Analysis Guidance Quick Setup Guide
Overview
Analysis Guidance allows you to automatically assign investigation conclusions based on predefined conditions. When alerts match your configured criteria, Dropzone applies the appropriate conclusion—such as Malicious, Suspicious, or Benign—without requiring manual review.
Analysis Guidance helps standardize investigation outcomes, reduce repetitive analyst effort, and ensure consistent handling of common alert patterns.
How Analysis Guidance Affects Investigations
With Analysis Guidance enabled:
Investigation conclusions are automatically assigned based on your rules
Default AI conclusions can be overridden using insight tags or scenario descriptions
Similar alerts receive consistent conclusions across investigations
Conclusion changes are applied automatically without analyst intervention
Quick Setup
Step 1: Navigate to Custom Strategies
In the Dropzone interface, open Settings from the left navigation.
Select Custom Strategies.
You’ll see the Custom Strategies management page with a New Strategy button.
Step 2: Create or Edit a Strategy
Click + New Strategy to create a new strategy, or select an existing one to edit.
In the Create Strategy modal:
Enter a unique, descriptive title (for example, Automated Conclusion Rules).
Click Save.
You’ll be taken to the strategy configuration page.
Step 3: Configure Alert Filters
Alert filters define when your Analysis Guidance rules apply.
Configure one or more of the following filters:
Scenario: Enter keywords that appear in alert descriptions (for example, new device login).
Attack Surface: Select one or more surfaces:
Cloud
Network
Email
Identity
MITRE Tactic: Choose one or more applicable tactics, or All, such as:
Initial Access
Execution
Defense Evasion
Alert Source: Select specific sources (for example, GuardDuty, Sumo Logic, Email) or All.
Example Filter Configuration:
Scenario: new device login
Attack Surface: Identity
MITRE Tactic: Initial Access
Alert Source: All
Step 4: Configure Analysis Guidance
Scroll to the Analysis Guidance section of the strategy.
Select a Guidance Type:
Insight Tag Rule
Scenario Description
Click + Add Condition.
Define the condition and the conclusion to apply.
Understanding Insight Tags
Insight Tags are automatically applied labels that provide additional context during investigations.
Insight Tags can:
Restrict or influence possible conclusions
Provide additional context without changing outcomes
They allow domain-specific knowledge to be embedded into the AI’s decision-making process.
Guidance Types
Insight Tag Rule
Use this guidance type when conclusions should be set based on specific insight tags.
Configuration:
Has Insight Tags: Select one or more tags (for example, Blocked Activity, Malware).
Then, set conclusion to: Choose a conclusion:
Malicious
Suspicious
Benign
Inconclusive
Ignored
You can add multiple conditions using + Add Condition.
Example:
Has Insight Tags: Blocked Activity, Potentially Unwanted Program
Then, set conclusion to: Benign
Scenario Description
Use this guidance type when conclusions should be based on alert descriptions or behavioral patterns.
Configuration:
Matches Description: Enter a descriptive pattern.
Then, set conclusion to: Choose a conclusion type.
You can add multiple conditions using + Add Condition.
Example:
Matches Description: If the user agent indicates a new device type (Android, iPhone, Windows, Mac, Linux) that has not been observed for the user before
Then, set conclusion to: Malicious
Conclusion Types
Analysis Guidance supports the following conclusions:
Malicious (Red): Confirmed threat or attack
Suspicious (Yellow): Potentially harmful activity requiring review
Benign (Teal): Legitimate or harmless activity
Inconclusive (Gray): Insufficient data to determine intent
Ignored (Gray): Activity that does not require further investigation
Common Insight Tags
Frequently used insight tags include:
Blocked Activity
Potentially Unwanted Program
Account Lockout
Attack Simulation
Authorized Scanner
Conditional Access Block
Consumer VPN Use
Critical Asset
Best Practices
✅ Do
Use Benign for clearly legitimate activity (for example, blocked unwanted programs)
Use Malicious for confirmed threats or well-understood attack patterns
Use Suspicious for activity that warrants human review
Test rules using representative alerts
Consider organizational and environmental context
❌ Don’t
Mark everything as Malicious
Create overlapping or conflicting rules
Ignore alert context when defining conclusions
Example Analysis Guidance Configurations
Insight Tag Rules
Blocked Unwanted Programs
Guidance Type: Insight Tag Rule
Has Insight Tags: Blocked Activity, Potentially Unwanted Program
Then, set conclusion to: Benign
Malware Detection
Guidance Type: Insight Tag Rule
Has Insight Tags: Malware
Then, set conclusion to: Malicious
Scenario Description Rules
New Device Login
Guidance Type: Scenario Description
Matches Description: If the user agent indicates a new device type that has not been observed for the user before
Then, set conclusion to: Suspicious
Suspicious Login Pattern
Guidance Type: Scenario Description
Matches Description: If login attempts occur from multiple countries within a short time frame
Then, set conclusion to: Malicious
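A worked model of how the alert filters from Step 3 and the two guidance types from Step 4 combine into a conclusion, together with the overlapping-rule check that Best Practices warns about, as an added Python example. This is not Dropzone's own code, and it assumes things the page does not state: conditions are evaluated in the order they were added and the first match wins, a Scenario Description is matched by case-insensitive substring search in place of the product's description matching, and the alert fields, source names and sample alerts are constructed for the example.

```python
"""Toy model of Analysis Guidance evaluation (added example, not Dropzone code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

ALL = "All"
CONCLUSIONS = {"Malicious", "Suspicious", "Benign", "Inconclusive", "Ignored"}


@dataclass(frozen=True)
class Alert:                      # constructed alert shape, not the product's schema
    description: str
    attack_surface: str
    mitre_tactic: str
    source: str
    insight_tags: frozenset


@dataclass
class AlertFilter:
    """Step 3: every scenario keyword must appear in the description; each
    list-valued filter accepts the alert when it contains All or the alert's value."""
    scenario_keywords: list = field(default_factory=list)
    attack_surfaces: list = field(default_factory=lambda: [ALL])
    mitre_tactics: list = field(default_factory=lambda: [ALL])
    alert_sources: list = field(default_factory=lambda: [ALL])

    def matches(self, alert: Alert) -> bool:
        desc = alert.description.lower()
        if not all(k.lower() in desc for k in self.scenario_keywords):
            return False

        def allowed(choices, value):
            return ALL in choices or value in choices
        return (allowed(self.attack_surfaces, alert.attack_surface)
                and allowed(self.mitre_tactics, alert.mitre_tactic)
                and allowed(self.alert_sources, alert.source))


@dataclass
class Condition:
    """Step 4: for an Insight Tag Rule `pattern` is the set of tags that must all be
    present; for a Scenario Description it is a phrase (substring match, assumed)."""
    guidance_type: str
    pattern: object
    conclusion: str

    def __post_init__(self) -> None:
        if self.conclusion not in CONCLUSIONS:
            raise ValueError(f"unknown conclusion: {self.conclusion!r}")
        if self.guidance_type not in ("Insight Tag Rule", "Scenario Description"):
            raise ValueError(f"unknown guidance type: {self.guidance_type!r}")
        if self.guidance_type == "Insight Tag Rule":
            self.pattern = frozenset(self.pattern)

    def matches(self, alert: Alert) -> bool:
        if self.guidance_type == "Insight Tag Rule":
            return self.pattern <= alert.insight_tags
        return self.pattern.lower() in alert.description.lower()


@dataclass
class Strategy:
    title: str
    alert_filter: AlertFilter
    conditions: list = field(default_factory=list)

    def conclude(self, alert: Alert) -> Optional[str]:
        """First matching condition wins (assumed ordering). None means the filter
        did not apply or nothing matched, so the default AI conclusion stands."""
        if not self.alert_filter.matches(alert):
            return None
        for cond in self.conditions:
            if cond.matches(alert):
                return cond.conclusion
        return None


def find_conflicts(strategy: Strategy) -> list:
    """Flag insight-tag conditions whose tag set is contained in another's but whose
    conclusion differs: an alert carrying the larger set matches both rules, so its
    outcome depends only on rule order."""
    tag_rules = [c for c in strategy.conditions if c.guidance_type == "Insight Tag Rule"]
    conflicts = []
    for i, a in enumerate(tag_rules):
        for j, b in enumerate(tag_rules):
            if i == j or a.conclusion == b.conclusion:
                continue
            if a.pattern < b.pattern or (a.pattern == b.pattern and i < j):
                conflicts.append((sorted(a.pattern), a.conclusion,
                                  sorted(b.pattern), b.conclusion))
    return conflicts


def build_strategy() -> Strategy:
    """The page's example filter and example rules, entered as data."""
    strategy = Strategy("Automated Conclusion Rules",
                        AlertFilter(scenario_keywords=["new device login"],
                                    attack_surfaces=["Identity"],
                                    mitre_tactics=["Initial Access"]))
    strategy.conditions += [
        Condition("Insight Tag Rule", {"Blocked Activity", "Potentially Unwanted Program"}, "Benign"),
        Condition("Insight Tag Rule", {"Malware"}, "Malicious"),
        Condition("Scenario Description", "has not been observed for the user before", "Suspicious"),
    ]
    return strategy


# Constructed sample alerts (not real telemetry); source names are placeholders.
_NEW_DEVICE = ("New device login for jdoe: the user agent indicates an Android device "
               "type that has not been observed for the user before")
SAMPLE_ALERTS = {
    "unseen_device": Alert(_NEW_DEVICE, "Identity", "Initial Access", "Okta", frozenset()),
    "blocked_pup": Alert(_NEW_DEVICE, "Identity", "Initial Access", "Okta",
                         frozenset({"Blocked Activity", "Potentially Unwanted Program"})),
    "malware_tag": Alert(_NEW_DEVICE, "Identity", "Initial Access", "Email", frozenset({"Malware"})),
    "wrong_surface": Alert(_NEW_DEVICE, "Network", "Initial Access", "GuardDuty", frozenset()),
}


def run_examples() -> dict:
    strategy = build_strategy()
    return {name: strategy.conclude(alert) for name, alert in SAMPLE_ALERTS.items()}


def conflict_demo() -> list:
    """Add an overlapping rule (Blocked Activity alone -> Ignored) and flag it."""
    strategy = build_strategy()
    strategy.conditions.append(Condition("Insight Tag Rule", {"Blocked Activity"}, "Ignored"))
    return find_conflicts(strategy)


if __name__ == "__main__":
    for name, conclusion in run_examples().items():
        print(f"{name}: {conclusion}")
    print("conflicts:", conflict_demo())
```

The `wrong_surface` alert shows the filter gate: a rule only fires when the strategy's filters apply, so an identical description on the Network surface keeps its default conclusion. `conflict_demo` shows why overlapping rules are a problem: an alert tagged with both Blocked Activity and Potentially Unwanted Program satisfies the Benign rule and the added Ignored rule, and which one wins is decided by nothing but the order the conditions were entered.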
What You’ll See in Your Investigations
After configuring Analysis Guidance:
Automatic Conclusion Assignment: Conclusions are set automatically based on your rules.
Consistent Outcomes: Similar alerts receive consistent treatment.
Reduced Manual Work: Analysts no longer need to assign conclusions for common patterns.
Standardized Process: Investigation outcomes align with documented team criteria.
Next Steps
Start Simple: Create one or two rules for your most common alert types.
Test and Monitor: Observe how rules affect investigation outcomes.
Refine: Adjust rules based on analyst feedback and evolving patterns.
Expand: Add more sophisticated rules as your team becomes comfortable.
Need help? Contact your Dropzone support team for assistance with Analysis Guidance setup and optimization.