# Investigation Reviews Deep Dive

New to Dropzone? We recommend starting with our overview of **The Platform**, specifically the **Dashboard** and **Investigations** sections, to familiarize yourself with how alerts flow through the system.

Once you’re comfortable, you’re ready to begin reviewing investigations.

## Overview: Investigation Reviews

**Investigation Reviews** enable SOC analysts to validate AI-completed alert investigations for accuracy and completeness. This process ensures high-quality security analysis while creating feedback loops that continuously improve Dropzone’s automated investigation capabilities.

Reviews help:

* Confirm AI conclusions align with your SOPs
* Reduce false positives
* Capture institutional knowledge
* Improve future investigation accuracy

You may follow your existing **Standard Operating Procedures (SOPs)** or use Dropzone’s built-in **Quality Assurance checklist** when reviewing investigations.

***

## What You’ll See Here

* **Investigation Queue Management**\
  Efficient filtering and prioritization of completed investigations
* **Review Interface Navigation**\
  A walkthrough of all investigation review components
* **Feedback Systems**\
  Context Memory creation and Custom Strategy development
* **Quality Assurance Workflows**\
  Structured approaches to validating investigations
* **Outcome Management**\
  Conclusion changes and investigation status updates
* **Knowledge Base Integration**\
  Leveraging reviews for long-term organizational learning

***

## How Investigation Reviews Work

### Review Process Model

1. **Investigation Completion**\
   The AI completes an automated investigation of security alerts.
2. **Review Queue**\
   Completed investigations enter the review queue with an **In Review** status.
3. **Analyst Assessment**\
   Human analysts evaluate the AI’s conclusions, evidence, and reasoning.
4. **Feedback Integration**\
   Review outcomes improve AI performance through Context Memory and strategies.
5. **Status Updates**\
   Investigations move from **In Review** to **Reviewed**.

***

## Review Components

### Investigation Data

Each investigation review provides access to:

* **Complete Alert Context**\
  Original alert details, triggering rules, and metadata
* **AI Analysis Results**\
  Investigative findings, evidence, and reasoning
* **Supporting Evidence**\
  API calls, queries, and data sources used
* **Recommended Actions**\
  Suggested follow-up steps based on the investigation outcome

### Review Tools

* **Approval Workflows**\
  Single-click approval for accurate investigations
* **Conclusion Modification**\
  Ability to change investigation outcomes with justification
* **Context Memory Creation**\
  Add organizational knowledge for future AI reference
* **Custom Strategy Development**\
  Encode reusable investigation logic for alert patterns

***

## Quality Assurance Model

Investigation reviews support structured quality assurance across several dimensions:

* **Accuracy Validation**\
  Confirm AI conclusions match evidence and organizational context
* **Completeness Assessment**\
  Ensure all relevant investigative angles were explored
* **False Positive Reduction**\
  Identify and correct misclassified benign activity
* **Knowledge Transfer**\
  Capture institutional expertise to improve future investigations

***

## Accessing Investigations

### Login and Tenant Selection

* Navigate to your Dropzone AI tenant home page (for example, `https://mycompany.dropzone.app`)
* If you have multiple tenants, use the tenant tree to navigate between environments

### Investigation Queue Access

* In the left navigation menu, click **Investigations**
* Select investigations by **Priority**:
  * Urgent
  * Notable
  * Informational
* Use filters to refine results by:
  * Conclusion
  * Interview usage
  * Source
  * And more

***

## Reviewing Investigations

Each investigation contains multiple tabs, described below.

### Summary Tab

* **Alert Summary**\
  Overview of the triggering alert and detection rule
* **Top Findings**\
  The five most significant findings influencing the AI’s conclusion
* **Associated Entities**\
  Hosts, users, IP addresses, and other related entities
* **Final Conclusion**\
  AI-determined outcome with supporting context and confidence

### Interviews Tab

> *Only available if AI Interviewer is enabled*

* **Interview Details**\
  State, creation time, last update, and recipient
* **Interview Question and Context**\
  The question asked and why it was generated
* **Resulting Communications**\
  Full conversation if the recipient responds
* **Approval Button**\
  Available when auto-approval is not enabled

### Findings Tab

* **Investigative Questions**\
  AI-generated questions guiding the investigation
* **Evidence-Based Rationale**\
  Reasoning derived from Evidence Locker entries
* **Analysis Depth**\
  Detailed view of investigation methodology

### Evidence Locker Tab

* **API Call History**\
  All queries and lookups performed by the AI
* **Data Sources**\
  External systems accessed during the investigation
* **Response Data**\
  Raw and processed results from each source

### Notes Tab

* **Reviewer Commentary**\
  Space for analyst observations and feedback
* **Collaboration Space**\
  Team communication around the investigation

{% hint style="info" %}
Notes currently do not influence AI behavior directly.
{% endhint %}

### Remediations Tab

* **Suggested Actions**\
  Follow-up steps based on the investigation outcome
* **Automation Triggers**\
  Potential response automations for similar alerts

{% hint style="info" %}
Remediation recommendations are not shown for investigations concluded as **Benign**.
{% endhint %}

### Changelog Tab

* **Investigation Timeline**\
  Chronological record of investigation events
* **System Events**\
  Automated actions and status changes
* **Review History**\
  Prior review activity and modifications

***

## Standard Approval Process

### Investigation Review

* Verify the Conclusion aligns with your SOPs

### Approval Execution

* Select **Approve and Close** to keep the same Conclusion
* The investigation moves to **Reviewed**

***

## Conclusion Modification Workflow

### Investigation Review

* Verify the Conclusion aligns with your SOPs

### Change Conclusion State

* Use the dropdowns in the top-right to update the Conclusion:
  * Malicious
  * Suspicious
  * Inconclusive
  * Benign

{% hint style="info" %}
Dropzone treats **Malicious** and **Benign** as final states, but teams may use statuses however best fits their workflow.
{% endhint %}

### Document Feedback

* Add notes explaining why the Conclusion was changed
* Adjust pre-set selections as appropriate
* Click **Save** to move the investigation to **Reviewed** (unless that option is unchecked, in which case it stays **In Review**)

***

## Onboarding Recommendation

During onboarding, we recommend reviewing **10–15+ investigations per day** for the first few weeks, prioritizing:

* Urgent
* Malicious
* Suspicious

This accelerates alignment with your internal SOPs and helps tune Dropzone quickly.
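The two review paths described above (approve and close, or change the Conclusion with a justification note) and the onboarding prioritization, modeled as an added Python example. This is not Dropzone's code or API: the `Investigation` record, the function names, the `mark_reviewed` flag and the sample queue are assumptions made for illustration; the priority levels, conclusion values and statuses are the ones named on this page.

```python
"""Review-queue triage model for Dropzone investigation reviews.

Added example, not Dropzone's own code or API. It models the documented
workflow over a constructed list of investigations: queue items start
In Review, approval keeps the conclusion, a conclusion change needs a
justification note, and both paths move the item to Reviewed.
"""
from dataclasses import dataclass, field

PRIORITIES = ("Urgent", "Notable", "Informational")               # queue priority filter
CONCLUSIONS = ("Malicious", "Suspicious", "Inconclusive", "Benign")
FINAL_CONCLUSIONS = {"Malicious", "Benign"}                         # treated as final by Dropzone

# Onboarding recommendation: Urgent first, then Malicious and Suspicious
# conclusions. Lower rank sorts earlier.
_PRIORITY_RANK = {p: i for i, p in enumerate(PRIORITIES)}
_CONCLUSION_RANK = {c: i for i, c in enumerate(CONCLUSIONS)}


@dataclass
class Investigation:              # hypothetical local record, not a Dropzone type
    id: str
    priority: str
    conclusion: str
    status: str = "In Review"
    notes: list = field(default_factory=list)
    changelog: list = field(default_factory=list)


def onboarding_order(investigations):
    """In Review items in the recommended review order."""
    pending = [i for i in investigations if i.status == "In Review"]
    return sorted(pending, key=lambda i: (_PRIORITY_RANK[i.priority],
                                          _CONCLUSION_RANK[i.conclusion], i.id))


def daily_plan(investigations, target=15):
    """The first `target` items of the onboarding order (10-15+ per day)."""
    return onboarding_order(investigations)[:target]


def _require_in_review(inv):
    if inv.status != "In Review":
        raise ValueError(f"{inv.id} is {inv.status}, not In Review")


def approve_and_close(inv):
    """Standard approval: keep the conclusion and move to Reviewed."""
    _require_in_review(inv)
    inv.status = "Reviewed"
    inv.changelog.append(f"approved as {inv.conclusion}")
    return inv


def change_conclusion(inv, new_conclusion, justification, mark_reviewed=True):
    """Conclusion modification: a justification note is mandatory.

    mark_reviewed models the option that can be unchecked on Save (assumption);
    when False the item stays In Review. Overriding a final state is allowed,
    since teams may use statuses as they see fit, but it is recorded.
    """
    _require_in_review(inv)
    if new_conclusion not in CONCLUSIONS:
        raise ValueError(f"unknown conclusion {new_conclusion!r}")
    if not justification or not justification.strip():
        raise ValueError("a note explaining the change is required")
    old = inv.conclusion
    inv.conclusion = new_conclusion
    inv.notes.append(justification.strip())
    entry = f"conclusion changed {old} -> {new_conclusion}"
    if old in FINAL_CONCLUSIONS:
        entry += " (final state overridden)"
    inv.changelog.append(entry)
    if mark_reviewed:
        inv.status = "Reviewed"
    return inv


def review_stats(investigations):
    """How often reviewers overturned the AI conclusion among Reviewed items."""
    reviewed = [i for i in investigations if i.status == "Reviewed"]
    overturned = [i for i in reviewed
                  if any(e.startswith("conclusion changed") for e in i.changelog)]
    return {"reviewed": len(reviewed), "overturned": len(overturned)}


def sample_queue():
    """Constructed sample data; ids and values are illustrative only."""
    return [
        Investigation("inv-1001", "Informational", "Benign"),
        Investigation("inv-1002", "Urgent", "Suspicious"),
        Investigation("inv-1003", "Urgent", "Malicious"),
        Investigation("inv-1004", "Notable", "Inconclusive"),
        Investigation("inv-1005", "Notable", "Malicious", status="Reviewed"),
    ]


if __name__ == "__main__":
    queue = sample_queue()
    print("review order:", [i.id for i in onboarding_order(queue)])
    approve_and_close(queue[2])                       # inv-1003 matches SOP
    change_conclusion(queue[0], "Suspicious",
                      "Host had a second alert the AI did not correlate")
    print(review_stats(queue))
```

The overturn count from `review_stats` is the figure worth tracking during onboarding: a falling share of changed conclusions over the first weeks is the signal that Context Memory and strategies have aligned the AI with your SOPs.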

***

## What’s Next?

Once you’re comfortable reviewing investigations, explore our **Best Practice guides** for:

* Building Custom Strategies
* Setting up Response Actions
* Leveraging Context Memory

{% hint style="warning" %}
Some advanced features are available to **Admins only**.
{% endhint %}
