Chat
The Dropzone security chatbot is a lightweight assistant designed to accelerate analyst workflows by providing quick, conversational access to integrated tools and data sources. Unlike the full Dropzone agent, the chatbot does not conduct autonomous investigations or make decisions. It is intended to be a low-friction interface to help analysts answer tactical questions faster.

The chatbot supports two distinct modes of interaction tailored for different workflows:
Investigations
Ask questions about a specific investigation. The chat pulls from all investigation details, including extracted entities and alerts.
Note that the chat can’t pull alerts directly from your source systems—only information that is included in the investigation within Dropzone.
Session Scoped Chats
These are freeform and will not include any investigation or alert context.
Many of our customers utilize these chats as a search engine within their connected alert and data sources, even allowing other teams within the company to ask questions of available security tools.
Best Practices
Be specific, actionable, and time-bound
Instead of asking “What happened?”, try: “Was the file X downloaded by users other than Y in the last Z days?”
Be “entity” specific:
Users: user email address, employee ID number
Devices: hostnames, asset tags
Files: file names, hashes (SHA256, MD5)
Network indicators: IP addresses, domains
Platforms: specific tools (e.g., “in SentinelOne” or “from Okta”)
Timeframes & locations: specific dates, time windows, or geo-locations
Stay tactical, not strategic
The chatbot excels at tactical lookups—retrieving data, answering point-in-time questions, and surfacing facts. It does not perform investigative reasoning, hypothesis testing, or behavioral baselining like the full Dropzone agent.
Avoid asking subjective or open-ended questions like:
“Is this normal?”
“What do you think happened here?”
“Is this suspicious?”
Instead, break down your question into specific lookups:
“What other devices have been observed with the process hash in the last 48 hours?”
“Has IP AAA.BBB.CCC.DDD communicated with internal systems before?”
Follow up and iterate
Chatbot sessions support lightweight follow-up questions that reference prior responses—especially in investigation-scoped chats. This allows you to progressively narrow focus or explore pivots without repeating the full context.
Use short, incremental follow-ups to gather additional contextual information.