# Investigation Questions Quick Setup Guide

## Overview

**Investigation Questions** (configured through Custom Strategies) allow you to add your organization’s specific security questions to Dropzone’s automated investigations. When alerts match your defined criteria, Dropzone automatically asks your custom questions alongside its standard investigation questions.

This capability helps ensure that organization-specific checks, validations, and enrichment steps are consistently applied—without requiring manual analyst input.

### How Investigation Questions Affect Investigations

When Investigation Questions are configured:

* Your custom questions appear in the **Findings** area alongside standard Dropzone questions
* Questions are generated automatically based on alert context and strategy filters
* All findings are tagged with their source for traceability
* Up to **10 additional questions** can be added per investigation (processed in batches of 5)

***

## Quick Setup

### Step 1: Navigate to Custom Strategies

1. In the Dropzone interface, open **Settings** from the left navigation.
2. Click **Custom Strategies**.
3. You’ll see the Custom Strategies management page with a **New Strategy** button.

***

### Step 2: Create a New Strategy

* Click **+ New Strategy**.
* In the **Create Strategy** modal:
  * Enter a unique, descriptive strategy title\
    (for example, *AWS IAM Security Investigation*).
  * Click **Save**.

You’ll be taken to the strategy configuration page.

***

### Step 3: Configure Alert Filters

Alert filters define *when* your custom investigation questions should run.

Configure one or more of the following:

* **Scenario**\
  Keywords that appear in the alert description\
  (for example, *external IP login attempts*).
* **Attack Surface**\
  Select one or more:
  * Cloud
  * Network
  * Email
  * Identity
* **MITRE Tactic**\
  Choose tactics such as:
  * Initial Access
  * Execution
  * Defense Evasion
  * Or **All**
* **Alert Source**\
  Select specific sources (for example, GuardDuty, Sumo Logic, Email) or **All**.

**Example Filter Configuration:**

* Scenario: *suspicious login*
* Attack Surface: *Identity*
* MITRE Tactic: *Initial Access*
* Alert Source: *GuardDuty*

***

### Step 4: Add Investigation Questions

On the strategy configuration page, locate the **Investigative Questions** section.

1. Click **+ Add Instruction**.
2. Enter your question using the format:\
   **“If \[condition], ask the question, ‘\[question]’”**
3. Repeat **+ Add Instruction** to add more questions.
4. Use **Delete question** to remove unnecessary questions.
5. Use **Reset Changes** to undo edits if needed.

***

## Example Investigation Questions

### AWS IAM Alerts

1. If the alert involves suspicious login activity from an external IP, ask the question:\
   *“What is the recent login history for user `<user_name>` from source IP `<source_ip>` in the last 24 hours?”*
2. If the alert involves an IAM user performing unusual actions, ask the question:\
   *“Does user `<user_name>` have MFA enabled, and what are their recent MFA authentication logs?”*
3. If an IAM role is specified in the alert, ask the question:\
   *“What are the current permissions and trust relationships for IAM role `<iam_role>`?”*
4. If a user email is identified in the alert, ask the question:\
   *“What are the details of the user `<user_email>`?”*
   * If the user’s group is identified and the user is part of a system administrators group, ask the question:\
     *“Who added this user to group `<group_name>`?”*

***

### Email Alerts

1. If the sender domain is external, ask the question:\
   *“What is the reputation and threat intelligence data for sender domain `<sender_domain>`?”*
2. If the email contains attachments, ask the question:\
   *“Are there any malicious indicators or sandbox analysis results for attachment `<attachment_name>` of type `<attachment_type>`?”*
3. If the email body references an invoice link, ask the question:\
   *“Has the user clicked the link `<invoice_url>`?”*

***

## Common Placeholder Variables

Use placeholder variables to dynamically inject alert context into questions. The list below covers the common ones; the example questions above also use `<iam_role>`, `<group_name>` and `<invoice_url>`.

* `<user_name>` – Username from the alert
* `<user_email>` – User email address
* `<source_ip>` – Source IP address
* `<attachment_name>` – File attachment name
* `<attachment_type>` – Attachment file type
* `<sender_domain>` – Email sender domain
* `<dest_port>` – Destination port
* `<dest_host>` – Destination hostname
* `<iam_role>` – IAM role named in the alert
* `<group_name>` – Group the user was added to
* `<invoice_url>` – Link referenced in the email body

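As an added illustration, not Dropzone's own code and not a description of its internal matching rules, the Python below models how a strategy's alert filters (Step 3), its question templates (Step 4) and the placeholder variables could be applied to an alert: the filters gate whether the strategy fires, placeholders are filled from the alert's context, a template whose placeholder the alert cannot supply is skipped rather than asked with a literal `<iam_role>` left in it, and the result is capped at 10 questions and split into batches of 5 as the overview states. The any-keyword scenario match, "empty set means All", the `context` dictionary and the sample alert are assumptions constructed for this example.

```python
"""Model of applying a Custom Strategy's filters and question templates
to one alert.  Illustration only: the matching semantics below are
assumptions, not Dropzone's implementation."""
from __future__ import annotations

import re
from dataclasses import dataclass

MAX_CUSTOM_QUESTIONS = 10   # per-investigation cap stated in the guide
BATCH_SIZE = 5              # questions are processed five at a time

# Placeholder syntax used throughout the guide: <user_name>, <source_ip>, ...
PLACEHOLDER = re.compile(r"<([a-z_]+)>")


@dataclass
class Strategy:
    title: str
    scenario: list[str]        # keywords expected in the alert description
    attack_surface: set[str]   # e.g. {"Identity"}; empty set = "All" (assumption)
    mitre_tactic: set[str]     # empty set = "All"
    alert_source: set[str]     # empty set = "All"
    questions: list[str]       # templates containing <placeholder> tokens


def filters_match(strategy: Strategy, alert: dict) -> bool:
    """True when the alert satisfies every configured filter.
    Scenario keywords are matched case-insensitively as substrings of the
    description; any one keyword is enough (assumption)."""
    desc = alert.get("description", "").lower()
    if strategy.scenario and not any(k.lower() in desc for k in strategy.scenario):
        return False
    for key, allowed in (("attack_surface", strategy.attack_surface),
                         ("mitre_tactic", strategy.mitre_tactic),
                         ("alert_source", strategy.alert_source)):
        if allowed and alert.get(key) not in allowed:
            return False
    return True


def render_questions(strategy: Strategy, alert: dict) -> list[tuple[str, str]]:
    """Return (strategy_title, question) pairs with placeholders filled from
    alert['context'].  The title tag is the per-finding source tracking the
    guide describes.  A template whose placeholder has no value in the alert
    is skipped: asking "...for IAM role <iam_role>?" verbatim would only
    produce a useless finding."""
    ctx = alert.get("context", {})
    rendered = []
    for template in strategy.questions:
        needed = PLACEHOLDER.findall(template)
        if any(ctx.get(name) in (None, "") for name in needed):
            continue
        question = PLACEHOLDER.sub(lambda m: str(ctx[m.group(1)]), template)
        rendered.append((strategy.title, question))
    return rendered


def plan_custom_questions(strategies: list[Strategy], alert: dict) -> list[list[tuple[str, str]]]:
    """Collect questions from every matching strategy, cap at 10 and split into
    batches of 5, mirroring the limits stated in the overview."""
    questions: list[tuple[str, str]] = []
    for strategy in strategies:
        if filters_match(strategy, alert):
            questions.extend(render_questions(strategy, alert))
    questions = questions[:MAX_CUSTOM_QUESTIONS]
    return [questions[i:i + BATCH_SIZE] for i in range(0, len(questions), BATCH_SIZE)]


# --- constructed sample data (not a real alert) ------------------------------
SAMPLE_ALERT = {
    "description": "Suspicious login to the AWS console from an external IP",
    "attack_surface": "Identity",
    "mitre_tactic": "Initial Access",
    "alert_source": "GuardDuty",
    "context": {"user_name": "alice", "source_ip": "203.0.113.7"},  # no iam_role
}

AWS_IAM = Strategy(  # the example filter configuration from Step 3
    title="AWS IAM Security Investigation",
    scenario=["suspicious login"],
    attack_surface={"Identity"},
    mitre_tactic={"Initial Access"},
    alert_source={"GuardDuty"},
    questions=[
        "What is the recent login history for user <user_name> from source IP <source_ip> in the last 24 hours?",
        "Does user <user_name> have MFA enabled, and what are their recent MFA authentication logs?",
        "What are the current permissions and trust relationships for IAM role <iam_role>?",
    ],
)

EMAIL = Strategy(  # should not fire for the identity alert above
    title="Phishing Triage",
    scenario=["invoice"],
    attack_surface={"Email"},
    mitre_tactic=set(),
    alert_source=set(),
    questions=["What is the reputation and threat intelligence data for sender domain <sender_domain>?"],
)

if __name__ == "__main__":
    for batch_no, batch in enumerate(plan_custom_questions([AWS_IAM, EMAIL], SAMPLE_ALERT), 1):
        for title, question in batch:
            print(f"batch {batch_no} [{title}] {question}")
```

Run as-is, only the two AWS IAM questions whose placeholders the alert supplies are asked, both tagged with the strategy title; the role question is dropped because the alert carries no `iam_role`, and the email strategy never fires. Before relying on a template in production, check the same thing the example checks: that every placeholder you use is actually populated by the alert sources the strategy filters on.
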
***

## Best Practices

### ✅ Do

* Write clear, actionable questions
* Use specific placeholder variables
* Keep questions relevant to the alert type
* Test questions using sample alerts

### ❌ Don’t

* Write questions that depend on answers from other custom questions
* Add irrelevant or ambiguous questions
* Duplicate questions already covered by standard investigations

***

## What You’ll See in Your Investigations

Once configured, Investigation Questions will appear automatically in investigations:

* **Enhanced Findings**\
  Custom questions appear alongside standard Dropzone questions.
* **Contextual Execution**\
  Questions are only generated when alert filters match.
* **Source Tracking**\
  Each question is tagged with the strategy that generated it.
* **Automatic Processing**\
  No analyst action is required—questions are asked and answered automatically.

***

## Tip: Test Questions in Chat First

Before finalizing Investigation Questions, test them in the **Ask a Question** chat:

* Ask the exact questions you plan to configure
* Verify response relevance and structure
* Test alternative phrasings
* Confirm required data sources are accessible

This helps ensure your questions produce useful, actionable findings when used in investigations.

***

## Next Steps

* **Start small**\
  Choose one alert type and add 2–3 questions.
* **Test**\
  Validate behavior using sample alerts.
* **Expand**\
  Add additional alert types and questions over time.
* **Monitor**\
  Track how custom questions improve investigation quality.

***

Need help? Contact your Dropzone support team for assistance with Investigation Question setup and optimization.
