Priority Rules Quick Setup Guide

Overview

Priority Rules allow you to automatically adjust investigation priorities based on predefined conditions. When alerts match your criteria, Dropzone sets the investigation priority to the appropriate level—Urgent, Notable, or Informational—without manual intervention.

Priority Rules help ensure that critical investigations receive the right level of attention, while lower-risk or expected activity is appropriately deprioritized.

How Priority Rules Affect Investigations

With Priority Rules enabled:

  • Investigation priorities are automatically adjusted based on your rules

  • Default priorities can be overridden using insight tags and conclusions

  • Similar alerts receive consistent prioritization

  • Analysts spend less time manually triaging priority levels


Quick Setup

Step 1: Navigate to Custom Strategies

  1. In the Dropzone interface, open Settings from the left navigation.

  2. Click Custom Strategies.

  3. You’ll see the Custom Strategies management page with a New Strategy button.


Step 2: Create or Edit a Strategy

  • Click + New Strategy to create a new strategy, or select an existing one.

  • In the Create Strategy modal:

    • Enter a unique, descriptive strategy title (for example, High Priority Malware Alerts).

    • Click Save.

You’ll be taken to the strategy configuration page.


Step 3: Configure Alert Filters

Alert filters define when your Priority Rules should apply.

Configure one or more of the following filters:

  • Scenario: Keywords that appear in alert descriptions (for example, malware detection).

  • Attack Surface: Select one or more:

    • Cloud

    • Network

    • Email

    • Identity

  • MITRE Tactic: Choose applicable tactics such as:

    • Initial Access

    • Execution

    • Defense Evasion

    • Or All

  • Alert Source: Select specific sources (for example, GuardDuty, Sumo Logic, Email) or All.

Example Filter Configuration:

  • Scenario: malware detection

  • Attack Surface: Network

  • MITRE Tactic: Execution

  • Alert Source: All


Step 4: Configure Priority Rules

Scroll to the Priority Rules section of the strategy.

  1. Click + Add Condition.

  2. Define the condition:

    • Has Insight Tags: Select one or more tags (for example, Malware, Blocked Activity).

    • And conclusion is one of: Select applicable conclusions (for example, Malicious, Suspicious).

  3. Then, set priority to: Choose the priority level:

    • Urgent

    • Notable

    • Informational

  4. Add additional conditions as needed using + Add Condition.


Understanding Insight Tags

Insight Tags are automatically applied labels that provide additional context during investigations.

Insight Tags can:

  • Restrict or influence possible conclusions

  • Provide context without changing outcomes

They help embed domain-specific knowledge into the AI’s decision-making and are often used in combination with conclusions to drive priority decisions.


Example Priority Rule

Malware with Confirmed Impact

  • Has Insight Tags: Malware, Blocked Activity

  • And conclusion is one of: Malicious

  • Then, set priority to: Urgent


Priority Levels

Priority Rules support the following levels:

  • Urgent: Critical threats requiring immediate attention

  • Notable: Important alerts that require prompt review

  • Informational: Low-priority alerts intended primarily for awareness


Common Insight Tags

Frequently used insight tags include:

  • Malware

  • Blocked Activity

  • Potentially Unwanted Program

  • Account Lockout

  • Attack Simulation

  • Authorized Scanner

  • Conditional Access Block


Best Practices

✅ Do

  • Assign higher priority to confirmed malicious activity

  • Use multiple conditions to create precise rules

  • Test rules using representative alerts

  • Consider analyst workload and team capacity

❌ Don’t

  • Set all investigations to Urgent

  • Create overlapping or conflicting priority rules

  • Ignore investigation conclusions when assigning priority


Example Priority Rule Configurations

High-Priority Malware

  • Condition: Has Insight Tags: Malware AND conclusion is Malicious

  • Priority: Urgent

Blocked Suspicious Activity

  • Condition: Has Insight Tags: Blocked Activity, Potentially Unwanted Program AND conclusion is Benign

  • Priority: Informational

Account Security Events

  • Condition: Has Insight Tags: Account Lockout AND conclusion is Suspicious

  • Priority: Notable
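The three configurations above, run as an added Python model of how Priority Rules evaluate (this is illustrative code, not Dropzone's own implementation); it assumes that Has Insight Tags requires every listed tag to be present, that "conclusion is one of" matches any listed conclusion, and that the highest priority wins when several rules match. It also includes a check for the overlapping-rules anti-pattern from the Best Practices section.

```python
from dataclasses import dataclass
# Constructed model of the Priority Rules described on this page, not Dropzone's
# own implementation. Assumed semantics: "Has Insight Tags" needs every listed
# tag present; "conclusion is one of" matches any listed conclusion.
PRIORITY_RANK = {"Informational": 1, "Notable": 2, "Urgent": 3}

@dataclass(frozen=True)
class PriorityRule:
    name: str
    insight_tags: frozenset
    conclusions: frozenset
    priority: str

@dataclass
class Investigation:
    insight_tags: frozenset
    conclusion: str
    priority: str = "Notable"  # assumed default before any rule fires

def matching_rules(rules, inv):
    return [r for r in rules
            if r.insight_tags <= inv.insight_tags and inv.conclusion in r.conclusions]

def apply_priority_rules(rules, inv):
    """Priority after rules run; unchanged when nothing matches. When several
    rules match, the highest priority wins so a rule written for confirmed
    threats is not silently downgraded by a broader one (an assumption)."""
    matches = matching_rules(rules, inv)
    if not matches:
        return inv.priority
    return max((r.priority for r in matches), key=PRIORITY_RANK.__getitem__)

def conflicting_rules(rules):
    """Lint for the 'overlapping or conflicting rules' anti-pattern: two rules
    that share a conclusion can both fire on one investigation (it may carry
    both tag sets), so they conflict if they set different priorities."""
    return [(a.name, b.name)
            for i, a in enumerate(rules) for b in rules[i + 1:]
            if a.conclusions & b.conclusions and a.priority != b.priority]

# The three example configurations from this page
RULES = [
    PriorityRule("High-Priority Malware", frozenset({"Malware"}),
                 frozenset({"Malicious"}), "Urgent"),
    PriorityRule("Blocked Suspicious Activity",
                 frozenset({"Blocked Activity", "Potentially Unwanted Program"}),
                 frozenset({"Benign"}), "Informational"),
    PriorityRule("Account Security Events", frozenset({"Account Lockout"}),
                 frozenset({"Suspicious"}), "Notable"),
]
```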


What You’ll See in Your Investigations

After configuring Priority Rules:

  • Automatic Priority Assignment: Investigation priorities are set automatically.

  • Consistent Prioritization: Similar alerts receive the same priority treatment.

  • Reduced Manual Work: Analysts no longer need to adjust priorities by hand.

  • Improved Resource Allocation: Teams can focus on the most critical cases first.


Next Steps

  • Start simple: Create one or two rules for your most common alert types.

  • Test and monitor: Observe how rules affect investigation queues.

  • Refine: Adjust rules based on feedback and workload.

  • Expand: Add more sophisticated prioritization as your team gains confidence.


Need help? Contact your Dropzone support team for assistance with Priority Rule setup and optimization.
