Building Response Automations and Actions

Overview

Response Automations enable you to execute custom Python scripts automatically when investigations or system events occur. They allow Dropzone to integrate seamlessly with external systems and to apply consistent, automated response workflows across your security operations.

Response Automations are commonly used to notify downstream systems, trigger remediation actions, enrich tickets or records, and operationalize investigation outcomes at scale.

This guide walks through how Response Automations work, how to configure them safely, and best practices for building reliable, secure automations.

How Response Automations Work

Response Automations execute when a configured trigger occurs, such as an investigation completing or feedback being applied. When triggered, Dropzone runs your automation code in a secure, isolated environment and injects relevant data for use by the script.

Automations run in a sandboxed container using Python 3.11. Outbound HTTP and HTTPS connections are permitted, while inbound connections are blocked. Execution time and resources are limited to prevent runaway processes.

At runtime, Dropzone automatically injects investigation data, system event data, and secrets as Python dictionaries. All output, errors, and execution results are captured and recorded in the run history for auditing and troubleshooting.

What You’ll See in the Response Actions Interface

The Response Actions interface provides everything needed to build, test, and monitor automations:

A full-featured Python editor with syntax highlighting and validation
A configuration panel for environment variables, triggers, and testing controls
Live enable/disable controls for automation execution
A Secrets Manager for securely storing credentials
A complete run history showing execution results and errors
Pre-installed Python libraries for common integrations

Available Data and Libraries

Depending on the trigger you select, your automation script may receive different injected variables.

For investigation-based triggers, scripts receive the investigation object, which includes alert details, outcomes, findings, feedback, and metadata. Context Memory triggers provide a context_memory object containing memory content and metadata. Integration, license, and Custom Strategy triggers inject their respective event objects. The secrets object is always available and contains all credentials stored in the Secrets Manager.

Scripts also have access to a curated set of pre-installed libraries, including the Python 3.11 standard library, requests for HTTP calls, tenacity for retry logic, apprise for notifications, and cloud SDKs such as boto3 and azure-identity.

Using Script Variables Effectively

Before writing code, it’s important to understand exactly which variables are available for your selected trigger. The Script Vars panel in the Response Actions editor allows you to explore injected variables in real time.

Select a trigger, open the Script Vars panel, and expand objects to view their structure. You can copy exact field paths directly from the panel and use them in your script. Because variables change based on trigger type, reviewing Script Vars before coding helps prevent errors and ensures your automation behaves as expected.

When working with injected data, use defensive coding practices. Extract commonly used fields into clearly named variables, use .get() when accessing optional fields, and handle missing or unexpected values gracefully.

Configuration and Secrets Management

Every automation should begin with a clear configuration section at the top of the script. This includes tenant-specific settings, feature flags, and integration parameters. Keeping configuration centralized improves readability and simplifies maintenance.

All sensitive credentials must be stored in the Secrets Manager. Secrets are injected at runtime, masked in logs, and never persisted in code. Scripts should always validate that required secrets exist before proceeding and exit cleanly if they are missing.

Never hardcode API tokens, passwords, or webhook URLs directly into automation scripts.

Creating and Configuring a Response Action

To create a new Response Action, navigate to Settings → Response Actions and click Create New. Provide a descriptive display name that clearly communicates the automation’s purpose and target system.

Next, select the trigger that determines when the automation executes. Triggers are available for investigation lifecycle events, Context Memory changes, Custom Strategy updates, integration configuration changes, and license events. If different behaviors are required for different outcomes or events, create separate Response Actions rather than overloading a single script.

Once saved, you’ll be taken to the code editor where you can implement your automation logic.

Testing, Deployment, and Monitoring

Response Automations should be deployed gradually. Start by testing scripts using historical or low-risk data through the UI. Once validated, enable the automation for a limited subset of alerts or outcomes and monitor execution results for errors or unexpected behavior.

After a stable period—typically 24 to 48 hours—automations can be enabled more broadly. Ongoing monitoring of run history, error rates, and execution timing is recommended to ensure long-term reliability.

Security and Reliability Best Practices

When building Response Automations:

Define all configuration variables explicitly at the top of the script
Store all credentials in the Secrets Manager
Use HTTPS for all external API calls
Implement retries for network operations using tenacity
Validate investigation data before acting on it
Avoid exposing sensitive data in logs or error messages
Follow the principle of least privilege for external system access

Well-structured logging and error handling make automations easier to troubleshoot and safer to operate at scale.

Example: Slack Notification Automation

The following example demonstrates a Response Automation that sends a Slack notification when an investigation completes, formatting the message based on the investigation outcome:

import apprise

DROPZONE_HOSTNAME = "your-tenant"
SLACK_CHANNEL = "#security-alerts"
SLACK_TOKEN_SECRET = "SLACK_BOT_TOKEN"

slack_token = secrets.get(SLACK_TOKEN_SECRET, "")
if not slack_token:
    print("Missing Slack token")
    exit(1)

outcome_labels = {
    "COMPLETED_BREACHED_CONFIRMED": {"label": "Malicious", "emoji": "🚫"},
    "COMPLETED_BREACHED_SUSPICIOUS": {"label": "Suspicious", "emoji": "⚠️"},
    "COMPLETED_FALSE_ALERT": {"label": "Benign", "emoji": "✅"},
    "INCOMPLETE": {"label": "Inconclusive", "emoji": "❓"},
}

outcome = investigation.get("outcome")
if not outcome:
    exit(0)

info = outcome_labels.get(outcome, {"label": "Unknown", "emoji": "❔"})

findings = investigation.get("key_findings", [])
formatted_findings = "\n".join(f"• {f}" for f in findings) or "No findings"

message = f"""*Dropzone Investigation – {info['label']}*
{info['emoji']} *Alert Type:* {investigation["alert"]["alert_type"]}

*Summary:*
{investigation.get("conclusion_summary", "No summary")}

*Key Findings:*
{formatted_findings}

*Investigation Link:* https://{DROPZONE_HOSTNAME}.dropzone.app/app/investigations/{investigation['id']}
"""

apobj = apprise.Apprise()
channel = SLACK_CHANNEL.lstrip("#")
apobj.add(f"slack://{slack_token}/#{channel}?footer=no&image=no")
apobj.notify(body=message, title="Dropzone Investigation Alert")

PreviousContext Memory NextInvestigation Reviews Deep Dive

Last updated 8 days ago

Was this helpful?