# Priority Rules Quick Setup Guide

## Overview

**Priority Rules** allow you to automatically adjust investigation priorities based on predefined conditions. When alerts match your criteria, Dropzone sets the investigation priority to the appropriate level—**Urgent**, **Notable**, or **Informational**—without manual intervention.

Priority Rules help ensure that critical investigations receive the right level of attention, while lower-risk or expected activity is appropriately deprioritized.

### How Priority Rules Affect Investigations

With Priority Rules enabled:

* Investigation priorities are automatically adjusted based on your rules
* Default priorities can be overridden using insight tags and conclusions
* Similar alerts receive consistent prioritization
* Analysts spend less time manually triaging priority levels

***

## Quick Setup

### Step 1: Navigate to Custom Strategies

1. In the Dropzone interface, open **Settings** from the left navigation.
2. Click **Custom Strategies**.
3. You’ll see the Custom Strategies management page with a **New Strategy** button.

***

### Step 2: Create or Edit a Strategy

* Click **+ New Strategy** to create a new strategy, or select an existing one.
* In the **Create Strategy** modal:
  * Enter a unique, descriptive strategy title\
    (for example, *High Priority Malware Alerts*).
  * Click **Save**.

You’ll be taken to the strategy configuration page.

***

### Step 3: Configure Alert Filters

Alert filters define *when* your Priority Rules should apply.

Configure one or more of the following filters:

* **Scenario**\
  Keywords that appear in alert descriptions\
  (for example, *malware detection*).
* **Attack Surface**\
  Select one or more:
  * Cloud
  * Network
  * Email
  * Identity
* **MITRE Tactic**\
  Choose applicable tactics such as:
  * Initial Access
  * Execution
  * Defense Evasion
  * Or **All**
* **Alert Source**\
  Select specific sources (for example, GuardDuty, Sumo Logic, Email) or **All**.

**Example Filter Configuration:**

* Scenario: *malware detection*
* Attack Surface: *Network*
* MITRE Tactic: *Execution*
* Alert Source: *All*

***

### Step 4: Configure Priority Rules

Scroll to the **Priority Rules** section of the strategy.

1. Click **+ Add Condition**.
2. Define the condition:
   * **Has Insight Tags:** Select one or more tags\
     (for example, *Malware*, *Blocked Activity*).
   * **And conclusion is one of:** Select applicable conclusions\
     (for example, *Malicious*, *Suspicious*).
3. **Then, set priority to:** Choose the priority level:
   * Urgent
   * Notable
   * Informational
4. Add additional conditions as needed using **+ Add Condition**.

***

## Understanding Insight Tags

**Insight Tags** are automatically applied labels that provide additional context during investigations.

Insight Tags can:

* Restrict or influence possible conclusions
* Provide context without changing outcomes

They help embed domain-specific knowledge into the AI’s decision-making and are often used in combination with conclusions to drive priority decisions.

***

## Example Priority Rule

**Malware with Confirmed Impact**

* Has Insight Tags: *Malware, Blocked Activity*
* And conclusion is one of: *Malicious*
* Then, set priority to: **Urgent**

Note that the *Blocked Activity* tag indicates the activity was stopped by a control, which is not the same thing as confirmed impact. If your team treats contained malware as less pressing than malware that ran unhindered, drop that tag from this rule or route blocked malware to **Notable** instead.

***

## Priority Levels

Priority Rules support the following levels:

* **Urgent**\
  Critical threats requiring immediate attention
* **Notable**\
  Important alerts that require prompt review
* **Informational**\
  Low-priority alerts intended primarily for awareness

***

## Common Insight Tags

Frequently used insight tags include:

* Malware
* Blocked Activity
* Potentially Unwanted Program
* Account Lockout
* Attack Simulation
* Authorized Scanner
* Conditional Access Block

***

## Best Practices

### ✅ Do

* Assign higher priority to confirmed malicious activity
* Use multiple conditions to create precise rules
* Test rules using representative alerts
* Consider analyst workload and team capacity

### ❌ Don’t

* Set all investigations to **Urgent**
* Create overlapping rules that could assign different priorities to the same alert
* Ignore investigation conclusions when assigning priority

***

## Example Priority Rule Configurations

### High-Priority Malware

* Condition:\
  Has Insight Tags: *Malware*\
  AND conclusion is *Malicious*
* Priority: **Urgent**

### Blocked Suspicious Activity

* Condition:\
  Has Insight Tags: *Blocked Activity, Potentially Unwanted Program*\
  AND conclusion is *Benign*
* Priority: **Informational**

### Account Security Events

* Condition:\
  Has Insight Tags: *Account Lockout*\
  AND conclusion is *Suspicious*
* Priority: **Notable**
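The following is an added example, not Dropzone's own code or API: a small model of how a strategy's alert filters (Step 3) and Priority Rule conditions (Step 4) could be evaluated, so you can dry-run the three configurations above against representative alerts and flag overlapping rules before enabling them. Everything the page leaves unstated is an assumption here: the `Alert` field names, that **Has Insight Tags** requires every listed tag to be present, that **conclusion is one of** is plain set membership, and that conditions are checked in the order they were added with the first match setting the priority. The alerts and the fourth condition are constructed for the demonstration.

```python
"""Added example, not Dropzone's own code: a model of how alert filters
(Step 3) and Priority Rule conditions (Step 4) could be evaluated, used to
dry-run rules on representative alerts and to flag overlapping rules.
Assumed semantics: "Has Insight Tags" = every listed tag present,
"conclusion is one of" = set membership, first matching condition wins."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Alert:
    """Constructed sample investigation; the field names are assumptions."""
    description: str
    attack_surface: str
    mitre_tactic: str
    source: str
    insight_tags: frozenset
    conclusion: str


@dataclass(frozen=True)
class AlertFilter:
    """Step 3 filters; an empty set stands for 'All' on that dimension."""
    scenario_keywords: frozenset = frozenset()
    attack_surfaces: frozenset = frozenset()
    tactics: frozenset = frozenset()
    sources: frozenset = frozenset()

    def matches(self, alert):
        text = alert.description.lower()
        return ((not self.scenario_keywords
                 or any(k.lower() in text for k in self.scenario_keywords))
                and (not self.attack_surfaces or alert.attack_surface in self.attack_surfaces)
                and (not self.tactics or alert.mitre_tactic in self.tactics)
                and (not self.sources or alert.source in self.sources))


@dataclass(frozen=True)
class Condition:
    """One Step 4 condition: required tags AND conclusion -> priority."""
    name: str
    required_tags: frozenset
    conclusions: frozenset
    priority: str

    def matches(self, alert):
        return (self.required_tags <= alert.insight_tags
                and alert.conclusion in self.conclusions)

    def overlaps(self, other):
        # Tag requirements are conjunctive, so one alert can carry both tag
        # sets; two conditions can only be mutually exclusive via conclusions.
        return bool(self.conclusions & other.conclusions)


@dataclass
class Strategy:
    title: str
    alert_filter: AlertFilter
    conditions: list

    def priority_for(self, alert):
        """Return (priority, condition name); (None, None) keeps the default."""
        if not self.alert_filter.matches(alert):
            return None, None
        for cond in self.conditions:
            if cond.matches(alert):
                return cond.priority, cond.name
        return None, None

    def conflicts(self):
        """Condition pairs that can fire on one alert with different priorities."""
        return [(a.name, b.name) for a, b in combinations(self.conditions, 2)
                if a.overlaps(b) and a.priority != b.priority]


# The page's example filter plus its three example conditions.
STRATEGY = Strategy(
    title="High Priority Malware Alerts",
    alert_filter=AlertFilter(scenario_keywords=frozenset({"malware detection"}),
                             attack_surfaces=frozenset({"Network"}),
                             tactics=frozenset({"Execution"})),  # sources: All
    conditions=[
        Condition("High-Priority Malware", frozenset({"Malware"}),
                  frozenset({"Malicious"}), "Urgent"),
        Condition("Blocked Suspicious Activity",
                  frozenset({"Blocked Activity", "Potentially Unwanted Program"}),
                  frozenset({"Benign"}), "Informational"),
        Condition("Account Security Events", frozenset({"Account Lockout"}),
                  frozenset({"Suspicious"}), "Notable"),
    ],
)

# Constructed representative alerts, not real detections.
ALERTS = [
    Alert("Malware detection: dropper executed on workstation", "Network", "Execution",
          "GuardDuty", frozenset({"Malware", "Blocked Activity"}), "Malicious"),
    Alert("Malware detection: adware installer quarantined", "Network", "Execution",
          "Sumo Logic", frozenset({"Blocked Activity", "Potentially Unwanted Program"}), "Benign"),
    Alert("Account lockout after repeated failed logins", "Identity", "Initial Access",
          "Sumo Logic", frozenset({"Account Lockout"}), "Suspicious"),
]

# Constructed fourth condition that overlaps the first one, reproducing the
# overlapping-rule situation the Best Practices warn against.
CONFLICTING_CONDITION = Condition("Blocked Malware",
                                  frozenset({"Malware", "Blocked Activity"}),
                                  frozenset({"Malicious"}), "Notable")
```

Two things fall out of running `STRATEGY.priority_for` over `ALERTS`. First, the account-lockout alert returns `(None, None)`: under the page's example filter (Network, Execution, "malware detection") the *Account Security Events* condition can never fire, because Identity alerts are filtered out before conditions are checked, so identity rules belong in a strategy with their own filters. Second, `STRATEGY.conflicts()` is empty, but prepending `CONFLICTING_CONDITION` to the condition list makes `conflicts()` report the pair with *High-Priority Malware* and flips the first alert from **Urgent** to **Notable** purely because of rule order, which is why overlapping rules with different priorities should be avoided.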

***

## What You’ll See in Your Investigations

After configuring Priority Rules:

* **Automatic Priority Assignment**\
  Investigation priorities are set automatically.
* **Consistent Prioritization**\
  Similar alerts receive the same priority treatment.
* **Reduced Manual Work**\
  Analysts no longer need to adjust priorities by hand.
* **Improved Resource Allocation**\
  Teams can focus on the most critical cases first.

***

## Next Steps

* **Start simple**\
  Create one or two rules for your most common alert types.
* **Test and monitor**\
  Observe how rules affect investigation queues.
* **Refine**\
  Adjust rules based on feedback and workload.
* **Expand**\
  Add more sophisticated prioritization as your team gains confidence.

***

Need help? Contact your Dropzone support team for assistance with Priority Rule setup and optimization.


