Utilizing the Dropzone AI Chatbot
Overview
The Dropzone AI Chatbot is a lightweight assistant designed to accelerate analyst workflows by providing quick, conversational access to integrated tools and data sources. Unlike the full Dropzone AI Analyst, the chatbot does not conduct autonomous investigations or make decisions. Instead, it serves as a low-friction interface for answering tactical questions quickly.
This document provides an overview of the chatbot’s capabilities and limitations, along with best practices for getting the highest-quality results when using chat.
Configuring Integrations
The Dropzone chatbot uses the same integrations as the Dropzone AI Analyst to answer questions. Out of the box, the chatbot is preconfigured with select integrations such as VirusTotal and a URL sandbox.
To expand the chatbot’s capabilities, ensure the appropriate integrations are configured.
Start by connecting to your core security and IT platforms, including:
SIEMs such as Splunk, Sumo Logic, or Panther
EDR platforms
Identity providers like Okta, Google Workspace, or Azure AD
Ticketing systems such as Jira or ServiceNow
Messaging tools like Slack or Microsoft Teams
After integrations are connected, validate that Dropzone has access to the correct datasets. This includes log telemetry, asset inventories, user activity logs, vulnerability and CVE feeds, and other supporting data sources. The quality of chatbot responses is directly tied to the breadth and accuracy of available data.
Types of Chat Contexts
The Dropzone chatbot supports two distinct interaction modes, each designed for different workflows.
Session-scoped chats are freeform conversations that do not include investigation or alert context. These chats are useful for general lookups and exploratory questions across connected data sources.
Investigation-scoped chats include context from a specific investigation, such as extracted entities and alert details. This context allows the chatbot to reference investigation-specific data directly.
Clicking “Ask a question” from within an investigation automatically opens an investigation-scoped chat.
High-Level Usage Guidance
The Dropzone chatbot is designed for fast, focused queries. It excels at retrieving data from integrated tools, enriching investigations, and answering point-in-time questions. It is not intended to replace full investigations or make analytical judgments.
Use the chatbot to speed up lookups and gather supporting facts, but rely on the full Dropzone AI Analyst for deeper reasoning and investigation workflows.
Ask for Investigative Data, Not Alerts
The chatbot is best used to retrieve event-level evidence from source systems. While investigation-scoped chats include alert context, the chatbot cannot independently pull alerts or incidents directly from source systems outside of an investigation.
Frame questions around observable activity and evidence rather than alert summaries.
Be Specific, Actionable, and Time-Bound
This is the single most important factor in getting high-quality responses.
Avoid vague questions like:
“What happened?”
Instead, ask questions such as:
“Was file X downloaded by users other than Y in the last Z days?”
Clear constraints allow the chatbot to generate precise queries and return relevant results.
Be Entity-Specific
Whenever possible, reference concrete entities in your questions, such as:
Users: email addresses, employee ID numbers
Devices: hostnames, asset tags
Files: filenames, hashes (SHA256, MD5)
Network indicators: IP addresses, domains
Platforms: specific tools (for example, “in SentinelOne” or “from Okta”)
Timeframes and locations: specific dates, time windows, or geographic regions
Including explicit identifiers significantly improves accuracy and relevance.
Stay Tactical, Not Strategic
The chatbot excels at tactical lookups—retrieving data, surfacing facts, and answering narrowly scoped questions. It does not perform investigative reasoning, hypothesis testing, or behavioral baselining the way the full Dropzone AI Analyst does.
Avoid subjective or open-ended questions such as:
“Is this normal?”
“What do you think happened here?”
“Is this suspicious?”
Instead, break larger questions into specific lookups, for example:
“What other devices have been observed with this process hash in the last 48 hours?”
“Has IP AAA.BBB.CCC.DDD communicated with internal systems before?”
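As an added illustration of the question-framing guidance above (Be Specific, Actionable, and Time-Bound; Be Entity-Specific; Stay Tactical, Not Strategic), here is a small pre-check that an analyst could run on a draft question before sending it to the chat. It is example code written for this page, not part of the Dropzone product or its documentation; the entity regexes and the list of open-ended phrasings are constructed here from the criteria the page lists.

```python
import re

# Regexes for the concrete entity types the guidance lists. Constructed for this
# example; they are not Dropzone's own matching rules.
ENTITY_PATTERNS = {
    "email":  r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b",
    "sha256": r"\b[A-Fa-f0-9]{64}\b",
    "md5":    r"\b[A-Fa-f0-9]{32}\b",
    "ipv4":   r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    # The domain part of an email address registers as a domain as well.
    "domain": r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|internal)\b",
    # Hostnames / asset tags in a DEPT-TYPE-NNN style, e.g. FIN-LT-042 (assumed convention).
    "host":   r"\b[A-Z]{2,}-(?:[A-Z0-9]+-)*[A-Z0-9]+\b",
}
# A relative window ("last 48 hours") or an ISO date counts as a time bound.
TIME_PATTERN = (r"\b(?:last|past)\s+\d+\s+(?:minutes?|hours?|days?|weeks?)\b"
                r"|\b20\d{2}-\d{2}-\d{2}\b")
# Phrasings the guidance flags as judgement calls the chatbot is not meant to make.
OPEN_ENDED = ("is this normal", "what do you think", "is this suspicious", "what happened")


def assess_question(question: str) -> dict:
    """Report which entity types, time bounds and open-ended phrasings a draft
    question contains, plus the issues to fix before asking the chatbot."""
    text = question.strip()
    lowered = text.lower()
    entities = sorted(name for name, pat in ENTITY_PATTERNS.items() if re.search(pat, text))
    time_bound = re.search(TIME_PATTERN, lowered) is not None
    open_ended = any(phrase in lowered for phrase in OPEN_ENDED)
    issues = []
    if open_ended:
        issues.append("open-ended judgement question; split it into concrete lookups")
    if not entities:
        issues.append("no concrete entity (user, host, hash, IP, domain)")
    if not time_bound:
        issues.append("no time window")
    return {"entities": entities, "time_bound": time_bound,
            "open_ended": open_ended, "issues": issues}


if __name__ == "__main__":
    for q in ("What happened?",
              "Has IP 203.0.113.7 communicated with internal systems in the last 48 hours?"):
        print(q, "->", assess_question(q))
```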
Follow Up and Iterate
Chatbot sessions support lightweight follow-up questions that reference prior responses, especially in investigation-scoped chats. This allows you to progressively narrow focus or explore pivots without restating full context.
Use short, incremental follow-ups to gather additional information and refine results.
Reference Generated Queries and Evidence
To promote transparency and trust, the Dropzone chatbot provides evidence-backed responses powered by live integration queries.
When reviewing responses:
Greyed-out evidence indicates a query that returned no results
Blue evidence indicates a query with results
Hovering over an evidence item shows the executed query
Clicking an evidence item opens a modal with the full response payload
Reviewing generated queries and evidence helps validate results and understand how answers were derived.
Final Thoughts
When used correctly, the Dropzone chatbot is a powerful accelerator for analyst workflows. By asking specific, well-scoped questions and leveraging follow-ups and evidence, analysts can quickly surface relevant facts and enrich investigations—without leaving the chat interface.