# Analysis Guidance Quick Setup Guide

## Overview

**Analysis Guidance** allows you to automatically assign investigation conclusions based on predefined conditions. When alerts match your configured criteria, Dropzone applies the appropriate conclusion—such as **Malicious**, **Suspicious**, or **Benign**—without requiring manual review.

Analysis Guidance helps standardize investigation outcomes, reduce repetitive analyst effort, and ensure consistent handling of common alert patterns.

### How Analysis Guidance Affects Investigations

With Analysis Guidance enabled:

* Investigation conclusions are automatically assigned based on your rules
* Default AI conclusions can be overridden using insight tags or scenario descriptions
* Similar alerts receive consistent conclusions across investigations
* Conclusion changes are applied automatically without analyst intervention

***

## Quick Setup

### Step 1: Navigate to Custom Strategies

1. In the Dropzone interface, open **Settings** from the left navigation.
2. Select **Custom Strategies**.
3. You’ll see the Custom Strategies management page with a **New Strategy** button.

***

### Step 2: Create or Edit a Strategy

* Click **+ New Strategy** to create a new strategy, or select an existing one to edit.
* In the **Create Strategy** modal:
  * Enter a unique, descriptive title (for example, *Automated Conclusion Rules*).
  * Click **Save**.

You’ll be taken to the strategy configuration page.

***

### Step 3: Configure Alert Filters

Alert filters define *when* your Analysis Guidance rules apply.

Configure one or more of the following filters:

* **Scenario**\
  Enter keywords that appear in alert descriptions (for example, *new device login*).
* **Attack Surface**\
  Select one or more surfaces:
  * Cloud
  * Network
  * Email
  * Identity
* **MITRE Tactic**\
  Choose applicable tactics such as:
  * Initial Access
  * Execution
  * Defense Evasion
  * Or **All**
* **Alert Source**\
  Select specific sources (for example, GuardDuty, Sumo Logic, Email) or **All**.

**Example Filter Configuration:**

* Scenario: *new device login*
* Attack Surface: *Identity*
* MITRE Tactic: *Initial Access*
* Alert Source: *All*

***

### Step 4: Configure Analysis Guidance

Scroll to the **Analysis Guidance** section of the strategy.

1. Select a **Guidance Type**:
   * **Insight Tag Rule**
   * **Scenario Description**
2. Click **+ Add Condition**.
3. Define the condition and the conclusion to apply.

***

## Understanding Insight Tags

**Insight Tags** are automatically applied labels that provide additional context during investigations.

Insight Tags can:

* Restrict or influence possible conclusions
* Provide additional context without changing outcomes

They allow domain-specific knowledge to be embedded into the AI’s decision-making process.

***

## Guidance Types

### Insight Tag Rule

Use this guidance type when conclusions should be set based on specific insight tags.

**Configuration:**

* **Has Insight Tags:** Select one or more tags (for example, *Blocked Activity*, *Malware*).
* **Then, set conclusion to:** Choose a conclusion:
  * Malicious
  * Suspicious
  * Benign
  * Inconclusive
  * Ignored

You can add multiple conditions using **+ Add Condition**.

**Example:**

* Has Insight Tags: *Blocked Activity, Potentially Unwanted Program*
* Then, set conclusion to: **Benign**

***

### Scenario Description

Use this guidance type when conclusions should be based on alert descriptions or behavioral patterns.

**Configuration:**

* **Matches Description:** Enter a descriptive pattern.
* **Then, set conclusion to:** Choose a conclusion type.

You can add multiple conditions using **+ Add Condition**.

**Example:**

* Matches Description:\
  *If the user agent indicates a new device type (Android, iPhone, Windows, Mac, Linux) that has not been observed for the user before*
* Then, set conclusion to: **Malicious**

***

## Conclusion Types

Analysis Guidance supports the following conclusions:

* **Malicious (Red)**\
  Confirmed threat or attack
* **Suspicious (Yellow)**\
  Potentially harmful activity requiring review
* **Benign (Teal)**\
  Legitimate or harmless activity
* **Inconclusive (Gray)**\
  Insufficient data to determine intent
* **Ignored (Gray)**\
  Activity that does not require further investigation

***

## Common Insight Tags

Frequently used insight tags include:

* Blocked Activity
* Potentially Unwanted Program
* Account Lockout
* Attack Simulation
* Authorized Scanner
* Conditional Access Block
* Consumer VPN Use
* Critical Asset

***

## Best Practices

### ✅ Do

* Use **Benign** for clearly legitimate activity (for example, blocked unwanted programs)
* Use **Malicious** for confirmed threats or well-understood attack patterns
* Use **Suspicious** for activity that warrants human review
* Test rules using representative alerts
* Consider organizational and environmental context

### ❌ Don’t

* Mark everything as **Malicious**
* Create overlapping or conflicting rules
* Ignore alert context when defining conclusions

***

## Example Analysis Guidance Configurations

### Insight Tag Rules

**Blocked Unwanted Programs**

* Guidance Type: Insight Tag Rule
* Has Insight Tags: *Blocked Activity, Potentially Unwanted Program*
* Then, set conclusion to: **Benign**

**Malware Detection**

* Guidance Type: Insight Tag Rule
* Has Insight Tags: *Malware*
* Then, set conclusion to: **Malicious**
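
The two Insight Tag Rules above, together with the check for overlapping rules that the Best Practices section warns against, as an added Python model that is not Dropzone's own code. It assumes a rule matches when every tag listed under **Has Insight Tags** is present on the alert (the page does not state the product's exact matching semantics) and replays constructed sample alerts to find any that two rules would conclude differently.

```python
from dataclasses import dataclass
from typing import Iterable

# Assumed rule model (not Dropzone's implementation): an Insight Tag Rule
# matches when every tag in "Has Insight Tags" is present on the alert.
@dataclass(frozen=True)
class TagRule:
    name: str
    has_tags: frozenset   # "Has Insight Tags"
    conclusion: str       # "Then, set conclusion to"

# The two Insight Tag Rules from the page's example configurations.
RULES = [
    TagRule("Blocked Unwanted Programs",
            frozenset({"Blocked Activity", "Potentially Unwanted Program"}), "Benign"),
    TagRule("Malware Detection", frozenset({"Malware"}), "Malicious"),
]

def matching_rules(rules: Iterable[TagRule], alert_tags) -> list:
    """Rules whose required tags are all present on the alert."""
    return [r for r in rules if r.has_tags <= set(alert_tags)]

def conclude(rules, alert_tags):
    """The single conclusion when exactly one distinct conclusion applies;
    None when no rule matched or when the matching rules disagree."""
    conclusions = {r.conclusion for r in matching_rules(rules, alert_tags)}
    return conclusions.pop() if len(conclusions) == 1 else None

def find_conflicts(rules, sample_alerts):
    """Replay representative alerts (the 'test rules' practice) and report
    each one where two rules would set different conclusions."""
    conflicts = []
    for alert_id, tags in sample_alerts.items():
        hits = matching_rules(rules, tags)
        if len({r.conclusion for r in hits}) > 1:
            conflicts.append((alert_id, sorted((r.name, r.conclusion) for r in hits)))
    return conflicts

# Constructed sample alerts (alert id -> insight tags), not real data.
SAMPLE_ALERTS = {
    "alert-1": {"Blocked Activity", "Potentially Unwanted Program"},
    "alert-2": {"Malware"},
    "alert-3": {"Blocked Activity", "Potentially Unwanted Program", "Malware"},
    "alert-4": {"Consumer VPN Use"},
}

if __name__ == "__main__":
    for alert_id, tags in SAMPLE_ALERTS.items():
        print(alert_id, conclude(RULES, tags))
    print("conflicts:", find_conflicts(RULES, SAMPLE_ALERTS))
```

alert-3 carries both tag sets, so the two rules disagree and `conclude` returns None; that is the case to resolve (by splitting or tightening the rules) before enabling them.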

***

### Scenario Description Rules

**New Device Login**

* Guidance Type: Scenario Description
* Matches Description:\
  *If the user agent indicates a new device type that has not been observed for the user before*
* Then, set conclusion to: **Suspicious**

**Suspicious Login Pattern**

* Guidance Type: Scenario Description
* Matches Description:\
  *If login attempts occur from multiple countries within a short time frame*
* Then, set conclusion to: **Malicious**

***

## What You’ll See in Your Investigations

After configuring Analysis Guidance:

* **Automatic Conclusion Assignment**\
  Conclusions are set automatically based on your rules.
* **Consistent Outcomes**\
  Similar alerts receive consistent treatment.
* **Reduced Manual Work**\
  Analysts no longer need to assign conclusions for common patterns.
* **Standardized Process**\
  Investigation outcomes align with documented team criteria.

***

## Next Steps

* **Start Simple**\
  Create one or two rules for your most common alert types.
* **Test and Monitor**\
  Observe how rules affect investigation outcomes.
* **Refine**\
  Adjust rules based on analyst feedback and evolving patterns.
* **Expand**\
  Add more sophisticated rules as your team becomes comfortable.

***

Need help? Contact your Dropzone support team for assistance with Analysis Guidance setup and optimization.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.dropzone.ai/best-practices/custom-strategies/analysis-guidance-quick-setup-guide.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
