# Custom Strategies

## Overview

**Custom Strategies** in Dropzone AI enhance outcome decision-making by allowing teams to inject targeted, organization-specific judgment into investigations. These strategies apply during the **Report phase** and guide the AI SOC Analyst toward more accurate conclusions—**Malicious**, **Suspicious**, or **Benign**—based on institutional policy, patterns, and operational context.

Custom Strategies extend Dropzone’s flexibility by enabling teams to override default interpretations of investigative findings and to encode clear, reusable guidance for recurring or high-volume alert patterns.

***

## Purpose and Role in Investigations

Custom Strategies are Dropzone’s mechanism for defining **conditional logic and interpretive guidance** that goes beyond raw investigative facts. They are used to scope judgment to specific situations and ensure consistent outcomes across similar alerts.

Custom Strategies allow teams to:

* Provide tailored outcomes based on alert metadata, MITRE tactics, attack surfaces, and alert sources
* Override default conclusions implied by insight tags when policy or context requires flexibility
* Embed analyst-grade reasoning into the AI’s decision process for edge cases and common noise patterns

For example, some organizations classify **Attack Simulation** alerts as benign by policy, while others treat them as malicious. A Custom Strategy can enforce the appropriate outcome consistently whenever these simulations are detected.

***

## Best Practices

### Write Like an Analyst, Think Like a Rule Engine

Custom Strategies function like *if–then* rules, but they should reflect the nuanced judgment of experienced SOC analysts—not raw detection logic.

Each Custom Strategy consists of two parts:

#### Alert Filters

Alert Filters define **when** a strategy applies. Filters can match on:

* Scenario description
* MITRE tactics
* Attack surfaces
* Alert sources
* Insight tags

An investigation must match **all configured filters** for the strategy to apply. If no filters are defined, the strategy applies to all investigations.

#### Analysis Guidance

Analysis Guidance defines **what outcome to recommend** once filters match. Guidance is expressed using one of two guidance types:

* **Insight Tag Rule**\
  Matches on specific investigation insight tags applied by the Dropzone analyst.
* **Scenario Description**\
  A natural-language hypothesis describing investigation findings. Only the *“If…”* portion should be included—the *“Then”* is handled by the conclusion selector.

Analysis Guidance should express reasoning about investigative evidence, not simply restate detection logic.

**Example Scenario Descriptions:**

* “If the malicious file is an EICAR test file” → **Malicious**
* “If there was no successful username-password combination” → **Benign**

***

### Design for Clarity and Reusability

Well-designed strategies are easy to understand, audit, and reuse.

* **Use descriptive strategy names**\
  Examples: *Internal Red Teaming*, *Authorized Recon Activity*
* **Leverage insight tags thoughtfully**\
  Treat tags as indicators of behavior, not verdicts. Use them to guide conclusions, not dictate them.
* **Group strategies by function**\
  For example:
  * Scanning and reconnaissance
  * Red team and testing activity
  * IT operations noise
* **Document rationale in natural language**\
  Outcome tips should clearly explain *why* a conclusion is recommended.

***

### Use Custom Strategies to Reduce Noise — Not Replace Investigation

Custom Strategies are not a substitute for investigation logic.

* **Avoid overfitting**\
  Don’t build strategies for one-off scenarios. Focus on repeatable patterns.
* **Combine tags with context**\
  Pair insight tags with metadata such as alert source or MITRE tactic for stronger signals.
* **Avoid complex decision trees**\
  Strategies should be easy to reason about. For layered logic, create multiple simpler strategies instead of one complex rule.

***

## Operational Behavior

Understanding how Custom Strategies are evaluated helps avoid surprises.

### Match Evaluation

During the outcome phase, Dropzone retrieves all **enabled Custom Strategies** that match the investigation’s:

* Scenario
* MITRE tactic
* Attack surface
* Alert source

Within a strategy:

* Conditions are evaluated using **logical AND** (all criteria must match)

Across strategies:

* Conditions are evaluated using **logical OR** (any matching strategy applies)

If multiple strategies match, the final conclusion is chosen by severity priority:

**Malicious → Suspicious → Benign**

***

### Outcome Tip Collation and Prompt Enrichment

When multiple strategies apply:

* All outcome tips are collected
* Natural-language guidance is injected into the AI’s prompt
* This improves justification and consistency in the final conclusion
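The following is an added worked example, not Dropzone's own code: a small Python model of the filter and outcome semantics this page describes (Alert Filters ANDed within a strategy, strategies ORed, severity priority across matches, outcome tips collated), run over a constructed investigation and constructed strategies. Field names, the "any accepted tag" treatment of insight tags, and the sample values are assumptions.

```python
from dataclasses import dataclass, field

# Severity priority used when several strategies match: Malicious > Suspicious > Benign.
SEVERITY = {"Malicious": 3, "Suspicious": 2, "Benign": 1}


@dataclass
class Strategy:
    name: str
    conclusion: str          # Malicious | Suspicious | Benign
    outcome_tip: str         # natural-language rationale injected into the AI's prompt
    enabled: bool = True
    # Alert Filters: filter kind -> accepted values. No filters = applies to every investigation.
    filters: dict = field(default_factory=dict)


def strategy_matches(strategy, investigation):
    """Within a strategy: logical AND, every configured filter must match (assumed field names)."""
    if not strategy.enabled:
        return False
    for key, accepted in strategy.filters.items():
        value = investigation.get(key)
        if isinstance(value, (set, list, tuple)):
            # Multi-valued attribute (insight tags): assumed to match when any tag is accepted.
            if not set(accepted) & set(value):
                return False
        elif value not in accepted:
            return False
    return True


def evaluate(strategies, investigation):
    """Across strategies: logical OR; severity priority picks the conclusion; all tips are kept."""
    matched = [s for s in strategies if strategy_matches(s, investigation)]
    if not matched:
        return None, []
    winner = max(matched, key=lambda s: SEVERITY[s.conclusion])
    return winner.conclusion, [f"{s.name}: {s.outcome_tip}" for s in matched]


# Constructed sample data (not from the page): one investigation, three strategies.
INVESTIGATION = {"mitre_tactic": "Execution", "alert_source": "EDR", "insight_tags": {"Atomic Red Team"}}
STRATEGIES = [
    Strategy("Internal Red Teaming", "Benign", "Atomic Red Team activity seen via EDR is an authorized test.",
             filters={"insight_tags": {"Atomic Red Team"}, "alert_source": {"EDR"}}),
    Strategy("Unreviewed Execution", "Suspicious", "Execution-tactic alerts still need analyst review.",
             filters={"mitre_tactic": {"Execution"}}),
    Strategy("Legacy Block Rule", "Malicious", "Retired rule, kept disabled.", enabled=False),
]


def demo():
    # Both enabled strategies match; Suspicious wins by priority and both tips are collated.
    return evaluate(STRATEGIES, INVESTIGATION)
```

The conflicting Benign and Suspicious recommendations in the sample are exactly the situation the Strategy Conflicts section below warns about: the priority rule decides, but both tips reach the prompt.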

### Insight Tag Overrides

Custom Strategies can override default insight tag behavior.

For example:

* Without a strategy, **Atomic Red Team** may imply **Malicious**
* With a strategy, **Atomic Red Team** can support **Benign** or **Suspicious** outcomes

When conflicts arise, Custom Strategy guidance takes precedence.

***

## Limitations and Considerations

### Strategy Conflicts

If multiple strategies apply with conflicting recommendations, the AI weighs all guidance during prompt construction. This can reduce clarity, so regular audits are recommended.

### Visibility and Traceability

Outcome tips influence final conclusions, but the strategies themselves are not directly visible to end users. Ensure outcome tips are clear and self-explanatory.

### Maintenance Burden

Over time, unused or overlapping strategies can accumulate. Regular review and pruning help prevent stale logic and unintended outcomes.

***

## Conclusion

Custom Strategies give SOC teams a powerful way to embed institutional judgment into automated investigations. When carefully designed and maintained, they reduce noise, improve accuracy, and enforce consistent interpretations of common scenarios—without relying on playbooks or manual intervention.

When well-structured, Custom Strategies become an extension of your team’s best judgment, scaling experience and policy across every investigation.

