading ^ anchors the negative lookahead to the start of the ID, so only IDs that begin with "AWS" are dropped)

    • Work with your Dropzone technical resource to determine whether a filter is appropriate, since alerts excluded here are never investigated by Dropzone

  • Click "Test & Save" to finish

Panther API token activation is not instantaneous. If the connection test fails at first, try again after a few minutes.

If you encounter any errors, engage your Dropzone AI support representative.

When configuring the Alert Source, also select a duration in minutes for alert deduplication; see the Panther alert deduplication documentation for details. A value of 15 is reasonable.
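The "Detection ID regex filter" step above only gives one pattern. The following is an added example (not Dropzone's or Panther's code) that applies such a pattern to the origin IDs listed on this page and builds two reusable pattern shapes: a denylist that generalises ^(?!AWS).* to several prefixes, and an allowlist. It assumes the filter is evaluated with Python's re.match semantics (anchored at the start of the ID); the page does not state this, but its own example begins with ^, so it behaves the same under re.search. The sample IDs are constructed from the examples in the text.

```python
import re

# Constructed sample of Panther origin (detection) IDs, taken from the examples on this page
SAMPLE_ORIGIN_IDS = [
    "AWS.Root.Activity",
    "Okta.AdminRoleAssigned",
    "GCP.GKE.Kubernetes.Cron.Job.Created.Or.Modified",
]


def filter_origin_ids(origin_ids, pattern):
    """Return the IDs a "Detection ID regex filter" would let through.

    Assumption (not stated on the page): the filter is applied with re.match
    semantics, i.e. anchored at the start of the ID. The page's own example
    starts with ^, so it behaves identically under re.search.
    """
    compiled = re.compile(pattern)
    return [oid for oid in origin_ids if compiled.match(oid)]


def exclude_prefixes(prefixes):
    """Build a negative-lookahead pattern that drops IDs beginning with any
    listed prefix, generalising the page's ^(?!AWS).* example.

    Prefixes are escaped so the dots in "GCP.GKE" are literal, and the prefix
    must be followed by a dot or the end of the string, so excluding "AWS"
    does not also drop an unrelated ID that merely starts with "AWS".
    """
    alts = "|".join(re.escape(p) for p in prefixes)
    return rf"^(?!(?:{alts})(?:\.|$)).*"


def include_prefixes(prefixes):
    """Build an allowlist pattern: keep only IDs beginning with a listed prefix."""
    alts = "|".join(re.escape(p) for p in prefixes)
    return rf"^(?:{alts})(?:\.|$)"


if __name__ == "__main__":
    # The page's example: everything except AWS alerts
    print(filter_origin_ids(SAMPLE_ORIGIN_IDS, r"^(?!AWS).*"))
    # Denylist two prefixes at once
    print(filter_origin_ids(SAMPLE_ORIGIN_IDS, exclude_prefixes(["AWS", "GCP.GKE"])))
    # Allowlist: only Okta detections
    print(filter_origin_ids(SAMPLE_ORIGIN_IDS, include_prefixes(["Okta"])))
```

The difference between the page's bare ^(?!AWS).* and exclude_prefixes(["AWS"]) matters only for IDs such as "AWSCloudTrail.Something": the bare pattern drops them, the prefix-bounded pattern keeps them. Test any filter against a dump of your real origin IDs before saving it, since alerts the regex excludes are silently never ingested.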

Supporting references

  • Panther alert deduplication

  • Python regular expression syntax