Overview

The Dropzone AI platform is made up of several components, summarized below.

Alert Source Integrations

The Dropzone platform creates Investigations from alerts that it receives from connected customer systems, for example cloud-native alerting, EDR, workforce solutions, and SIEM.

Some typical features of alert sources:

  • Require API access to your corporate systems, typically via API keys or by sharing your resources with a customer-specific Dropzone service account

  • May support filtering so that only a portion of available alerts is investigated, such as only HIGH or CRITICAL severity

  • Can "backfill" alerts from before you enabled the Alert Source, so that historical alerts are captured and investigated

  • Some support "write back" from Dropzone, such as select ticketing systems

Common Alert Sources include AWS GuardDuty, Microsoft Defender, CrowdStrike, Splunk, and Google Workspace.

See Alert Sources for more info.

Data Source Integrations

Data Sources enrich the information Dropzone uses to perform alert investigations and respond to interactive chat. Dropzone has support for many Threat Intelligence (TI) feeds, tools, and corporate systems such as identity, directory, and SIEM tools.

For example, when investigating possibly malicious URLs or IP addresses it may contact Threat Intelligence tools, and when assessing system access it may query your corporate directory services.

Common Data Sources include corporate systems such as Microsoft Entra ID and Google Workspace, Threat Intel tools such as CrowdStrike Falcon Intelligence and VirusTotal, and built in tooling such as WHOIS and PDF Analysis.

See Data Sources for more info.

Investigations

Investigations are the heart of the Dropzone AI platform. Once an alert is received, Dropzone begins analyzing it much as a human analyst would:

  • gathering data from multiple security tools and corporate systems via the Data Source integrations

  • analyzing the results and determining their legitimacy and potential threat level

  • producing a comprehensive report with evidence

Investigations are categorized as either Malicious, Suspicious, or Benign.

Chat

Dropzone allows you to ask interactive security questions. Chat can be used stand-alone via the Chat button, or directly within an investigation, in which case the entire set of investigation findings is part of the context, allowing you to ask follow-up questions.

On-prem Connector

Dropzone AI connects to APIs via its Data Source and Alert Source integrations. Many of these are reachable over the internet, such as third-party Threat Intelligence sources, corporate SaaS tools, and public cloud APIs. However, many corporate systems sit behind firewalls and VPNs for security reasons.

Customers can enable Dropzone to reach such restricted systems by running a lightweight Dropzone Connector Client Docker container inside their secure environment.

See On-prem Support - Dropzone Connector for more info.

Operational Context Memory

Dropzone automatically learns and stores organizational context as it performs investigations, and also allows you to provide facts of your own that can be useful for investigations, much as a seasoned SOC analyst accumulates institutional knowledge over time.

You can view, add, edit, and delete Operational Context Memory from the "Context Memory" page.

API

Dropzone exposes multiple user-facing APIs, documented via a Swagger UI covering all endpoints and schemas. API keys are created in the Dropzone UI and can be given an optional expiration date.

Response Automation

Dropzone can run custom code upon completing an investigation. This allows you to hook into corporate systems to perform your own business logic. Examples include:

  • sending an investigation summary to a Slack channel

  • telling your EDR to quarantine a device based on investigation findings

  • sending investigation data to a serverless function (e.g. AWS Lambda) that kicks off a more complex business workflow
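The following is an added example of what such a post-investigation hook might look like; it is not Dropzone's own code. It gates each action on the investigation verdict (Malicious, Suspicious, or Benign, the categories described under Investigations above), refuses to quarantine an unusually large number of hosts without human approval, and ignores duplicate deliveries of the same investigation. The payload field names (`id`, `verdict`, `alert_source`, `summary`, `hosts`), the `MAX_AUTO_QUARANTINE` cap, and the sample payload are all assumptions for illustration; consult the API's Swagger UI for the real schema.

```python
"""Added example of a response-automation hook (not Dropzone's own code).

The payload shape and field names below are assumptions for illustration,
not the documented Dropzone schema.
"""
from dataclasses import dataclass, field

# Verdict categories documented for investigations.
VERDICTS = ("Malicious", "Suspicious", "Benign")

# Hypothetical blast-radius cap: a single automated verdict should not
# isolate a large number of hosts without a human in the loop.
MAX_AUTO_QUARANTINE = 3


@dataclass
class Investigation:
    investigation_id: str
    verdict: str
    alert_source: str
    summary: str
    hosts: list = field(default_factory=list)

    @classmethod
    def from_payload(cls, payload: dict) -> "Investigation":
        """Parse a completed-investigation payload (assumed field names)."""
        verdict = payload["verdict"]
        if verdict not in VERDICTS:
            raise ValueError(f"unknown verdict {verdict!r}")
        return cls(
            investigation_id=payload["id"],
            verdict=verdict,
            alert_source=payload["alert_source"],
            summary=payload["summary"],
            hosts=list(payload.get("hosts", [])),
        )


@dataclass
class Plan:
    """What the hook decided to do, so it can be inspected before executing."""
    notify: list = field(default_factory=list)      # Slack messages to post
    quarantine: list = field(default_factory=list)  # hosts to isolate via EDR
    workflows: list = field(default_factory=list)   # payloads for a serverless workflow
    skipped: list = field(default_factory=list)     # reasons an action was withheld


def plan_response(inv: Investigation, seen: set) -> Plan:
    """Decide actions for a completed investigation, gated on its verdict."""
    plan = Plan()

    # Idempotency: the same investigation may be delivered more than once.
    if inv.investigation_id in seen:
        plan.skipped.append("duplicate delivery")
        return plan
    seen.add(inv.investigation_id)

    # Every verdict gets a summary in the SOC channel.
    plan.notify.append(
        f"[{inv.verdict}] {inv.alert_source}: {inv.summary} "
        f"(investigation {inv.investigation_id})"
    )

    if inv.verdict == "Malicious":
        if len(inv.hosts) <= MAX_AUTO_QUARANTINE:
            plan.quarantine.extend(inv.hosts)
        else:
            plan.skipped.append(
                f"{len(inv.hosts)} hosts exceeds auto-quarantine cap of "
                f"{MAX_AUTO_QUARANTINE}; needs human approval"
            )
        plan.workflows.append({"investigation_id": inv.investigation_id, "action": "open_incident"})
    elif inv.verdict == "Suspicious":
        # Not confident enough to contain automatically; route for review instead.
        plan.workflows.append({"investigation_id": inv.investigation_id, "action": "analyst_review"})
    # Benign: notification only, no containment and no workflow.
    return plan


def execute(plan: Plan, *, post_slack, edr_quarantine, invoke_workflow) -> int:
    """Run a plan through injected clients; returns the number of actions taken."""
    count = 0
    for message in plan.notify:
        post_slack(message)
        count += 1
    for host in plan.quarantine:
        edr_quarantine(host)
        count += 1
    for payload in plan.workflows:
        invoke_workflow(payload)
        count += 1
    return count


# Constructed sample payload, not real Dropzone output.
SAMPLE_PAYLOAD = {
    "id": "inv-0001",
    "verdict": "Malicious",
    "alert_source": "CrowdStrike",
    "summary": "Credential-dumping tool executed on a workstation",
    "hosts": ["ws-1042"],
}

if __name__ == "__main__":
    plan = plan_response(Investigation.from_payload(SAMPLE_PAYLOAD), set())
    execute(plan, post_slack=print, edr_quarantine=print, invoke_workflow=print)
```

Keeping the decision (`plan_response`) separate from the side effects (`execute`) lets you log or dry-run the plan before anything is quarantined, and makes the gating logic testable without live Slack or EDR credentials.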

User provisioning

Dropzone has two user types:

User Type       Permissions

Member          Full UI without user management

Administrator   Full UI, including user management

Dropzone users are identified by email address, and are restricted to the company domain by default.
