Splunk
The Dropzone AI Platform integrates with Splunk Enterprise, a SIEM tool. Dropzone can analyze alerts generated by Splunk and/or use Splunk data as part of an investigation. Many customers ingest other alert sources into Splunk (for example identity providers) and integrate Dropzone with Splunk rather than with each source system.
Dropzone communicates with Splunk Enterprise through the Dropzone Connector.
There are two ways to authenticate Dropzone AI to Splunk: a dedicated Splunk user (username and password) or a Splunk authentication token. To create an authentication token, follow the instructions in Splunk's documentation.
Create a Splunk User
To create a Splunk user, do the following:
In the Home Menu of Splunk Enterprise, navigate to Settings > Users

Click "New User"

Name the user something memorable, such as Dropzone AI, and create a password. Save both for use later in the Dropzone UI, where they are called "Username" and "Password" respectively
In the "Assign Roles" section, assign the user the "User" role. The built-in user role is sufficient for Dropzone to search; if you want to restrict which indexes the account can search, create a custom role limited to those indexes and assign it instead
If two-factor authentication is enabled, provide the Duo username

Click "Create"

Enable the Dropzone Data Source Integration
You'll need the following information:
Server
The hostname or IP address of your Splunk server, e.g. splunk.corp.example.net
Port
The Splunk management port the connector will use (8089 by default)
Username
The username of the Splunk user you created earlier
Password
The password of the Splunk user you created earlier
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, navigate to Settings > Integrations

Click "Available"

In the Search bar, search Splunk, then click "Configure"

Input your Splunk Server and port

If you created a Splunk User, under "Authentication Method," select Password. If you created an API token, select Token

Input your authentication details

If you wish for Dropzone to only investigate specific indexes, click "Add Item" in the Index Allow List section. Input the list of Splunk indexes you want Dropzone to investigate. Otherwise, leave blank

If you want to further customize Dropzone's query configuration, check the box next to "Enable" in the "Advanced: Query Configuration" section. Then input your desired index selection tips, query tips, query examples, and macro configuration

Click "Test & Save" to finish
If you have any errors or questions, engage your Dropzone AI support representative.
Enable the Dropzone Alert Source Integration
In addition to data source integration, Dropzone can be configured to monitor and investigate specific incident types from Splunk.
You'll need the following information:
Server
The hostname or IP address of your Splunk server, e.g. splunk.corp.example.net
Port
The Splunk management port the connector will use (8089 by default)
Username
The username of the Splunk user you created earlier
Password
The password of the Splunk user you created earlier
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, navigate to Settings > Integrations

Click "Available"

In the Search bar, search Splunk, then click "Configure"

Input your Splunk Server and port

If you created a Splunk User, under "Authentication Method," select Password. If you created an API token, select Token

Input your authentication details

In the "Alert Queries" section, under "Splunk Alert Search," input the SPL search that returns the alerts Dropzone should investigate. Run the search in Splunk first, as the Dropzone user, to confirm it returns only the events you intend
Input your desired poll interval (how often Dropzone runs the search) and lookback (how far back each run searches)

Click "Test & Save" to finish
If you have any errors or questions, engage your Dropzone AI support representative.
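Before clicking "Test & Save" it is worth confirming, outside of Dropzone, that the account or token you created can actually run the alert search and that the results come from the indexes you plan to put in the Index Allow List. The script below is an added example, not Dropzone or Splunk code: it uses only Splunk's REST API on the management port (8089 by default), supports both authentication methods described above, runs your SPL over a lookback window, and reports which indexes the rows came from. The hostname, account name, index names and sample search are placeholders to replace.

```python
"""Pre-flight check for a Dropzone AI Splunk integration (added example; not
Dropzone or Splunk code). Using Splunk's REST API on the management port it
authenticates with either method (session from user/password, or a token),
runs the SPL you intend to paste into "Splunk Alert Search" over the lookback
window, and lists the indexes the results came from so you can compare them
with the Index Allow List. Hostname, credentials, index names and the sample
search are placeholders."""

import json
import ssl
import urllib.parse
import urllib.request

SPLUNK_HOST = "splunk.corp.example.net"  # placeholder hostname
SPLUNK_PORT = 8089                       # Splunk management port (default)
BASE_URL = f"https://{SPLUNK_HOST}:{SPLUNK_PORT}"


def normalize_spl(spl: str) -> str:
    """The jobs endpoint needs a full search string: prefix 'search ' unless
    the query already is one or starts with a generating command ('|')."""
    s = spl.strip()
    if s.startswith("|") or s.lower().startswith("search "):
        return s
    return "search " + s


def build_oneshot_params(spl: str, lookback_minutes: int) -> dict:
    """Parameters for a synchronous (oneshot) search over the lookback window,
    mirroring the lookback you will configure in the Alert Source settings."""
    if lookback_minutes <= 0:
        raise ValueError("lookback must be a positive number of minutes")
    return {
        "search": normalize_spl(spl),
        "exec_mode": "oneshot",
        "output_mode": "json",
        "earliest_time": f"-{lookback_minutes}m",
        "latest_time": "now",
    }


def session_header(session_key: str) -> dict:
    """Header for the 'Password' method (session key from /services/auth/login)."""
    return {"Authorization": f"Splunk {session_key}"}


def token_header(token: str) -> dict:
    """Header for the 'Token' method (Splunk authentication token)."""
    return {"Authorization": f"Bearer {token}"}


def _post(path: str, data: dict, headers: dict, ctx: ssl.SSLContext) -> dict:
    req = urllib.request.Request(
        BASE_URL + path,
        data=urllib.parse.urlencode(data).encode(),
        headers=headers,
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.loads(resp.read().decode())


def login(username: str, password: str, ctx: ssl.SSLContext) -> str:
    """Exchange the Splunk user's credentials for a session key."""
    body = _post("/services/auth/login",
                 {"username": username, "password": password, "output_mode": "json"},
                 {}, ctx)
    return body["sessionKey"]


def run_search(headers: dict, params: dict, ctx: ssl.SSLContext) -> list:
    """Run the oneshot search and return the result rows."""
    return _post("/services/search/jobs", params, headers, ctx).get("results", [])


def indexes_seen(results: list) -> set:
    """Indexes the alert rows came from (each row carries an 'index' field)."""
    return {row["index"] for row in results if "index" in row}


def outside_allow_list(results: list, allow_list: list) -> list:
    """Rows whose index is missing or not in the Index Allow List. An empty
    allow list means every index is allowed, as in the Dropzone UI."""
    if not allow_list:
        return []
    allowed = set(allow_list)
    return [row for row in results if row.get("index") not in allowed]


if __name__ == "__main__":
    # Verify the management port's certificate; pass cafile=... for a private
    # CA rather than disabling verification for an account that can read the SIEM.
    ctx = ssl.create_default_context()
    headers = session_header(login("dropzone-ai", "REPLACE_ME", ctx))
    # headers = token_header("REPLACE_WITH_TOKEN")  # if you chose the Token method
    params = build_oneshot_params(
        "index=idp_alerts severity=high | table _time index user src signature",
        lookback_minutes=60,
    )
    rows = run_search(headers, params, ctx)
    print(f"{len(rows)} alert rows, from indexes: {sorted(indexes_seen(rows))}")
    print("rows outside allow list:", len(outside_allow_list(rows, ["idp_alerts"])))
```

If the login or search fails here it will fail in Dropzone too, and the HTTP error from Splunk (401 for bad credentials, 403 for a role that cannot search the index) tells you which side to fix. Rows reported as outside the allow list are alerts Dropzone would not be able to investigate with the allow list as configured.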