Investigation Questions Quick Setup Guide

Overview

Investigation Questions (configured through Custom Strategies) allow you to add your organization’s specific security questions to Dropzone’s automated investigations. When alerts match your defined criteria, Dropzone automatically asks your custom questions alongside its standard investigation questions.

This capability helps ensure that organization-specific checks, validations, and enrichment steps are consistently applied—without requiring manual analyst input.

How Investigation Questions Affect Investigations

When Investigation Questions are configured:

  • Your custom questions appear in the Findings area alongside standard Dropzone questions

  • Questions are generated automatically based on alert context and strategy filters

  • All findings are tagged with their source for traceability

  • Up to 10 additional questions can be added per investigation (processed in batches of 5)


Quick Setup

Step 1: Navigate to Custom Strategies

  1. In the Dropzone interface, open Settings from the left navigation.

  2. Click Custom Strategies.

  3. You’ll see the Custom Strategies management page with a New Strategy button.


Step 2: Create a New Strategy

  • Click + New Strategy.

  • In the Create Strategy modal:

    • Enter a unique, descriptive strategy title (for example, AWS IAM Security Investigation).

    • Click Save.

You’ll be taken to the strategy configuration page.


Step 3: Configure Alert Filters

Alert filters define when your custom investigation questions should run.

Configure one or more of the following:

  • Scenario – Keywords that appear in the alert description (for example, external IP login attempts).

  • Attack Surface – Select one or more:

    • Cloud

    • Network

    • Email

    • Identity

  • MITRE Tactic – Choose tactics such as:

    • Initial Access

    • Execution

    • Defense Evasion

    • Or All

  • Alert Source – Select specific sources (for example, GuardDuty, Sumo Logic, Email) or All.

Example Filter Configuration:

  • Scenario: suspicious login

  • Attack Surface: Identity

  • MITRE Tactic: Initial Access

  • Alert Source: GuardDuty


Step 4: Add Investigation Questions

On the strategy configuration page, locate the Investigative Questions section.

  1. Click + Add Instruction.

  2. Enter your question using the format: “If [condition], ask the question, ‘[question]’”

  3. Repeat + Add Instruction to add more questions.

  4. Use Delete question to remove unnecessary questions.

  5. Use Reset Changes to undo edits if needed.


Example Investigation Questions

AWS IAM Alerts

  1. If the alert involves suspicious login activity from an external IP, ask the question: “What is the recent login history for user <user_name> from source IP <source_ip> in the last 24 hours?”

  2. If the alert involves an IAM user performing unusual actions, ask the question: “Does user <user_name> have MFA enabled, and what are their recent MFA authentication logs?”

  3. If an IAM role is specified in the alert, ask the question: “What are the current permissions and trust relationships for IAM role <iam_role>?”

  4. If a user email is identified in the alert, ask the question: “What are the details of the user <user_email>?”

    • If the user’s group is identified and the user is part of a system administrators group, ask the question: “Who added this user to group <group_name>?”


Email Alerts

  1. If the sender domain is external, ask the question: “What is the reputation and threat intelligence data for sender domain <sender_domain>?”

  2. If the email contains attachments, ask the question: “Are there any malicious indicators or sandbox analysis results for attachment <attachment_name> of type <attachment_type>?”

  3. If the email body references an invoice link, ask the question: “Has the user clicked the link <invoice_url>?”


Common Placeholder Variables

Use placeholder variables to dynamically inject alert context into questions:

  • <user_name> – Username from the alert

  • <user_email> – User email address

  • <source_ip> – Source IP address

  • <attachment_name> – File attachment name

  • <attachment_type> – Attachment file type

  • <sender_domain> – Email sender domain

  • <dest_port> – Destination port

  • <dest_host> – Destination hostname
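As an added example (not part of Dropzone's documentation or product), a small Python linter that checks a strategy's question list against the Step 4 format, the placeholder set listed above and the 10-question limit, and renders a question from a constructed alert record. The placeholder names beyond the list above (iam_role, group_name, invoice_url) come from this page's examples, and the regular expression for the instruction format is an assumption about how strictly quotes are written.

```python
import re

# Placeholder variables listed on this page, plus those used in its examples.
KNOWN_PLACEHOLDERS = {
    "user_name", "user_email", "source_ip", "attachment_name", "attachment_type",
    "sender_domain", "dest_port", "dest_host", "iam_role", "group_name", "invoice_url",
}
MAX_QUESTIONS = 10  # per-investigation limit stated in the overview

# Step 4 format: "If [condition], ask the question, '[question]'" (straight or curly quotes).
# Assumption: a colon or comma may follow "ask the question", as in the page's examples.
INSTRUCTION_RE = re.compile(
    r"""^If\s+(?P<condition>.+?),\s*ask the question[:,]?\s*[“"‘'](?P<question>.+?)[”"’']$"""
)
PLACEHOLDER_RE = re.compile(r"<([a-z_]+)>")


def parse_instruction(text):
    """Split one instruction into (condition, question); None if it is malformed."""
    m = INSTRUCTION_RE.match(text.strip())
    return (m.group("condition"), m.group("question")) if m else None


def lint_instructions(instructions):
    """Return (index, message) problems for a strategy's question list; [] means clean."""
    problems = []
    if len(instructions) > MAX_QUESTIONS:
        problems.append((None, f"{len(instructions)} questions exceed the limit of {MAX_QUESTIONS}"))
    seen = {}
    for i, text in enumerate(instructions):
        parsed = parse_instruction(text)
        if parsed is None:
            problems.append((i, "malformed: expected If [condition], ask the question, '[question]'"))
            continue
        question = parsed[1]
        used = set(PLACEHOLDER_RE.findall(question))
        if not used:
            problems.append((i, "no placeholder: question will not pick up alert context"))
        for name in sorted(used - KNOWN_PLACEHOLDERS):
            problems.append((i, f"unknown placeholder <{name}>"))
        key = re.sub(r"\s+", " ", question.lower())  # normalise before the duplicate check
        if key in seen:
            problems.append((i, f"duplicates question {seen[key]}"))
        seen.setdefault(key, i)
    return problems


def render_question(question, alert):
    """Substitute alert fields (a dict) into a question; unknown fields are left untouched."""
    return PLACEHOLDER_RE.sub(lambda m: str(alert.get(m.group(1), m.group(0))), question)
```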


Best Practices

✅ Do

  • Write clear, actionable questions

  • Use specific placeholder variables

  • Keep questions relevant to the alert type

  • Test questions using sample alerts

❌ Don’t

  • Write questions that depend on answers from other custom questions

  • Add irrelevant or ambiguous questions

  • Duplicate questions already covered by standard investigations


What You’ll See in Your Investigations

Once configured, Investigation Questions will appear automatically in investigations:

  • Enhanced Findings – Custom questions appear alongside standard Dropzone questions.

  • Contextual Execution – Questions are only generated when alert filters match.

  • Source Tracking – Each question is tagged with the strategy that generated it.

  • Automatic Processing – No analyst action is required—questions are asked and answered automatically.


Tip: Test Questions in Chat First

Before finalizing Investigation Questions, test them in the Ask a Question chat:

  • Ask the exact questions you plan to configure

  • Verify response relevance and structure

  • Test alternative phrasings

  • Confirm required data sources are accessible

This helps ensure your questions produce useful, actionable findings when used in investigations.


Next Steps

  • Start small – Choose one alert type and add 2–3 questions.

  • Test – Validate behavior using sample alerts.

  • Expand – Add additional alert types and questions over time.

  • Monitor – Track how custom questions improve investigation quality.


Need help? Contact your Dropzone support team for assistance with Investigation Question setup and optimization.
