# Monitoring Dropzone ## What is the recommended way to monitor Dropzone? There are two supported patterns: ### Option 1: API Pull * Use: `/app/api/v1/system-events/list` endpoint * Poll system-events API * Filter events by category (e.g., investigations, integrations, API, system info) * Send to SIEM * Map events into your SIEM/observability schema ### Option 2: Response Actions (Recommended) * Use triggers to emit events * Send via Python scripts to external systems **Note:** The triggers are the same in system events and Response Actions. This is based on customer preferences and tooling. If you are unsure which method is best for you, contact Dropzone Support. *** ## What are some key things to monitor? ### 1. Investigation Lifecycle * Investigation started/stopped * Investigation failures (application errors) * Inconclusive outcomes (requires human intervention) These indicate whether Dropzone is successfully processing alerts. ### 2. API Key & Authentication Events * API key creation/revocation * Users performing actions outside of their assigned role or taking negative actions API key issues can silently break integrations if not tracked. ### 3. System & Operational Events * User authentication changes * Admin actions * License / system updates Useful for auditability and operational awareness. ### 4. Integration Events * Integration failures can stop alerts from flowing to Dropzone or prevent critical data enrichment ### 5. Response Action Outcomes * Response actions are python scripts run by Dropzone in response to a trigger. If these are failing you could be missing critical visibility into external systems. *** ## What does “good” monitoring look like? A complete monitoring setup should cover: * **Ingest:** Are alerts entering Dropzone? * **Process:** Are investigations completing successfully? * **Response Action Output:** Are results written back correctly? * **Integration:** Are systems up for alert ingestion and data enrichment? * **Auth:** Are users performing their roles This ensures full visibility across the pipeline. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.dropzone.ai/faq/monitoring-dropzone.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.