# How to Create a Custom Strategy

Custom strategies allow you to tailor how the AI analyst interprets, investigates, and concludes on specific alert scenarios. This feature is essential for encoding your organization’s tribal knowledge, reducing false positives, and ensuring consistent outcomes for recurring situations.

***

## 1. Accessing Custom Strategies

To get started:

1. Navigate to the **Settings** section of the platform.
2. Select **Custom Strategies** from the menu.

Here, you’ll see a list of existing strategies as well as the option to create a new one.

***

## 2. Defining When the Strategy Applies

Each custom strategy is triggered by specific conditions. You can define these conditions using one or both of the following methods:

### Scenario Description

Provide a plain-language description of the situation the strategy should apply to.

**Example:**

* “User has an impossible travel alert”

This description helps the AI analyst understand the intent and context of the strategy.

### Filters

Use structured filters to target a broad or narrow set of alerts. Common filter fields include:

* Attack surface
* MITRE tactic
* Alert source
* Insight tags

**Examples:**

* All Microsoft Defender phishing alerts
* Only Proofpoint phishing attempts

You can combine scenario descriptions and filters for more precise targeting.

***

## 3. Specifying Investigative Questions (Optional)

You may require the AI analyst to ask specific questions during the investigation phase. These questions ensure the investigation aligns with your organization’s unique requirements.

**Examples:**

* “Did the user pass an MFA check?”
* “Has this IP address been seen in the environment in the last 30 days?”

When defined, these questions are explicitly addressed as part of the investigation workflow.

***

## 4. Setting Analysis Guidance and Outcomes

Define how the AI analyst should conclude when the strategy matches.

### Conclusion State

Force a specific outcome based on your policy:

* **Benign**
* **Suspicious**
* **Malicious**

**Example:**

* Always mark student video game detections as benign.

### Priority (If Supported)

Assign a priority level to matched alerts.

**Example:**

* Escalate all VIP executive alerts to **Urgent**.

### Insight Tag Rules

Use meta-analysis tags to further refine:

* When the strategy applies
* What outcome or priority should be enforced

***

## 5. Saving and Testing Your Strategy

1. Save the strategy. It will appear in your list of custom strategies.
2. Enable or disable the strategy as needed.

***

## 6. Best Practices

* Use clear, plain language in scenario descriptions to make strategies easy to understand and maintain.
* Regularly review and remove outdated strategies to ensure ongoing relevance and accuracy.
* Pair custom strategies with **context memory** for optimal results:
  * Context memory stores facts.
  * Strategies encode conditional (“if/then”) logic.
* Start with broader strategies and refine them over time as you observe outcomes and gather investigation feedback.

***

## Example Use Cases

* Automatically mark all alerts from a known vulnerability scanner IP as benign.
* Escalate all suspicious login alerts for VIP users to urgent priority.
* Require additional investigation steps for impossible travel scenarios.
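As an added illustration (not Dropzone's code or schema), the following Python models how the fields above combine: filters select alerts, each matched strategy forces a conclusion or priority and contributes investigative questions, and two strategies that force different outcomes are reported as a conflict rather than silently overriding each other. The field names, insight-tag values and sample alerts are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
# Hypothetical, simplified model of the strategy fields this page describes
# (not Dropzone's own schema). A strategy matches when every filter it sets holds.
@dataclass
class Strategy:
    name: str
    filters: dict                     # attack_surface / mitre_tactic / source / tags
    conclusion: Optional[str] = None  # "Benign" | "Suspicious" | "Malicious"
    priority: Optional[str] = None    # e.g. "Urgent"
    questions: list = field(default_factory=list)

@dataclass
class Alert:
    attack_surface: str
    mitre_tactic: str
    source: str
    tags: set                         # insight tags attached by meta-analysis

def matches(strategy: Strategy, alert: Alert) -> bool:
    for key, wanted in strategy.filters.items():
        actual = getattr(alert, key)
        # tag filters require every listed insight tag; other fields must be equal
        ok = set(wanted) <= actual if key == "tags" else actual == wanted
        if not ok:
            return False
    return True

def evaluate(alert: Alert, strategies: list) -> dict:
    """Apply every matching strategy; record conflicting forced outcomes rather than overriding."""
    out = {"matched": [], "conclusion": None, "priority": None, "questions": [], "conflicts": []}
    for s in strategies:
        if not matches(s, alert):
            continue
        out["matched"].append(s.name)
        for fld in ("conclusion", "priority"):
            val = getattr(s, fld)
            if val is not None and out[fld] not in (None, val):
                out["conflicts"].append(f"{fld}: {out[fld]} vs {val} ({s.name})")
            elif val is not None:
                out[fld] = val
        out["questions"].extend(q for q in s.questions if q not in out["questions"])
    return out

# Constructed strategies mirroring the use cases above.
STRATEGIES = [
    Strategy("scanner-benign", {"tags": {"known-vuln-scanner"}}, conclusion="Benign"),
    Strategy("vip-login", {"attack_surface": "identity", "tags": {"vip"}}, priority="Urgent"),
    Strategy("impossible-travel", {"tags": {"impossible-travel"}}, questions=[
        "Did the user pass an MFA check?", "Has this IP been seen in the last 30 days?"]),
]
```

Reviewing the `conflicts` list when strategies overlap is the check to run before enabling a new strategy, since a forced "Benign" that silently wins over a "Malicious" is exactly the false-negative a broad filter can introduce.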

***

For additional guidance or troubleshooting, consult the in-platform documentation or reach out to your technical support contact.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.dropzone.ai/best-practices/custom-strategies/how-to-create-custom-strategy.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
