Panther

This is a combined document for enabling the Panther Dropzone Data Source and Alert Source integrations.

The Dropzone platform integrates with the Panther security SIEM.

Create an API Key

The Panther integration requires an API key before it can be enabled.

To obtain an API Key, do the following:

  • Navigate to your Panther homepage

  • Click on the gear icon in the top right corner

  • Select "API Tokens"

  • Record the API URL located at the top of the page for use later in the Dropzone UI where it is called "Panther URL"

  • Click on "Create New Token"

  • Grant the token the following permissions:

    Permission         Purpose
    Read Alerts        Allows access to alert information
    View Rules         Allows viewing the log rules set up in Panther
    Query Data Lake    Allows listing and issuing Data Explorer & Indicator Search queries
    View Log Sources   Allows viewing the log sources set up
    Read User Info     Allows access to user information related to your Panther resources

  • Click "Create API Token" at the bottom of the page

  • Record the "Value" for use later in the Dropzone UI where it is called "API key"

This value is not shown after you leave this page - be sure to record it immediately.

  • Click "Done"

Enable The Dropzone Data Source Integration

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Data Sources" in the top left corner

  • In the SIEM section, find the Panther tile and click "Connect"

  • Input the Panther URL link and the API key

  • Click "Test & Save" to finish

The Panther API token activation is not instantaneous. If the connection fails initially try again after a few minutes.

Enable The Dropzone Alert Source Integration

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Alert Sources" in the top left corner

  • In the SIEM section, find the Panther tile and click "Connect"

  • Input the Panther URL and the API key

  • Check the severity levels you want to ingest

  • Select a duration in minutes for alert deduplication. See the Panther alert deduplication documentation for more info. A value of 15 is reasonable.

  • Optional: use an alert filter by setting "Alert origin regex filter"

    • When a regex is put in this field, Dropzone will only ingest alerts whose origin ID matches the regular expression

    • Example origin IDs: AWS.Root.Activity, Okta.AdminRoleAssigned, GCP.GKE.Kubernetes.Cron.Job.Created.Or.Modified

    • Supports Python regular expression syntax

      • For example, to ingest all alerts other than AWS alerts, you could use ^(?!AWS).*

    • Work with your Dropzone technical resource to determine if this is appropriate

  • Click "Test & Save" to finish
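The following is an added example, not Dropzone or Panther code, that models how the three Alert Source settings above (severity selection, the origin regex filter, and the deduplication window) decide which alerts get ingested. It assumes the regex is applied anchored at the start of the origin ID (Python re.match) and uses a simplified "first alert per origin opens a window" deduplication model; the alert field names and sample alerts are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts; field names are an assumption, not Panther's real schema.
SAMPLE_ALERTS = [
    {"id": "a1", "origin": "AWS.Root.Activity", "severity": "HIGH", "created_at": "2024-05-01T10:00:00"},
    {"id": "a2", "origin": "Okta.AdminRoleAssigned", "severity": "HIGH", "created_at": "2024-05-01T10:05:00"},
    {"id": "a3", "origin": "Okta.AdminRoleAssigned", "severity": "HIGH", "created_at": "2024-05-01T10:12:00"},
    {"id": "a4", "origin": "Okta.AdminRoleAssigned", "severity": "HIGH", "created_at": "2024-05-01T10:30:00"},
    {"id": "a5", "origin": "GCP.GKE.Kubernetes.Cron.Job.Created.Or.Modified", "severity": "LOW", "created_at": "2024-05-01T10:31:00"},
    {"id": "a6", "origin": "NotAWS.Something", "severity": "MEDIUM", "created_at": "2024-05-01T10:32:00"},
]


def origin_matches(origin, pattern):
    """Apply the 'Alert origin regex filter' (Python regex syntax).

    Assumes the pattern is matched from the start of the origin ID (re.match), so
    '^(?!AWS).*' drops every origin beginning with 'AWS' and keeps everything else.
    Note that an unanchored pattern such as 'AWS' still matches 'AWS.Root.Activity'
    by prefix, so anchor patterns explicitly when a full-ID match is intended.
    """
    if not pattern:
        return True  # empty filter: ingest every origin
    return re.match(pattern, origin) is not None


def select_alerts(alerts, severities, origin_pattern=None, dedup_minutes=15):
    """Return the IDs of alerts that would be ingested.

    An alert is kept when its severity is checked, its origin matches the regex,
    and no alert with the same origin was already kept inside the dedup window.
    The window model here is a simplification of Panther's deduplication.
    """
    window = timedelta(minutes=dedup_minutes)
    window_start = {}  # origin ID -> timestamp of the alert that opened the window
    kept = []
    for alert in sorted(alerts, key=lambda a: a["created_at"]):
        if alert["severity"] not in severities:
            continue
        if not origin_matches(alert["origin"], origin_pattern):
            continue
        ts = datetime.fromisoformat(alert["created_at"])
        start = window_start.get(alert["origin"])
        if start is not None and ts - start < window:
            continue  # duplicate of an alert already ingested in this window
        window_start[alert["origin"]] = ts
        kept.append(alert["id"])
    return kept
```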

The Panther API token activation is not instantaneous. If the connection fails initially try again after a few minutes.

If you have any errors, engage your Dropzone AI support representative.
